
Fraud.WindowsProtectionSuite & Microsoft.Windows.RedirectedHosts


7 replies to this topic

#1 phi1097

phi1097

  • Members
  • 56 posts

Posted 22 May 2010 - 08:02 PM

When I run my Spybot program the results show that I have Fraud.WindowsProtectionSuite & Microsoft.Windows.RedirectedHosts & cannot delete them because it says access is denied.

First I tried http://www.bleepingcomputer.com/forums/t/317865/fraudwindowsprotectionsuite-microsoftwindowsredirectedhosts/ which brings me here.

DDS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by mm at 19:00:47.28 on Sat 05/22/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1481 [GMT -4:00]

AV: CleanUp Antivirus *On-access scanning enabled* (Outdated) {943D8AFA-D1CC-43C0-B784-0F036F2DC7DF}
AV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: CleanUp Antivirus *enabled* {5341F26A-4314-4B42-883F-B8A1FD367251}
FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\mm.DH34G391\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\googleafe\GoogleAE.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: []
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\America Online 9.0 Tray Icon.lnk.disabled
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\HP Digital Imaging Monitor.lnk.disabled
uPolicies-system: RunStartupScriptSync = 1 (0x1)
mPolicies-system: RunStartupScriptSync = 1 (0x1)
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231717535734
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} - hxxp://www.worldwinner.com/games/v46/sol/sol.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
IFEO: image file execution options - svchost.exe
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 secure-plus-payments.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2006-10-10 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-1-9 68168]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2005-8-30 205328]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2005-8-30 290889]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2005-8-30 585792]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2005-8-30 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2005-8-30 262215]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 12872]

=============== Created Last 30 ================

2010-05-22 22:57:29 0 ----a-w- c:\documents and settings\mm.dh34g391\defogger_reenable
2010-05-20 17:56:10 0 d-----w- c:\docume~1\mm40fa~1.dh3\applic~1\Malwarebytes
2010-05-20 17:55:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-20 17:55:56 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-20 17:55:55 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-20 17:55:55 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-26 20:15:19 0 d-----w- c:\program files\windstream_act

==================== Find3M ====================

2010-05-16 22:23:12 165161 ----a-w- c:\windows\hpoins37.dat
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-03-09 08:28:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-25 15:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:25 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2006-12-30 01:13:35 56 --sh--r- c:\windows\system32\AE292043F8.sys
2006-12-30 01:13:37 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 19:01:24.90 ===============



#2 snemelk

snemelk

    engineer


  • Malware Response Team
  • 1,468 posts
  • Gender:Male
  • Location:Poland

Posted 25 May 2010 - 09:55 AM

Hi phi1097!

Your logfile reveals that your current antivirus program, Trend Micro PC-cillin Internet Security, is outdated. Could you confirm that it's not being updated anymore?

Please do the following:

Firstly,
Please restore your Proxy settings as they have been modified by malware...
To do this:
In Internet Explorer: Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "Use a proxy server" and check "Automatically detect settings".
In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection.

Secondly,
Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Post the log from ComboFix when you've accomplished that.
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver
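The reply above singles out a few lines of the DDS report as the tell-tale signs of this infection: a browser proxy pointing at 127.0.0.1:5555, an outdated and disabled antivirus, hosts-file entries that blackhole a security site and pin several payment domains to one IP, and an IFEO entry on svchost.exe. The triage script below, added here as an example and not part of the thread or of the DDS/ComboFix tools, walks lines in the DDS "Pseudo HJT Report" format and flags exactly those patterns; the sample lines are constructed for the example, with values copied from the log posted above.

```python
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the DDS "Pseudo HJT Report" style; the values are copied
# from the log posted in this thread, but this is not the full log.
SAMPLE_DDS = """\
AV: CleanUp Antivirus *On-access scanning enabled* (Outdated) {943D8AFA-D1CC-43C0-B784-0F036F2DC7DF}
AV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5555
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 secure-plus-payments.com
IFEO: image file execution options - svchost.exe
"""

@dataclass(frozen=True)
class Finding:
    category: str  # "av", "proxy", "hosts" or "ifeo"
    detail: str

AV_RE = re.compile(r"^(AV|FW):\s+(.+?)\s+\*(.+?)\*(?:\s+\((Outdated)\))?")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
IFEO_RE = re.compile(r"^IFEO:.*-\s+(\S+)\s*$")

def _is_loopback(host: str) -> bool:
    return host.startswith("127.") or host in ("::1", "localhost")

def check_proxy(value: str) -> list[Finding]:
    """Flag a ProxyServer value that points at the local machine: a browser proxy on
    127.0.0.1 means every page request is relayed through a local process."""
    findings = []
    for part in value.split(";"):          # IE allows "http=a:1;https=b:2"
        part = part.strip()
        if not part:
            continue
        hostport = part.split("=", 1)[-1]  # drop the "http=" scheme prefix
        host, _, port = hostportost_split = hostport.rpartition(":") if False else hostport.rpartition(":")
        if _is_loopback(host or hostport):
            findings.append(Finding("proxy",
                f"browser proxy set to loopback {hostport} (port {port or '?'}): "
                "traffic is relayed through a local process"))
    return findings

def check_hosts(entries: list[tuple[str, str]]) -> list[Finding]:
    """Blackholed security sites (loopback) and groups of domains pinned to one
    public IP are the two patterns a hosts-file hijack leaves behind."""
    findings = []
    by_ip: dict[str, list[str]] = defaultdict(list)
    for ip, name in entries:
        if _is_loopback(ip):
            if name.lower() != "localhost":    # "127.0.0.1 localhost" is the default
                findings.append(Finding("hosts", f"{name} is blackholed to {ip}"))
        else:
            by_ip[ip].append(name)
    for ip, names in by_ip.items():
        findings.append(Finding("hosts",
            f"{len(names)} domain(s) pinned to {ip}: {', '.join(names)}"))
    return findings

def triage(dds_text: str) -> list[Finding]:
    """Walk DDS report lines and collect the indicators worth a closer look."""
    findings: list[Finding] = []
    hosts: list[tuple[str, str]] = []
    for line in dds_text.splitlines():
        if m := AV_RE.match(line):
            kind, product, state, outdated = m.groups()
            problems = [p for p in (outdated, "disabled" if "disabled" in state else None) if p]
            if problems:
                findings.append(Finding("av", f"{kind} {product}: {', '.join(problems)}"))
        elif m := PROXY_RE.match(line):
            findings.extend(check_proxy(m.group(1)))
        elif m := HOSTS_RE.match(line):
            hosts.append((m.group(1), m.group(2)))
        elif m := IFEO_RE.match(line):
            findings.append(Finding("ifeo",
                f"Image File Execution Options entry for {m.group(1)}: "
                "a registered debugger can replace the process at launch"))
    findings.extend(check_hosts(hosts))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.category}] {f.detail}")
```

Each finding corresponds to one of the remediation steps in the reply above; the hosts-file group is reported as a single finding so a long redirect list reads as one indicator rather than many.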


#3 phi1097

phi1097
  • Topic Starter

  • Members
  • 56 posts

Posted 25 May 2010 - 11:32 AM

I think everything was disabled; also, I haven't updated Trend Micro in a very long time.




ComboFix 10-05-24.07 - mm 05/25/2010 12:21:13.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1639 [GMT -4:00]
Running from: c:\documents and settings\mm.DH34G391\Desktop\ComboFix.exe
AV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\2d327df
c:\documents and settings\All Users\Application Data\2d327df\4475.mof
c:\documents and settings\All Users\Application Data\2d327df\62.mof
c:\documents and settings\All Users\Application Data\2d327df\BackUp\America Online 9.0 Tray Icon.lnk.disabled
c:\documents and settings\All Users\Application Data\2d327df\BackUp\Digital Line Detect.lnk
c:\documents and settings\All Users\Application Data\2d327df\BackUp\HP Digital Imaging Monitor.lnk.disabled
c:\documents and settings\All Users\Application Data\2d327df\CU2d32.exe
c:\documents and settings\All Users\Application Data\2d327df\CUA.ico
c:\documents and settings\All Users\Application Data\2d327df\CUASys\vd952342.bd
c:\program files\Common Files\System\Uninstall
c:\windows\system32\AbaleZip.dll

.
((((((((((((((((((((((((( Files Created from 2010-04-25 to 2010-05-25 )))))))))))))))))))))))))))))))
.

2010-05-24 21:41 . 2010-05-24 21:41 -------- d-----w- c:\documents and settings\ROBERT MESSINA\Application Data\Malwarebytes
2010-05-20 18:37 . 2010-05-20 18:37 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-05-20 17:56 . 2010-05-20 17:56 -------- d-----w- c:\documents and settings\mm.DH34G391\Application Data\Malwarebytes
2010-05-20 17:55 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-20 17:55 . 2010-05-20 17:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-20 17:55 . 2010-05-20 17:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-20 17:55 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-20 17:38 . 2010-05-20 17:38 -------- d-----w- c:\documents and settings\mm.DH34G391\Local Settings\Application Data\Threat Expert
2010-05-20 12:38 . 2010-05-20 12:38 -------- d-----w- c:\documents and settings\ROBERT MESSINA\Local Settings\Application Data\Threat Expert
2010-05-15 20:33 . 2010-05-22 16:36 63488 ----a-w- c:\documents and settings\mm.DH34G391\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-05 14:04 . 2010-05-05 22:20 -------- d-----w- c:\documents and settings\ROBERT MESSINA\Local Settings\Application Data\khomhhhyk
2010-05-01 19:10 . 2010-05-01 19:10 -------- d-----w- c:\documents and settings\ROBERT MESSINA\Local Settings\Application Data\Conduit
2010-05-01 19:10 . 2010-05-01 19:11 -------- d-----w- c:\documents and settings\ROBERT MESSINA\Local Settings\Application Data\Zynga
2010-04-30 22:53 . 2010-05-06 18:51 -------- d-----w- c:\documents and settings\ROBERT MESSINA\Application Data\Azureus
2010-04-26 20:15 . 2010-04-26 20:15 -------- d-----w- c:\program files\windstream_act

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-22 16:35 . 2009-03-23 22:39 117760 ----a-w- c:\documents and settings\mm.DH34G391\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-22 16:23 . 2007-01-09 21:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-21 21:55 . 2008-04-25 18:11 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-19 20:34 . 2009-06-28 18:32 -------- d-----w- c:\program files\CCleaner
2010-05-16 22:23 . 2010-02-07 22:11 165161 ----a-w- c:\windows\hpoins37.dat
2010-05-15 20:30 . 2007-01-29 18:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-15 20:22 . 2009-05-11 19:28 -------- d-----w- c:\program files\SpywareBlaster
2010-05-13 23:49 . 2009-05-05 16:34 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-05-07 21:27 . 2009-11-24 20:43 117760 ----a-w- c:\documents and settings\ROBERT MESSINA\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-07 14:21 . 2010-02-07 20:58 -------- d-----w- c:\documents and settings\ROBERT MESSINA\Application Data\HPAppData
2010-05-06 17:44 . 2010-02-07 22:30 -------- d-----w- c:\documents and settings\mm.DH34G391\Application Data\HPAppData
2010-04-30 23:09 . 2009-11-08 21:37 -------- d-----w- c:\program files\Vuze
2010-04-26 20:24 . 2006-01-21 00:41 -------- d-----w- c:\program files\Common Files\Motive
2010-04-26 20:15 . 2006-01-21 00:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2010-04-24 21:04 . 2010-02-28 22:36 36288 ----a-w- c:\documents and settings\karen messina\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-24 19:54 . 2010-04-24 19:54 503808 ----a-w- c:\documents and settings\karen messina\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-30cb7b63-n\msvcp71.dll
2010-04-24 19:54 . 2010-04-24 19:54 499712 ----a-w- c:\documents and settings\karen messina\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-30cb7b63-n\jmc.dll
2010-04-24 19:54 . 2010-04-24 19:54 348160 ----a-w- c:\documents and settings\karen messina\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-30cb7b63-n\msvcr71.dll
2010-04-24 19:54 . 2010-04-24 19:54 61440 ----a-w- c:\documents and settings\karen messina\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-220e5398-n\decora-sse.dll
2010-04-24 19:54 . 2010-04-24 19:54 12800 ----a-w- c:\documents and settings\karen messina\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-220e5398-n\decora-d3d.dll
2010-04-24 19:51 . 2010-02-08 20:01 -------- d-----w- c:\documents and settings\karen messina\Application Data\HPAppData
2010-04-20 17:18 . 2010-04-20 17:18 52224 ----a-w- c:\documents and settings\ROBERT MESSINA\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-20 15:57 . 2006-01-06 20:41 36288 ----a-w- c:\documents and settings\ROBERT MESSINA\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-20 14:12 . 2010-04-20 14:12 -------- d-sh--w- c:\documents and settings\All Users\Application Data\CUIMSA
2010-04-08 15:58 . 2009-10-15 17:07 -------- d-----w- c:\program files\Ascentive
2010-04-08 15:58 . 2005-12-30 14:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-08 15:33 . 2010-03-01 00:38 -------- d-----w- c:\documents and settings\mm.DH34G391\Application Data\InstallShield
2010-04-05 18:11 . 2010-04-05 18:11 503808 ----a-w- c:\documents and settings\ROBERT MESSINA\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5bcbde3d-n\msvcp71.dll
2010-04-05 18:11 . 2010-04-05 18:11 499712 ----a-w- c:\documents and settings\ROBERT MESSINA\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5bcbde3d-n\jmc.dll
2010-04-05 18:11 . 2010-04-05 18:11 348160 ----a-w- c:\documents and settings\ROBERT MESSINA\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5bcbde3d-n\msvcr71.dll
2010-04-05 18:11 . 2010-04-05 18:11 61440 ----a-w- c:\documents and settings\ROBERT MESSINA\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-166e2387-n\decora-sse.dll
2010-04-05 18:11 . 2010-04-05 18:11 12800 ----a-w- c:\documents and settings\ROBERT MESSINA\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-166e2387-n\decora-d3d.dll
2010-04-05 14:15 . 2010-03-01 00:40 256 ----a-w- c:\windows\system32\pool.bin
2010-04-03 22:29 . 2010-04-03 22:29 503808 ----a-w- c:\documents and settings\mm.DH34G391\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-53ecc4b8-n\msvcp71.dll
2010-04-03 22:29 . 2010-04-03 22:29 499712 ----a-w- c:\documents and settings\mm.DH34G391\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-53ecc4b8-n\jmc.dll
2010-04-03 22:29 . 2010-04-03 22:29 348160 ----a-w- c:\documents and settings\mm.DH34G391\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-53ecc4b8-n\msvcr71.dll
2010-04-03 22:29 . 2010-04-03 22:29 61440 ----a-w- c:\documents and settings\mm.DH34G391\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7f9cc969-n\decora-sse.dll
2010-04-03 22:29 . 2010-04-03 22:29 12800 ----a-w- c:\documents and settings\mm.DH34G391\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7f9cc969-n\decora-d3d.dll
2010-04-03 22:28 . 2005-12-30 14:14 -------- d-----w- c:\program files\Java
2010-03-26 17:29 . 2010-03-26 17:29 -------- d-----w- c:\documents and settings\LocalService\Application Data\Roxio
2010-03-26 17:29 . 2010-03-26 17:29 -------- d-----w- c:\documents and settings\mm.DH34G391\Application Data\Roxio
2010-03-10 06:15 . 2004-08-10 18:51 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 08:28 . 2008-12-06 19:36 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-04 18:02 . 2006-12-30 01:08 36288 ----a-w- c:\documents and settings\mm.DH34G391\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-03 23:58 . 2010-03-03 23:58 69632 ----a-r- c:\documents and settings\mm.DH34G391\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\NewShortcut600_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-03-03 23:58 . 2010-03-03 23:58 69632 ----a-r- c:\documents and settings\mm.DH34G391\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\NewShortcut60_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-03-03 23:58 . 2010-03-03 23:58 69632 ----a-r- c:\documents and settings\mm.DH34G391\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\NewShortcut6_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-03-03 23:58 . 2010-03-03 23:58 69632 ----a-r- c:\documents and settings\mm.DH34G391\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\NewShortcut5_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-03-03 23:58 . 2010-03-03 23:58 69632 ----a-r- c:\documents and settings\mm.DH34G391\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\NewShortcut4_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-03-03 23:58 . 2010-03-03 23:58 69632 ----a-r- c:\documents and settings\mm.DH34G391\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\NewShortcut3_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-03-03 23:58 . 2010-03-03 23:58 69632 ----a-r- c:\documents and settings\mm.DH34G391\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\NewShortcut12_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-03-03 23:58 . 2010-03-03 23:58 69632 ----a-r- c:\documents and settings\mm.DH34G391\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\DesktopMgr.exe
2010-03-03 23:58 . 2010-03-03 23:58 49152 ----a-r- c:\documents and settings\mm.DH34G391\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\RedirectorEXE2_770DFD1204C24F4DA163D64FACCB5CBD.exe
2010-03-03 23:58 . 2010-03-03 23:58 49152 ----a-r- c:\documents and settings\mm.DH34G391\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\RedirectorEXE1_770DFD1204C24F4DA163D64FACCB5CBD.exe
2010-03-03 23:58 . 2010-03-03 23:58 49152 ----a-r- c:\documents and settings\mm.DH34G391\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\RedirectorEXE_770DFD1204C24F4DA163D64FACCB5CBD.exe
2010-03-01 00:29 . 2010-03-01 00:29 69632 ----a-r- c:\documents and settings\mm.DH34G391\Application Data\Microsoft\Installer\{F8C04C5B-8876-424D-B428-23626373D2A0}\NewShortcut600_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-03-01 00:29 . 2010-03-01 00:29 49152 ----a-r- c:\documents and settings\mm.DH34G391\Application Data\Microsoft\Installer\{F8C04C5B-8876-424D-B428-23626373D2A0}\RedirectorEXE2_770DFD1204C24F4DA163D64FACCB5CBD.exe
2010-03-01 00:29 . 2010-03-01 00:28 69632 ----a-r- c:\documents and settings\mm.DH34G391\Application Data\Microsoft\Installer\{F8C04C5B-8876-424D-B428-23626373D2A0}\NewShortcut60_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-03-01 00:28 . 2010-03-01 00:28 69632 ----a-r- c:\documents and settings\mm.DH34G391\Application Data\Microsoft\Installer\{F8C04C5B-8876-424D-B428-23626373D2A0}\NewShortcut6_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-03-01 00:28 . 2010-03-01 00:28 69632 ----a-r- c:\documents and settings\mm.DH34G391\Application Data\Microsoft\Installer\{F8C04C5B-8876-424D-B428-23626373D2A0}\NewShortcut5_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-03-01 00:28 . 2010-03-01 00:28 69632 ----a-r- c:\documents and settings\mm.DH34G391\Application Data\Microsoft\Installer\{F8C04C5B-8876-424D-B428-23626373D2A0}\NewShortcut4_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-03-01 00:28 . 2010-03-01 00:28 69632 ----a-r- c:\documents and settings\mm.DH34G391\Application Data\Microsoft\Installer\{F8C04C5B-8876-424D-B428-23626373D2A0}\NewShortcut3_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-03-01 00:28 . 2010-03-01 00:28 69632 ----a-r- c:\documents and settings\mm.DH34G391\Application Data\Microsoft\Installer\{F8C04C5B-8876-424D-B428-23626373D2A0}\NewShortcut12_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-03-01 00:28 . 2010-03-01 00:28 69632 ----a-r- c:\documents and settings\mm.DH34G391\Application Data\Microsoft\Installer\{F8C04C5B-8876-424D-B428-23626373D2A0}\DesktopMgr.exe
2010-02-25 06:24 . 2004-08-10 18:51 916480 ----a-w- c:\windows\system32\wininet.dll
2006-12-30 01:13 . 2006-05-08 16:04 56 --sh--r- c:\windows\system32\AE292043F8.sys
2006-12-30 01:13 . 2006-05-08 16:04 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk.disabled [2005-12-30 831]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-30 24576]
HP Digital Imaging Monitor.lnk.disabled [2010-2-7 1808]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-24 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-10-07 19:59 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2008-07-10 13:47 116040 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-01-27 07:02 86016 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-05-27 14:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-05-15 20:30 2017280 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"SUPERAntiSpyware"=c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" /startup
"OE_OEM"="c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
"RealTray"=c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"SpyHunter Security Suite"=c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe
"MimBoot"=c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"BlackBerryAutoUpdate"=c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERANTISPYWARE.EXE"=
"c:\\Program Files\\Vuze\\Azureus.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/10/2006 1:53 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/9/2007 3:09 PM 68168]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [8/30/2005 6:30 PM 205328]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [8/30/2005 6:30 PM 36368]
S2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [8/30/2005 6:30 PM 290889]
S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [8/30/2005 6:30 PM 585792]
S2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [8/30/2005 6:30 PM 262215]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 5:51 PM 12872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-05-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]

2010-05-25 c:\windows\Tasks\User_Feed_Synchronization-{FB307A7F-BC71-424C-9254-ED25E099309E}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
Notify-WgaLogon - (no file)
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-25 12:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(628)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\igfxdev.dll

- - - - - - - > 'winlogon.exe'(1704)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\igfxdev.dll
.
Completion time: 2010-05-25 12:29:11
ComboFix-quarantined-files.txt 2010-05-25 16:29

Pre-Run: 55,231,651,840 bytes free
Post-Run: 55,260,033,024 bytes free

- - End Of File - - 781762F2544D688A8F87CA9C0D68A5F1


#4 snemelk

    engineer

  • Malware Response Team
  • 1,468 posts
  • Gender:Male
  • Location:Poland

Posted 25 May 2010 - 01:10 PM

Hi again phi1097!!..

That looks better... Does any problem persist??..

QUOTE(phi1097 @ May 25 2010, 06:32 PM)
i think everything was disabled, also i haven't updated trend micro in a very long time

I see... Running an updated antivirus application is crucial for computer security!.. That's why I suggest you uninstall the outdated Trend Micro PC-cillin Internet Security program (use Start > Control Panel, double-click on Add or Remove Programs)...
Then, please install an antivirus program of your choice, run a full system scan with it, and post a log (if possible)... You may want to install one of the antivirus applications I recommend on my site: link

Afterwards, please do the following:

We need to upload a few malware files.
Download upload.bat to your Desktop.
Then open Notepad and copy and paste the text present in the codebox:
CODE
http://www.bleepingcomputer.com/forums/t/318494/fraudwindowsprotectionsuite-microsoftwindowsredirectedhosts/
"c:\documents and settings\ROBERT MESSINA\Local Settings\Application Data\khomhhhyk"
c:\Qoobox\Quarantine\c\windows\system32\AbaleZip.dll

Save this as upload.txt , and place it on your Desktop.

Double-click upload.bat and let the script run. A Notepad window with a logfile will open; you may close it. Then a browser window should pop up; submit the Files_for_submission.zip file (created in the same directory you saved upload.bat in): browse to that file and click Send File. You may leave the two other boxes blank.
Let me know if the file has been uploaded successfully or note any errors encountered.

Then,
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quotebox below into it:

QUOTE
Folder::
c:\documents and settings\ROBERT MESSINA\Local Settings\Application Data\khomhhhyk
DirLook::
c:\program files\windstream_act
c:\documents and settings\All Users\Application Data\CUIMSA
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555


Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt. Post it in your next reply.
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#5 phi1097

  • Topic Starter
  • Members
  • 56 posts

Posted 26 May 2010 - 07:42 PM

I ran Malwarebytes and spybot S&D and found no problems

ComboFix 10-05-24.07 - mm 05/26/2010 20:30:07.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1630 [GMT -4:00]
Running from: c:\documents and settings\mm.DH34G391\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\mm.DH34G391\Desktop\CFScript.txt
AV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\ROBERT MESSINA\Local Settings\Application Data\khomhhhyk

.
((((((((((((((((((((((((( Files Created from 2010-04-27 to 2010-05-27 )))))))))))))))))))))))))))))))
.

2010-05-26 23:08 . 2010-05-26 23:08 -------- d-sh--w- c:\documents and settings\mm.DH34G391\IECompatCache
2010-05-24 21:41 . 2010-05-24 21:41 -------- d-----w- c:\documents and settings\ROBERT MESSINA\Application Data\Malwarebytes
2010-05-20 18:37 . 2010-05-20 18:37 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-05-20 17:56 . 2010-05-20 17:56 -------- d-----w- c:\documents and settings\mm.DH34G391\Application Data\Malwarebytes
2010-05-20 17:55 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-20 17:55 . 2010-05-20 17:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-20 17:55 . 2010-05-20 17:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-20 17:55 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-20 17:38 . 2010-05-20 17:38 -------- d-----w- c:\documents and settings\mm.DH34G391\Local Settings\Application Data\Threat Expert
2010-05-20 12:38 . 2010-05-20 12:38 -------- d-----w- c:\documents and settings\ROBERT MESSINA\Local Settings\Application Data\Threat Expert
2010-05-15 20:33 . 2010-05-22 16:36 63488 ----a-w- c:\documents and settings\mm.DH34G391\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-01 19:10 . 2010-05-01 19:10 -------- d-----w- c:\documents and settings\ROBERT MESSINA\Local Settings\Application Data\Conduit
2010-05-01 19:10 . 2010-05-01 19:11 -------- d-----w- c:\documents and settings\ROBERT MESSINA\Local Settings\Application Data\Zynga
2010-04-30 22:53 . 2010-05-06 18:51 -------- d-----w- c:\documents and settings\ROBERT MESSINA\Application Data\Azureus

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-26 23:20 . 2007-01-09 21:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-22 16:35 . 2009-03-23 22:39 117760 ----a-w- c:\documents and settings\mm.DH34G391\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-21 21:55 . 2008-04-25 18:11 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-19 20:34 . 2009-06-28 18:32 -------- d-----w- c:\program files\CCleaner
2010-05-16 22:23 . 2010-02-07 22:11 165161 ----a-w- c:\windows\hpoins37.dat
2010-05-15 20:30 . 2007-01-29 18:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-15 20:22 . 2009-05-11 19:28 -------- d-----w- c:\program files\SpywareBlaster
2010-05-13 23:49 . 2009-05-05 16:34 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-05-07 21:27 . 2009-11-24 20:43 117760 ----a-w- c:\documents and settings\ROBERT MESSINA\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-07 14:21 . 2010-02-07 20:58 -------- d-----w- c:\documents and settings\ROBERT MESSINA\Application Data\HPAppData
2010-05-06 17:44 . 2010-02-07 22:30 -------- d-----w- c:\documents and settings\mm.DH34G391\Application Data\HPAppData
2010-04-30 23:09 . 2009-11-08 21:37 -------- d-----w- c:\program files\Vuze
2010-04-26 20:24 . 2006-01-21 00:41 -------- d-----w- c:\program files\Common Files\Motive
2010-04-26 20:15 . 2006-01-21 00:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2010-04-26 20:15 . 2010-04-26 20:15 -------- d-----w- c:\program files\windstream_act
2010-04-24 21:04 . 2010-02-28 22:36 36288 ----a-w- c:\documents and settings\karen messina\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-24 19:54 . 2010-04-24 19:54 503808 ----a-w- c:\documents and settings\karen messina\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-30cb7b63-n\msvcp71.dll
2010-04-24 19:54 . 2010-04-24 19:54 499712 ----a-w- c:\documents and settings\karen messina\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-30cb7b63-n\jmc.dll
2010-04-24 19:54 . 2010-04-24 19:54 348160 ----a-w- c:\documents and settings\karen messina\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-30cb7b63-n\msvcr71.dll
2010-04-24 19:54 . 2010-04-24 19:54 61440 ----a-w- c:\documents and settings\karen messina\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-220e5398-n\decora-sse.dll
2010-04-24 19:54 . 2010-04-24 19:54 12800 ----a-w- c:\documents and settings\karen messina\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-220e5398-n\decora-d3d.dll
2010-04-24 19:51 . 2010-02-08 20:01 -------- d-----w- c:\documents and settings\karen messina\Application Data\HPAppData
2010-04-20 17:18 . 2010-04-20 17:18 52224 ----a-w- c:\documents and settings\ROBERT MESSINA\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-20 15:57 . 2006-01-06 20:41 36288 ----a-w- c:\documents and settings\ROBERT MESSINA\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-20 14:12 . 2010-04-20 14:12 -------- d-sh--w- c:\documents and settings\All Users\Application Data\CUIMSA
2010-04-08 15:58 . 2009-10-15 17:07 -------- d-----w- c:\program files\Ascentive
2010-04-08 15:58 . 2005-12-30 14:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-08 15:33 . 2010-03-01 00:38 -------- d-----w- c:\documents and settings\mm.DH34G391\Application Data\InstallShield
2010-04-05 18:11 . 2010-04-05 18:11 503808 ----a-w- c:\documents and settings\ROBERT MESSINA\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5bcbde3d-n\msvcp71.dll
2010-04-05 18:11 . 2010-04-05 18:11 499712 ----a-w- c:\documents and settings\ROBERT MESSINA\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5bcbde3d-n\jmc.dll
2010-04-05 18:11 . 2010-04-05 18:11 348160 ----a-w- c:\documents and settings\ROBERT MESSINA\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5bcbde3d-n\msvcr71.dll
2010-04-05 18:11 . 2010-04-05 18:11 61440 ----a-w- c:\documents and settings\ROBERT MESSINA\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-166e2387-n\decora-sse.dll
2010-04-05 18:11 . 2010-04-05 18:11 12800 ----a-w- c:\documents and settings\ROBERT MESSINA\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-166e2387-n\decora-d3d.dll
2010-04-05 14:15 . 2010-03-01 00:40 256 ----a-w- c:\windows\system32\pool.bin
2010-04-03 22:29 . 2010-04-03 22:29 503808 ----a-w- c:\documents and settings\mm.DH34G391\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-53ecc4b8-n\msvcp71.dll
2010-04-03 22:29 . 2010-04-03 22:29 499712 ----a-w- c:\documents and settings\mm.DH34G391\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-53ecc4b8-n\jmc.dll
2010-04-03 22:29 . 2010-04-03 22:29 348160 ----a-w- c:\documents and settings\mm.DH34G391\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-53ecc4b8-n\msvcr71.dll
2010-04-03 22:29 . 2010-04-03 22:29 61440 ----a-w- c:\documents and settings\mm.DH34G391\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7f9cc969-n\decora-sse.dll
2010-04-03 22:29 . 2010-04-03 22:29 12800 ----a-w- c:\documents and settings\mm.DH34G391\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7f9cc969-n\decora-d3d.dll
2010-04-03 22:28 . 2005-12-30 14:14 -------- d-----w- c:\program files\Java
2010-03-10 06:15 . 2004-08-10 18:51 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 08:28 . 2008-12-06 19:36 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-04 18:02 . 2006-12-30 01:08 36288 ----a-w- c:\documents and settings\mm.DH34G391\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-03 23:58 . 2010-03-03 23:58 69632 ----a-r- c:\documents and settings\mm.DH34G391\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\NewShortcut600_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-03-03 23:58 . 2010-03-03 23:58 69632 ----a-r- c:\documents and settings\mm.DH34G391\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\NewShortcut60_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-03-03 23:58 . 2010-03-03 23:58 69632 ----a-r- c:\documents and settings\mm.DH34G391\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\NewShortcut6_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-03-03 23:58 . 2010-03-03 23:58 69632 ----a-r- c:\documents and settings\mm.DH34G391\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\NewShortcut5_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-03-03 23:58 . 2010-03-03 23:58 69632 ----a-r- c:\documents and settings\mm.DH34G391\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\NewShortcut4_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-03-03 23:58 . 2010-03-03 23:58 69632 ----a-r- c:\documents and settings\mm.DH34G391\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\NewShortcut3_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-03-03 23:58 . 2010-03-03 23:58 69632 ----a-r- c:\documents and settings\mm.DH34G391\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\NewShortcut12_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-03-03 23:58 . 2010-03-03 23:58 69632 ----a-r- c:\documents and settings\mm.DH34G391\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\DesktopMgr.exe
2010-03-03 23:58 . 2010-03-03 23:58 49152 ----a-r- c:\documents and settings\mm.DH34G391\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\RedirectorEXE2_770DFD1204C24F4DA163D64FACCB5CBD.exe
2010-03-03 23:58 . 2010-03-03 23:58 49152 ----a-r- c:\documents and settings\mm.DH34G391\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\RedirectorEXE1_770DFD1204C24F4DA163D64FACCB5CBD.exe
2010-03-03 23:58 . 2010-03-03 23:58 49152 ----a-r- c:\documents and settings\mm.DH34G391\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\RedirectorEXE_770DFD1204C24F4DA163D64FACCB5CBD.exe
2010-03-01 00:29 . 2010-03-01 00:29 69632 ----a-r- c:\documents and settings\mm.DH34G391\Application Data\Microsoft\Installer\{F8C04C5B-8876-424D-B428-23626373D2A0}\NewShortcut600_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-03-01 00:29 . 2010-03-01 00:29 49152 ----a-r- c:\documents and settings\mm.DH34G391\Application Data\Microsoft\Installer\{F8C04C5B-8876-424D-B428-23626373D2A0}\RedirectorEXE2_770DFD1204C24F4DA163D64FACCB5CBD.exe
2010-03-01 00:29 . 2010-03-01 00:28 69632 ----a-r- c:\documents and settings\mm.DH34G391\Application Data\Microsoft\Installer\{F8C04C5B-8876-424D-B428-23626373D2A0}\NewShortcut60_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-03-01 00:28 . 2010-03-01 00:28 69632 ----a-r- c:\documents and settings\mm.DH34G391\Application Data\Microsoft\Installer\{F8C04C5B-8876-424D-B428-23626373D2A0}\NewShortcut6_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-03-01 00:28 . 2010-03-01 00:28 69632 ----a-r- c:\documents and settings\mm.DH34G391\Application Data\Microsoft\Installer\{F8C04C5B-8876-424D-B428-23626373D2A0}\NewShortcut5_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-03-01 00:28 . 2010-03-01 00:28 69632 ----a-r- c:\documents and settings\mm.DH34G391\Application Data\Microsoft\Installer\{F8C04C5B-8876-424D-B428-23626373D2A0}\NewShortcut4_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-03-01 00:28 . 2010-03-01 00:28 69632 ----a-r- c:\documents and settings\mm.DH34G391\Application Data\Microsoft\Installer\{F8C04C5B-8876-424D-B428-23626373D2A0}\NewShortcut3_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-03-01 00:28 . 2010-03-01 00:28 69632 ----a-r- c:\documents and settings\mm.DH34G391\Application Data\Microsoft\Installer\{F8C04C5B-8876-424D-B428-23626373D2A0}\NewShortcut12_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-03-01 00:28 . 2010-03-01 00:28 69632 ----a-r- c:\documents and settings\mm.DH34G391\Application Data\Microsoft\Installer\{F8C04C5B-8876-424D-B428-23626373D2A0}\DesktopMgr.exe
2006-12-30 01:13 . 2006-05-08 16:04 56 --sh--r- c:\windows\system32\AE292043F8.sys
2006-12-30 01:13 . 2006-05-08 16:04 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\All Users\Application Data\CUIMSA ----

2010-04-20 14:12 . 2010-04-20 18:01 25137 --sha-w- c:\documents and settings\All Users\Application Data\CUIMSA\CUFRNETGA.cfg

---- Directory of c:\program files\windstream_act ----

2010-04-26 20:15 . 2008-01-05 01:06 21722 ----a-w- c:\program files\windstream_act\ProfileDefinitions\EmailProfile.js
2010-04-26 20:15 . 2008-01-04 15:18 4402 ----a-w- c:\program files\windstream_act\ProfileDefinitions\EmailProfile.xml


((((((((((((((((((((((((((((( SnapShot@2010-05-25_16.26.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-27 00:25 . 2010-05-27 00:25 16384 c:\windows\TEMP\Perflib_Perfdata_188.dat
+ 2007-01-29 08:58 . 2010-04-21 13:28 46080 c:\windows\system32\tzchange.exe
- 2007-01-29 08:58 . 2010-01-23 08:11 46080 c:\windows\system32\tzchange.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk.disabled [2005-12-30 831]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-30 24576]
HP Digital Imaging Monitor.lnk.disabled [2010-2-7 1808]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-24 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-10-07 19:59 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2008-07-10 13:47 116040 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-01-27 07:02 86016 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-05-27 14:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-05-15 20:30 2017280 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"SUPERAntiSpyware"=c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" /startup
"OE_OEM"="c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
"RealTray"=c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"SpyHunter Security Suite"=c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe
"MimBoot"=c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"BlackBerryAutoUpdate"=c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERANTISPYWARE.EXE"=
"c:\\Program Files\\Vuze\\Azureus.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/10/2006 1:53 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/9/2007 3:09 PM 68168]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [8/30/2005 6:30 PM 205328]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [8/30/2005 6:30 PM 36368]
S2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [8/30/2005 6:30 PM 290889]
S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [8/30/2005 6:30 PM 585792]
S2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [8/30/2005 6:30 PM 262215]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 5:51 PM 12872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-05-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]

2010-05-26 c:\windows\Tasks\User_Feed_Synchronization-{FB307A7F-BC71-424C-9254-ED25E099309E}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-26 20:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(628)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3144)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-05-26 20:39:23
ComboFix-quarantined-files.txt 2010-05-27 00:39
ComboFix2.txt 2010-05-25 16:29

Pre-Run: 56,040,951,808 bytes free
Post-Run: 56,054,321,152 bytes free

- - End Of File - - 846328355D059F583DCE405115C70EA6
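As an added example (my own code, not part of this thread and not a ComboFix or DDS feature) that serves both the CFScript step in the previous post and the follow-up log in this one: a Python script that parses the 'Supplementary Scan' and 'Other Deletions' sections of ComboFix logs, flags a ProxyServer value pointing at the local machine (the http=127.0.0.1:5555 entry that the DDS:: line removed) and confirms the follow-up log no longer has it. The log excerpts are constructed from the two logs above; the banner and key=value formats are assumed from those logs.

```python
"""Added example: parse ComboFix logs like the two posted in this thread and
confirm the loopback proxy (127.0.0.1:5555) is gone after the fix."""
import re
from typing import Dict, List

# Constructed excerpts modelled on the before/after ComboFix logs in this thread.
LOG_BEFORE = """\
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchAssistant = hxxp://www.google.com/ie
DPF: Microsoft XML Parser for Java - file://c:\\windows\\Java\\classes\\xmldso.cab
.
"""
LOG_AFTER = """\
((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))
.
c:\\documents and settings\\ROBERT MESSINA\\Local Settings\\Application Data\\khomhhhyk
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
.
"""

# Section banners are "------- Name -------" or "(((( Name ))))"; "." separates.
SECTION_RE = re.compile(r"^-+ (.+?) -+$|^\(+ (.+?) \)+$")
# "key = value", split on the FIRST "=" so "http=127.0.0.1:5555" stays whole.
SETTING_RE = re.compile(r"^(?P<key>[^=]+?)\s*=\s*(?P<value>.*)$")
# One ProxyServer entry: optional "scheme=" prefix, then host:port.
PROXY_RE = re.compile(r"(?:(?P<scheme>\w+)=)?(?P<host>[^:;]+):(?P<port>\d+)")


def split_sections(log: str) -> Dict[str, List[str]]:
    """Group non-empty log lines under the banner that precedes them."""
    sections: Dict[str, List[str]] = {}
    current = "preamble"
    for raw in log.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            current = (banner.group(1) or banner.group(2)).strip()
            sections.setdefault(current, [])
        elif line and line != ".":
            sections.setdefault(current, []).append(line)
    return sections


def parse_settings(lines: List[str]) -> Dict[str, str]:
    """Map 'uInternet Settings,ProxyServer' style keys to their values."""
    settings: Dict[str, str] = {}
    for line in lines:
        if line.startswith("DPF:"):  # ActiveX download entries, not settings
            continue
        m = SETTING_RE.match(line)
        if m:
            settings[m.group("key").strip()] = m.group("value").strip()
    return settings


def loopback_proxies(proxy_value: str) -> List[dict]:
    """Return the entries of a ProxyServer value ('host:port' or
    'scheme=host:port;...') that point at the local machine. Such a proxy,
    with no proxy software you installed, routes all browser traffic through
    some local process, which is why the CFScript's DDS:: line removed it."""
    found: List[dict] = []
    for entry in proxy_value.split(";"):
        m = PROXY_RE.fullmatch(entry.strip())
        if not m:
            continue
        host = m.group("host").lower()
        if host == "localhost" or host.startswith("127."):
            found.append({"scheme": m.group("scheme") or "all",
                          "host": host, "port": int(m.group("port"))})
    return found


def assess(log: str) -> dict:
    """Summarise one log: proxy setting, loopback proxies, deleted items."""
    sections = split_sections(log)
    settings = parse_settings(sections.get("Supplementary Scan", []))
    proxy = settings.get("uInternet Settings,ProxyServer", "")
    return {"proxy_server": proxy,
            "loopback_proxies": loopback_proxies(proxy),
            "deleted": sections.get("Other Deletions", [])}


def proxy_removed(before: str, after: str) -> bool:
    """True when the first log had a loopback proxy and the second has none."""
    return bool(assess(before)["loopback_proxies"]) and \
        not assess(after)["loopback_proxies"]
```

Run `assess()` on a saved C:\ComboFix.txt to get the same summary for your own log; `proxy_removed()` compares a pre-fix and post-fix log.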


#6 snemelk

    engineer

  • Malware Response Team
  • 1,468 posts
  • Gender:Male
  • Location:Poland

Posted 27 May 2010 - 10:59 AM

Hi again phi1097!!..

QUOTE(phi1097 @ May 27 2010, 02:42 AM)
I ran Malwarebytes and spybot S&D and found no problems

Glad to see that!..

I made an error in the upload script in my previous post; one file (AbaleZip.dll) did not get uploaded... I'll ask you to upload it once again, as I believe this is a false positive...

Please do the following:

1) Go to Start --> Run --> write cmd and click OK...

In the command prompt write (or copy and right-click paste):
copy c:\Qoobox\Quarantine\c\windows\system32\AbaleZip.dll.vir c:\windows\system32\AbaleZip.dll

Then click Enter

Close the command prompt...

2) Please upload a file for analysis:
Go to this site, click on Browse, and choose the following file:

c:\windows\system32\AbaleZip.dll

In the text box paste a link to this thread and/or add any useful information, if you want to.
Then, click Upload. Allow the file to be uploaded - wait till: The file has been uploaded! appears.
Please let me know once you do this.

3) We need to update outdated programs (with security vulnerabilities) on your machine:

- Java

Go to Start > Control Panel, double-click on Add or Remove Programs and remove:

Java™ 6 Update 19
Java™ 6 Update 6
Java™ 6 Update 7


Then,
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "JDK 6 Update 20 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • In the Window that opens, select Windows, your Language, check the "agree" box and click Continue.
  • Click on the link to download Windows Offline Installation and save to your Desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe that you downloaded to install the newest version.

- Adobe Flash Player:

To make sure you have the latest version of Adobe Flash Player installed:
1. To uninstall an older version, download this file to your Desktop: uninstall_flash_player.exe
2. Quit ALL running applications, including all Internet Explorer or other browser windows, and messenger applications (like AOL Instant Messenger, Yahoo Messenger, MSN Messenger).
3. Double-click on the file you've downloaded to uninstall Flash.
4. If uninstalled successfully, go to this site: Install Adobe Flash Player, and choose Agree and install now. This will install the newest version of Flash for your browser (note: Flash plugins for IE and Firefox must be installed separately).
Note: I recommend you uncheck the optional install (Free McAfee Security Scan or Free Google Toolbar).

4) One optional program to remove (just decide if you want to keep it...):

Viewpoint Media Player
Viewpoint Manager is considered foistware rather than malware. It is installed on your computer without your permission. It is known to be intrusive, and there is also some possibility that it is now being used by various companies to give them info about your habits.

I suggest you remove the program now.

5) The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

6) You haven't uninstalled Trend Micro PC-cillin Internet Security yet, as I suggested in my previous post... I highly recommend you do so, and install another antivirus of your choice, so that you're protected...

7) Please check my site - snemelk.hekko.pl:
Also, I recommend you read Grinler's excellent article: How did I get infected?, With steps so it does not happen again!



#7 phi1097

  • Topic Starter
  • Members
  • 56 posts

Posted 27 May 2010 - 02:54 PM

AbaleZip.dll was uploaded



#8 snemelk

    engineer

  • Malware Response Team
  • 1,468 posts
  • Gender:Male
  • Location:Poland

Posted 28 May 2010 - 06:29 AM

Hi again!..

QUOTE(phi1097 @ May 27 2010, 09:54 PM)
AbaleZip.dll was uploaded

Thanks! That was indeed a false positive...

Glad we could help.

If you need this topic reopened, just send me a PM (Send message from my profile) with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.