Infected with Antispy Safeguard, Antivirus 2010, & Maybe More


This topic is locked. 51 replies to this topic.

#1 elonkra

  • Members
  • 27 posts

Posted 20 October 2010 - 04:40 PM

------------------------------------------------------------------------------

Hi. Just found this incredible forum. Thanks in advance for any assistance.

------------------------------------------------------------------------------

My problem appears to have begun with the "Fake Microsoft Security Essentials Alert Trojan and AntiSpySafeguard." I also believe (but am not certain) that I am infected with the "Antivirus Studio 2010." I have attempted to fix these issues using the instructions on this website (listed below, in the two links that immediately follow this paragraph), but this did not solve my problem, because malwarebytes crashes and will not reboot--I get the common error messages stating (1) that the path, file, device, or whatnot cannot be found; and (2) that I may not have the appropriate permissions.

http://www.bleepingcomputer.com/virus-removal/remove-fake-microsoft-security-essentials-alert
http://www.bleepingcomputer.com/virus-removal/remove-antivirus-studio-2010

I tried to get the malwarebytes crash problem fixed by following instructions I found elsewhere, which involved using a command prompt to change permissions settings. This allows me to run the program again, but it still crashes and then will not reboot. For what it's worth, the same result has followed attempts to run HijackThis, Super Antispy Software, and other executable files.

I am able to run rkill.com, and in fact I'm now running it a few times each time I boot, along with immediately ending the "Antivirus 2010" program that is listed in my task manager. Takes me 5-10 minutes to get on the net, at this point.

When I was initially infected, I began having regular problems booting the computer at all, and eventually, it got to a point where it would not even boot in safe mode (safe mode was hanging on "isapnp.sys"). I got it to boot again by trying something I found via a google search, which involved removing an oddly-named 0kb file in windows\system32\drivers via what I think is called recovery console. That fix allowed me to boot again, and here's the message forum thread where I found it: http://social.answers.microsoft.com/Forums/en-US/xprepair/thread/1bb2ac51-8b5c-4058-b835-408524ace776

I attempted to follow the preparation guide before posting, and my results are as follows:

1. C:\ is backed up, using Cobian's "incremental" backup.

2. Topic reply notification by default enabled (or at least I think so--the instructions in this section of the preparation guide appear to be a little outdated).

3. Firewall enabled (was already on).

4. I have not yet run DeFogger, but I will as soon as I get a reply here (wanted to wait because I am not sure if I regularly use whatever CD emulation software is, and I did not want to go through the hassle of rebooting until I've received a response here).

5. DDS has been downloaded, and it does run, but it is either crashing after a few minutes, or closing without producing a log file after a few minutes (can't tell which). In any event, when it stops running, no log files pop up for me.

6. I've extracted GMER, and I followed the instructions to run the partial scan, but it crashes shortly after the scan begins, and then will not let me run it again (just like with malwarebytes, I get an error such as this: cannot find path, file device, or driver... you may not have permission to blah, blah, blah).

I'm at a stopping point. The only other thing I wanted to mention was this: Maybe I shouldn't be leaving the internet connected except when necessary--when I came home from work today I had to reboot to get connected to the net, and when I logged off Windows I got some sort of an error I've never gotten before--"Other users are logged on to this computer. Shutting down your computer may result in loss in data. Do you want to continue?" Obviously, I continued.

Thanks again for any assistance.

#2 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Location: Puerto rico

Posted 29 October 2010 - 11:56 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:
    Link1
    Link2
    Link3
  • Please disable any anti-malware program that will block scripts from running before running DDS.
  • Double-click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker

  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Just click on Cancel, then Accept.


Information and logs:

In your next post I need the following:

1. logs from DDS
2. log from RKUnHooker
3. let me know of any problems you may have had
Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 elonkra (Topic Starter)

  • Members
  • 27 posts

Posted 30 October 2010 - 01:06 AM

Hi Gringo. And thanks for your kind offer to help with my current situation.

Here's my update:

1. Ran defogger and disabled the drivers--as requested, and with no problems. I was not asked to reboot though, if it means anything.

2. Regarding DDS, I tried to download and run it again, and got the same result described in my initial post. The command window opened, and remained open, for about fifteen minutes, and then disappeared, with no log generation. I assume there was a crash. I am not aware of any anti-malware/script-blocking program that might be running--and, therefore, interfering--but then, I don't really know exactly how to verify that.

3. Ran the RKUnHooker scan. Here's the log (thanks again!!!):

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2189952 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2189952 bytes
0x804D7000 RAW 2189952 bytes
0x804D7000 WMIxWDM 2189952 bytes
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF6F34000 C:\WINDOWS\system32\DRIVERS\HSFDPSP2.sys 1044480 bytes (Conexant Systems, Inc., HSF_DP driver)
0xF6E8C000 C:\WINDOWS\system32\DRIVERS\HSFCXTS2.sys 688128 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xF76F6000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xEC412000 C:\WINDOWS\system32\DRIVERS\Wdf01000.sys 503808 bytes (Microsoft Corporation, WDF Dynamic)
0xEC48D000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF6DEE000 C:\WINDOWS\system32\drivers\smwdm.sys 417792 bytes (Analog Devices, Inc., SoundMAX Integrated Digital Audio )
0xF365E000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xEC5BA000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xB9645000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xBF012000 C:\WINDOWS\System32\ati2dvaa.dll 299008 bytes (ATI Technologies Inc., ATI RAGE 128 WindowsNT Display Driver)
0xF70A0000 C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys 286720 bytes (ATI Technologies Inc., ATI RAGE 128 Miniport Driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB7D61000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF7056000 C:\WINDOWS\system32\DRIVERS\HSFBS2S2.sys 221184 bytes (Conexant Systems, Inc., HSF_HWB2 WDM driver)
0xF781A000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xF76C9000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xB7D36000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xEC4FD000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xEC592000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xEC54A000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xB97DC000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xF6DCA000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF6E54000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF7033000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xEC646000 C:\WINDOWS\system32\DRIVERS\MpFilter.sys 143360 bytes (Microsoft Corporation, Microsoft antimalware file system filter driver)
0xEC570000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xEC528000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
0x806EE000 ACPI_HAL 131840 bytes
0x806EE000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF779A000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF77EA000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF76AF000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF77D2000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xF77D2000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xEC3FA000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF77BA000 C:\WINDOWS\System32\Drivers\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xF7783000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF6817000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB93B0000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF6E78000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF708C000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xEC613000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF7809000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF6766000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF3D8C000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF7A29000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF79F9000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF7A59000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF7A39000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xB94FD000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF419C000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF78A9000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF79E9000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF720F000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF7889000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF3D7C000 C:\WINDOWS\System32\Drivers\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0xF7AA9000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF78B9000 agp440.sys 45056 bytes (Microsoft Corporation, 440 NT AGP Filter)
0xEF977000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF7A49000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF7879000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF7A99000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF7869000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF41BC000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF3E8D000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
!!!!!!!!!!!Hidden driver: 0xF0202000 4157096036 36864 bytes
0xF7A19000 C:\WINDOWS\System32\Drivers\AFS2K.SYS 36864 bytes (Oak Technology Inc., Audio File System)
0xF7899000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF7899000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF3D6C000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF7AB9000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xEF9D7000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xB8647000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF79D9000 C:\WINDOWS\system32\DRIVERS\processr.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF79C9000 C:\WINDOWS\System32\Drivers\vbma93e3.SYS 36864 bytes (VIA Technologies, Inc., Virtual Bus for Microsoft ACPI-Compliant System)
0xF0212000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
!!!!!!!!!!!Hidden driver: 0xEFE4A000 4157096036 32768 bytes
0xF7B01000 cercsr6.sys 32768 bytes (Adaptec, Inc., DELL CERC SATA1.5/6ch Miniport Driver)
0xF7C09000 C:\WINDOWS\system32\DRIVERS\DM9PCI5.SYS 32768 bytes (CNet Technology, Inc. , NDIS 5.0 driver )
0xF373A000 C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys 32768 bytes (Logitech, Inc., Logitech Mouse Filter Driver.)
0xF7C01000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xEFE52000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF7AE9000 szkg.sys 32768 bytes (iS3 Inc., szkg Device Driver)
0xF7C11000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xEFE6A000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF3742000 C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys 28672 bytes (Logitech, Inc., Logitech HID Filter Driver.)
0xF7AF1000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xEFE7A000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF7C21000 C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xF7C19000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF374A000 C:\WINDOWS\System32\Drivers\LUsbFilt.Sys 24576 bytes (Logitech, Inc., Logitech USB Filter Driver.)
0xF3A76000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF393E000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 24576 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS)
0xF7C29000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xEFE62000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF4075000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xEFE5A000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF7AF9000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF3A86000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF3A7E000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF7C71000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF3732000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF7D15000 C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys 16384 bytes (Logitech, Inc., Logitech PS2 Keyboard Filter Driver.)
0xF0734000 C:\WINDOWS\system32\drivers\MODEMCSA.sys 16384 bytes (Microsoft Corporation, Unimodem CSA Filter)
0xF60EB000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB97D8000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF7D19000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF7C7D000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF3B19000 C:\WINDOWS\system32\BUFADPT.SYS 12288 bytes (BUFFALO INC., BUFFALO Wireless Network Adapter Manager)
0xF767A000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF7D45000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xB95DD000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER)
0xF7D49000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF7D2D000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF3B1D000 C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS 12288 bytes (Dell Computer Corporation, OMCI Device Driver)
0xF7D65000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF42EE000 C:\WINDOWS\System32\drivers\ws2ifsl.sys 12288 bytes (Microsoft Corporation, Winsock2 IFS Layer)
0xF7D6F000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7D85000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF7D6D000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF44DB000 C:\Program Files\HWiNFO32\HWiNFO32.SYS 8192 bytes (REALiX™, HWiNFO32 Kernel Driver)
0xF7D6B000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xF7D71000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7D7D000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF7D73000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7E2B000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7DE7000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7D69000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0x83786000 C:\WINDOWS\system32\KDCOM.DLL 7040 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7EF4000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7F34000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF03A5000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7ECB000 C:\WINDOWS\system32\drivers\SENSUPGD.SYS 4096 bytes (Sensaura Ltd, Sensaura Upgrade)
0xF023711B unknown_irp_handler 3813 bytes
!!!!!!!!!!!Hidden driver: 0x8375C298 ?_empty_? 3432 bytes
==============================================
>Stealth
==============================================
0xF77D2000 WARNING: suspicious driver modification [atapi.sys::0x8375C298]
0xF0236AA7 Unknown page with executable code, 1369 bytes
WARNING: Virus alike driver modification [netbios.sys]
0xEFE4D730 Unknown thread object [ ETHREAD 0x833AD8E0 ] TID: 380, 600 bytes
0xF0206078 Unknown thread object [ ETHREAD 0x833B5530 ] TID: 384, 600 bytes
0xF0237E8A Unknown thread object [ ETHREAD 0x833B47C0 ] TID: 388, 600 bytes

#4 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Location: Puerto rico

Posted 30 October 2010 - 01:31 AM

Greetings

One or more of the identified infections is known as a Backdoor Trojan: the TDSS rootkit. Please read the following.

What this virus does:

Functionality
The functionality that the Trojan exhibits implies that it has been designed with profit-making as its primary objective. Making money from the Web typically involves generating Web traffic, installing pay-per-install software and generating sales leads for other Web sites and services of a dubious nature. It tries to achieve its objective by employing an array of techniques to try and make the user participate in these income-generating activities.

What the virus can do:

Backdoor.Tidserv is a Trojan horse that uses an advanced rootkit to hide itself. It also displays advertisements, redirects user search results, and opens a back door on the compromised computer.

This "could" allow hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet. If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can clean this machine but I cannot guarantee that it will be 100% secure afterwards. If you would like to continue, then follow the steps below; otherwise please let me know.

I Would like you to do the following.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out here or here.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

Information and logs:

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#5 elonkra (Topic Starter)

  • Members
  • 27 posts

Posted 30 October 2010 - 02:21 AM

Thank you for the continuing supply of helpful information. I am willing to continue forward with an attempt to clean, and have had no problems yet regarding identity theft or banking, e.g.

I downloaded and ran combofix. A very small rectangular combofix window opened with a progress bar, and then it closed, and then a standard "Open with" window opened, which simply provides a list of programs and asks me which I would like to use to open "nircmd.cfxxe".

Wasn't sure what to do at that point. If you need a screencap, I can provide one.

#6 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Location: Puerto rico

Posted 30 October 2010 - 02:25 AM

Hello

Let's try something else first. I want you to run this tool for me next.

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

#7 elonkra (Topic Starter)

  • Members
  • 27 posts

Posted 30 October 2010 - 03:18 AM

Thanks!

2010/10/30 02:44:49.0779 TDSS rootkit removing tool 2.4.5.1 Oct 26 2010 11:28:49
2010/10/30 02:44:49.0779 ================================================================================
2010/10/30 02:44:49.0779 SystemInfo:
2010/10/30 02:44:49.0826
2010/10/30 02:44:49.0826 OS Version: 5.1.2600 ServicePack: 3.0
2010/10/30 02:44:49.0826 Product type: Workstation
2010/10/30 02:44:49.0826 ComputerName: HOMECOMPUTER
2010/10/30 02:44:49.0873 UserName: Chad Gowens
2010/10/30 02:44:49.0873 Windows directory: C:\WINDOWS
2010/10/30 02:44:49.0873 System windows directory: C:\WINDOWS
2010/10/30 02:44:49.0873 Processor architecture: Intel x86
2010/10/30 02:44:49.0873 Number of processors: 1
2010/10/30 02:44:49.0873 Page size: 0x1000
2010/10/30 02:44:49.0904 Boot type: Normal boot
2010/10/30 02:44:49.0904 ================================================================================
2010/10/30 02:44:53.0092 Initialize success
2010/10/30 02:47:31.0068 ================================================================================
2010/10/30 02:47:31.0068 Scan started
2010/10/30 02:47:31.0068 Mode: Manual;
2010/10/30 02:47:31.0068 ================================================================================
2010/10/30 02:47:48.0413 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys
2010/10/30 02:47:49.0069 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/10/30 02:47:49.0866 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/10/30 02:47:50.0835 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/10/30 02:47:51.0694 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/10/30 02:47:52.0319 AFS2K (0ebb674888cbdefd5773341c16dd6a07) C:\WINDOWS\system32\drivers\AFS2K.sys
2010/10/30 02:47:53.0226 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2010/10/30 02:47:56.0648 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/10/30 02:47:56.0819 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/10/30 02:47:57.0163 ati2mtaa (7e49ca74ad10ab761d620db5b02765cf) C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys
2010/10/30 02:47:57.0351 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/10/30 02:47:57.0601 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/10/30 02:47:57.0804 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/10/30 02:47:57.0976 BFAIFILT (7741690c21a7f99453cbe5dee8af6907) C:\WINDOWS\system32\Drivers\bfaifilt.sys
2010/10/30 02:47:58.0366 BUFADPT (df306fdaf60511b1f117b34a575abe07) C:\WINDOWS\system32\BUFADPT.SYS
2010/10/30 02:47:58.0648 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/10/30 02:47:59.0023 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/10/30 02:47:59.0210 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/10/30 02:47:59.0413 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/10/30 02:47:59.0585 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
2010/10/30 02:48:00.0804 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/10/30 02:48:00.0976 DM9102 (51ef6ca3d57055fed6ab99021d562443) C:\WINDOWS\system32\DRIVERS\DM9PCI5.SYS
2010/10/30 02:48:01.0242 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/10/30 02:48:01.0492 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/10/30 02:48:01.0679 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/10/30 02:48:01.0882 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/10/30 02:48:02.0210 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/10/30 02:48:02.0585 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/10/30 02:48:02.0867 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/10/30 02:48:03.0085 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/10/30 02:48:03.0351 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/10/30 02:48:03.0523 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/10/30 02:48:03.0695 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/10/30 02:48:04.0007 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/10/30 02:48:04.0226 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2010/10/30 02:48:04.0523 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/10/30 02:48:04.0992 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/10/30 02:48:05.0679 HPZid412 (287a63bd8509bd78e7978823b38afa81) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2010/10/30 02:48:05.0961 HPZipr12 (0b4fda2657c3e0315eaa57f9c6d4fd1f) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2010/10/30 02:48:06.0289 HPZius12 (29559db25258b60510a60c4e470fce32) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2010/10/30 02:48:06.0539 HSFHWBS2 (970178e8e003eb1481293830069624b9) C:\WINDOWS\system32\DRIVERS\HSFBS2S2.sys
2010/10/30 02:48:06.0976 HSF_DP (ebb354438a4c5a3327fb97306260714a) C:\WINDOWS\system32\DRIVERS\HSFDPSP2.sys
2010/10/30 02:48:07.0382 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/10/30 02:48:07.0586 HWiNFO32 (c364282a3c27c1c26baade522eb29bc5) C:\Program Files\HWiNFO32\HWiNFO32.SYS
2010/10/30 02:48:08.0601 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/10/30 02:48:09.0211 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/10/30 02:48:09.0836 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/10/30 02:48:10.0133 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/10/30 02:48:10.0383 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/10/30 02:48:10.0617 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/10/30 02:48:10.0883 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/10/30 02:48:11.0086 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/10/30 02:48:11.0351 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/10/30 02:48:11.0664 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/10/30 02:48:12.0039 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/10/30 02:48:12.0742 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/10/30 02:48:12.0992 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/10/30 02:48:13.0289 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/10/30 02:48:13.0539 L8042Kbd (ac728768de636093b4d5ae6361cfadae) C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys
2010/10/30 02:48:13.0758 L8042mou (02d869562e114db8867271992408bb2d) C:\WINDOWS\system32\DRIVERS\L8042mou.Sys
2010/10/30 02:48:14.0336 LHidFilt (75415a95c589a07d6c97baa2d4143916) C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys
2010/10/30 02:48:14.0852 LMouFilt (fcb3f81ac07b8608f921134237823b88) C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys
2010/10/30 02:48:15.0180 LMouKE (b286865ac2747ee3b5ea78b5231f8c57) C:\WINDOWS\system32\DRIVERS\LMouKE.Sys
2010/10/30 02:48:15.0602 LUsbFilt (ff1c2f90d40a2e52649937854e175987) C:\WINDOWS\system32\Drivers\LUsbFilt.Sys
2010/10/30 02:48:15.0898 mdmxsdk (195741aee20369980796b557358cd774) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2010/10/30 02:48:16.0352 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/10/30 02:48:16.0742 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/10/30 02:48:17.0024 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2010/10/30 02:48:17.0258 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/10/30 02:48:17.0524 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/10/30 02:48:17.0805 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/10/30 02:48:18.0133 MpFilter (c98301ad8173a2235a9ab828955c32bb) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
2010/10/30 02:48:18.0586 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
2010/10/30 02:48:19.0617 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
2010/10/30 02:48:20.0367 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/10/30 02:48:20.0649 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/10/30 02:48:21.0024 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/10/30 02:48:21.0524 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/10/30 02:48:21.0836 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/10/30 02:48:22.0321 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/10/30 02:48:22.0586 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/10/30 02:48:22.0821 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/10/30 02:48:23.0024 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/10/30 02:48:23.0289 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/10/30 02:48:23.0586 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/10/30 02:48:23.0789 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/10/30 02:48:23.0993 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/10/30 02:48:24.0243 NetBIOS (f61a47e5bd83f2f94ed579510d062157) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/10/30 02:48:24.0555 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/10/30 02:48:25.0899 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/10/30 02:48:26.0758 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/10/30 02:48:27.0399 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/10/30 02:48:27.0930 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/10/30 02:48:28.0399 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/10/30 02:48:28.0743 OMCI (e1e54131462b63efefaf14aca8e4012b) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
2010/10/30 02:48:28.0946 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/10/30 02:48:29.0180 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/10/30 02:48:29.0571 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/10/30 02:48:29.0915 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/10/30 02:48:31.0055 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/10/30 02:48:33.0509 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/10/30 02:48:33.0962 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/10/30 02:48:34.0321 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/10/30 02:48:34.0618 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/10/30 02:48:35.0462 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/10/30 02:48:35.0681 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/10/30 02:48:35.0977 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/10/30 02:48:36.0212 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/10/30 02:48:36.0462 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/10/30 02:48:37.0040 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/10/30 02:48:37.0478 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/10/30 02:48:37.0915 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/10/30 02:48:38.0759 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2010/10/30 02:48:39.0056 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2010/10/30 02:48:39.0728 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/10/30 02:48:40.0150 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/10/30 02:48:40.0587 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/10/30 02:48:41.0259 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/10/30 02:48:42.0134 smwdm (bd3e236281547c681dfc7c947531b726) C:\WINDOWS\system32\drivers\smwdm.sys
2010/10/30 02:48:42.0978 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/10/30 02:48:43.0306 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/10/30 02:48:43.0775 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/10/30 02:48:44.0072 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/10/30 02:48:44.0275 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/10/30 02:48:45.0619 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/10/30 02:48:45.0884 szkg5 (9f329174fba9fc0fa10b8a3d4310c7a5) C:\WINDOWS\system32\DRIVERS\szkg.sys
2010/10/30 02:48:46.0540 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/10/30 02:48:46.0884 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/10/30 02:48:47.0165 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/10/30 02:48:47.0415 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/10/30 02:48:48.0197 U2KG54 (70aeec67e87a2002e6b2cc353d56e222) C:\WINDOWS\system32\DRIVERS\U2KG54.sys
2010/10/30 02:48:48.0634 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/10/30 02:48:49.0056 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/10/30 02:48:49.0572 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
2010/10/30 02:48:49.0791 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/10/30 02:48:50.0009 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/10/30 02:48:50.0166 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/10/30 02:48:50.0431 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/10/30 02:48:50.0634 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/10/30 02:48:50.0822 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/10/30 02:48:51.0025 Suspicious service (NoAccess): vbma93e3
2010/10/30 02:48:51.0150 vbma93e3 (ac078c5c3d5de6b760ed6dc1d938d221) C:\WINDOWS\system32\drivers\vbma93e3.sys
2010/10/30 02:48:51.0197 vbma93e3 - detected Locked service (1)
2010/10/30 02:48:51.0369 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/10/30 02:48:51.0775 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/10/30 02:48:52.0119 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/10/30 02:48:52.0416 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2010/10/30 02:48:52.0869 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/10/30 02:48:53.0181 winachsf (1225ebea76aac3c84df6c54fe5e5d8be) C:\WINDOWS\system32\DRIVERS\HSFCXTS2.sys
2010/10/30 02:48:53.0666 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2010/10/30 02:48:54.0338 \HardDisk0\MBR - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/10/30 02:48:54.0416 ================================================================================
2010/10/30 02:48:54.0416 Scan finished
2010/10/30 02:48:54.0416 ================================================================================
2010/10/30 02:48:54.0603 Detected object count: 2
2010/10/30 02:49:34.0277 Locked service(vbma93e3) - User select action: Skip
2010/10/30 02:49:34.0308 \HardDisk0\MBR - will be cured after reboot
2010/10/30 02:49:34.0308 Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) - User select action: Cure
2010/10/30 02:49:42.0059 Deinitialize success
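The log above triaged programmatically. This is an added Python example written for this page; it is not TDSSKiller code and did not appear in the thread. It parses the three line shapes TDSSKiller emits (driver enumeration as "name (md5) path", "Suspicious service" and "detected" verdict lines, and "User select action" lines) and then reports what still needs attention: the locked service vbma93e3 that was skipped, and the MBR infection that is cured only after reboot. The sample input is excerpted from the log posted above; the severity labels and the cue for drivers loaded from outside the Windows directory are this example's own heuristics, not rules TDSSKiller applies.

```python
# Added example for this thread: triage a TDSSKiller log.  Not TDSSKiller
# code and not from the forum post.  Severity labels and the "image outside
# the Windows directory" cue are this example's own assumptions.
import re
from dataclasses import dataclass, field

# Excerpt of the log posted above (real lines, cut down to the relevant ones).
SAMPLE_LOG = r"""
2010/10/30 02:44:49.0873 Windows directory: C:\WINDOWS
2010/10/30 02:47:49.0069 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/10/30 02:48:07.0586 HWiNFO32 (c364282a3c27c1c26baade522eb29bc5) C:\Program Files\HWiNFO32\HWiNFO32.SYS
2010/10/30 02:48:18.0586 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
2010/10/30 02:48:51.0025 Suspicious service (NoAccess): vbma93e3
2010/10/30 02:48:51.0150 vbma93e3 (ac078c5c3d5de6b760ed6dc1d938d221) C:\WINDOWS\system32\drivers\vbma93e3.sys
2010/10/30 02:48:51.0197 vbma93e3 - detected Locked service (1)
2010/10/30 02:48:54.0338 \HardDisk0\MBR - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/10/30 02:49:34.0277 Locked service(vbma93e3) - User select action: Skip
2010/10/30 02:49:34.0308 Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) - User select action: Cure
"""

# Every line is "YYYY/MM/DD HH:MM:SS.ffff <message>"; the message takes one of these shapes.
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}) (.*)$")
DRIVER_RE = re.compile(r"^(\S+) \(([0-9a-f]{32})\) (.+)$")           # name (md5) path
SUSPICIOUS_RE = re.compile(r"^Suspicious service \((\w+)\): (\S+)$")  # Suspicious service (reason): name
DETECTED_RE = re.compile(r"^(.+?) - detected (.+?) \(\d+\)$")        # object - detected verdict (n)
ACTION_RE = re.compile(r"^(.+?)\((.+?)\) - User select action: (\w+)$")
WINDIR_RE = re.compile(r"^Windows directory: (.+)$")


@dataclass
class Driver:
    service: str
    md5: str
    path: str


@dataclass
class Triage:
    windows_dir: str = ""
    drivers: list = field(default_factory=list)     # every enumerated driver
    suspicious: dict = field(default_factory=dict)  # service -> reason, e.g. NoAccess
    detections: dict = field(default_factory=dict)  # object -> verdict
    actions: dict = field(default_factory=dict)     # object -> Skip / Cure / Delete ...


def parse_tdsskiller_log(text: str) -> Triage:
    t = Triage()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # separator rules, blank lines
        body = m.group(2)
        if d := DRIVER_RE.match(body):
            t.drivers.append(Driver(*d.groups()))
        elif s := SUSPICIOUS_RE.match(body):
            t.suspicious[s.group(2)] = s.group(1)
        elif v := DETECTED_RE.match(body):
            t.detections[v.group(1)] = v.group(2)
        elif a := ACTION_RE.match(body):
            t.actions[a.group(2)] = a.group(3)
        elif w := WINDIR_RE.match(body):
            t.windows_dir = w.group(1)
    return t


def outside_windows_dir(t: Triage) -> list:
    # Review cue only: hardware tools and security products legitimately load
    # drivers from Program Files.  8.3 names (PROGRA~1) are not expanded.
    if not t.windows_dir:
        return []
    windir = t.windows_dir.lower().rstrip("\\") + "\\"
    return [d for d in t.drivers if not d.path.lower().startswith(windir)]


def findings(t: Triage) -> list:
    """(severity, message) pairs: HIGH for TDSSKiller verdicts, INFO for review cues."""
    out = []
    by_name = {d.service: d for d in t.drivers}
    for obj, verdict in t.detections.items():
        action = t.actions.get(obj, "none")
        drv = by_name.get(obj)
        where = f" image={drv.path} md5={drv.md5}" if drv else ""
        note = f"{obj}: {verdict}, action={action}{where}"
        if obj.upper().endswith("\\MBR"):
            note += " (MBR bootkit: loads before Windows; confirm with a rescan after reboot)"
        if action == "Skip":
            note += " (left in place: remove the driver/service before rescanning)"
        out.append(("HIGH", note))
    for svc, reason in t.suspicious.items():
        if svc not in t.detections:  # flagged but never given a verdict
            out.append(("HIGH", f"{svc}: suspicious service ({reason}) without a verdict"))
    for d in outside_windows_dir(t):
        out.append(("INFO", f"{d.service}: third-party driver at {d.path} (verify vendor and hash)"))
    return out


if __name__ == "__main__":
    for severity, message in findings(parse_tdsskiller_log(SAMPLE_LOG)):
        print(f"[{severity}] {message}")
```

Run it as a script to print the findings, or pass the full log text to parse_tdsskiller_log. The "outside the Windows directory" list is a prompt to check, not a verdict: on this log it picks up a hardware monitor and a Motive driver, while the actual malware (vbma93e3.sys) sits in system32\drivers and is caught only by TDSSKiller's own verdict lines, which is why those are reported HIGH and the path cue only INFO.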

#8 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 30 October 2010 - 03:28 AM

Hello

Ok, let's try this. I want you to run ComboFix in Safe Mode, but it is very important that when ComboFix reboots the computer, you direct it back into Safe Mode so it can finish the scan.

Boot into Safe Mode

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Log in to your usual account.

After ComboFix has finished its scan, please post the report back here.

Gringo

#9 elonkra (Topic Starter)

Posted 01 November 2010 - 03:36 PM

Sorry for the somewhat belated response.

I booted into safe mode and ran combofix, with the same result as described above in normal mode (a small, rectangular combofix window opened with a progress bar, and then disappeared w/no further results, right around the time the progress bar seemed to reach 100%). I downloaded a screencap of the progress bar to photobucket, and can therefore show you exactly what it was that I saw, if needed.

Thanks again.

#10 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 01 November 2010 - 04:50 PM

Hello

Here is what I want you to do: navigate to this file, C:\WINDOWS\system32\drivers\vbma93e3.sys. I want you to drag this file from the system32 folder to the desktop and rerun ComboFix for me.

Gringo

#11 elonkra (Topic Starter)

Posted 01 November 2010 - 07:46 PM

Ok, here's my update:

1. I dragged the file and wasn't sure whether I should try combofix in normal or safe mode, so I tried normal first (same result as above--progress bar + apparent crash/no log)

2. Rebooted into safe mode, checked to see if I needed to re-drag the file, and I didn't, so I tried to run combofix, and I experienced a bit of progress. Can't remember exactly what the combofix window(s) said after the progress bar closed, but the program DID progress further than before, and I began to click through the prompts that you said I would encounter. I will try to do a better job with my note-taking and/or screen-capping of images and error messages that I come across going forward (sorry). If I'm not mistaken, I got a set of two progress bars shortly after a script-like window opened up (sorry if my lingo is bad here, as well).

3. Ultimately, and shortly after I broke this new ground, a combofix window popped up to notify me that I needed to disable "microsoft security essentials" before proceeding. So I tried to figure out how to disable it. For the sake of context, I previously attempted to install MSE, at the suggestion of a friend, shortly after I encountered this problem (before you and I ever interacted online). I cannot remember the result of that attempt, though I am guessing the result of that effort was similar to my other previously-described attempts to run anti-malware software (crashes + error messages notifying me that the file, path, device, or driver cannot be found and/or I didn't have permission to access).

In any event, in an attempt to disable MSE as combofix recommended, I went to start --> all programs --> microsoft security essentials, and tried to run the program (hoping that I'd have the option to disable), but that did not work. So I tried to uninstall the program through the control panel, but could not figure out which program to uninstall, so I abandoned that idea as well. I tried googling around for a solution, but found no trustworthy answer, so I tried to "x out" of the combofix window that first told me to "click ok" when I had disabled MSE, so that I could reboot in normal and report my progress to you, but instead of shutting down, it appeared to me that combofix began running (kindly, and at my own risk, to use its language).

After that, I got a notice telling me that MS recovery console needed to be installed and/or updated ("click yes to download install, net connection required"). I clicked no, and then combofix seemed to try and "scan" anyway (may take ten minutes, or more if badly infected, as the pop-up window informed me). I x'd out and rebooted in normal at that point, because I wanted to report to you before progressing any further. Sorry for the long-windedness, just trying to be as thorough and as helpful as possible. Thanks!

#12 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 01 November 2010 - 10:20 PM

Hello

Ok, go back into Safe Mode and run ComboFix. If it says to disable anything, go ahead and keep going (most things are off during Safe Mode), and if it reboots the computer, make sure you go back into Safe Mode.


Gringo

#13 elonkra (Topic Starter)

Posted 02 November 2010 - 12:32 AM

Update:

1. I went into safe mode and ran combofix as instructed. Ignored the command to disable microsoft security essentials, and soon thereafter, I encountered a window that popped up with the title "microsoft windows recovery console." Here's what it said:

========

this machine does not have the microsoft windows recovery console installed. alternately, an existing installation of the recovery console may be present but requires updating.

without it, combofix shall not attempt the fixing of some serious infections.

click yes to have combofix download/install it.

note: this requires an active internet connection.

---------


2. I clicked no, and proceeded, given that I figured there's no internet connection when operating in safe mode.

3. Combofix proceeded with its scan, and I encountered a couple of error messages along the way, for what it's worth ("pev.exe" encountered a problem and needs to close, "windows explorer" encountered a problem and needs to close). If you wanna know the stage at which I encountered those errors, I can check my notes and tell you. After completing 50 stages, I got a pop-up window I've encountered before, which notifies me that I'm in safe mode and asks me if I wanna continue. I said yes, and combofix continued, telling me a "deeper scan" which might take 10-15 minutes was needed. I exited the room for about that length of time, and upon returning, the computer was back at the welcome screen (apparently, a reboot happened for some reason). I restarted the computer in safe mode, and re-ran combofix again. 50 stages went by, and this time, no deeper scan was mentioned. Instead, certain files were deleted. Then I was notified that a log report was being prepared, which follows below.

4. Upon restarting the computer in normal mode, significant progress seems to have been made. First off, my logitech mouse checked for updates, and another random startup program initialized (chameleon clock). No need to celebrate over random, unnecessary, and probably cumbersome startup programs seeing the light of day, I'm sure, but until now, nothing at all was starting up since this problem first occurred, nor was anything visible in the area that shows certain running programs, in the lower right corner of the task bar (system tray, I think it might be called?). In addition, while I continued my recent routine of immediately running rkill.com a couple or three times upon booting up, this was the first time that I did not get the "YOUR COMPUTER IS INFECTED" rectangle, and the first time that I did not have to open the task manager to "end the task" entitled "antivirus 2010."

So what is next, and where should I ship you my firstborn son, exactly? You'll find the combofix log that you asked for below:

ComboFix 10-10-28.09 - Chad Gowens 11/01/2010 23:23:31.2.1 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.383.228 [GMT -5:00]
Running from: c:\documents and settings\Chad Gowens\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning enabled* (Outdated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Chad Gowens\Application Data\Nuxa\ipsuz.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\5wIih2.exe
c:\windows\avp32.exe
c:\windows\debug.exe
c:\windows\drweb.exe
c:\windows\Fonts\5wIih2.com
c:\windows\gdi32 .exe
c:\windows\iexplarer.exe
c:\windows\login.exe
c:\windows\mdm.exe
c:\windows\setup.exe
c:\windows\wininst.exe
.
---- Previous Run -------
.
c:\docume~1\CHADGO~1\LOCALS~1\Temp\1036870482.exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\1090031766 .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\1090031766.exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\1186950386.exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\1252786172.exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\1287008906.exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\1338476602.exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\1515220742.exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\1604025278.exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\1614657570.exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\2067137778 .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\2067137778.exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\2814338205.exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\2962241076.exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\315034142 .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\315034142.exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\3380555052.exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\3417143844.exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\3516078338.exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\3520373412.exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\3608287582.exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\3681169158.exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\979581246.exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\avp .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\avp .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\avp .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\avp .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\avp .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\avp .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\avp .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\avp .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\avp32 .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\avp32 .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\cmd .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\cmd .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\cmd .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\cmd .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\cmd .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\csrss .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\csrss .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\csrss .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\debug .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\debug .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\debug .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\debug .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\drweb .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\drweb .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\drweb .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\drweb .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\drweb .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\drweb .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\drweb .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\drweb .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\drweb .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\gdi32 .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\gdi32 .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\gdi32 .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\gdi32 .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\gdi32 .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\gdi32 .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\hexdump .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\hexdump .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\hexdump .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\iexplarer .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\iexplarer .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\iexplarer .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\iexplarer .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\install .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\install .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\login .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\login .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\login .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\login .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\login .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\login .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\login .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\login .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\login .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\login .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\login .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\login .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\lsass .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\lsass .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\lsass .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\lsass .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\lsass .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\lsass .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\lsass .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\mdm .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\mdm .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\mdm .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\nvsvc32 .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\nvsvc32 .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\nvsvc32 .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\services .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\services .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\services .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\services .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\setup .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\setup .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\setup .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\setup .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\setup .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\setup .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\setup .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\setup .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\setup .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\setup .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\setup .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\setup .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\smss .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\smss .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\smss .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\spoolsv .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\spoolsv .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\spoolsv .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\spoolsv .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\spoolsv .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\spoolsv .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\spoolsv .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\svchost .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\svchost .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\svchost .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\sysedit .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\sysedit .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\sysedit .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\sysedit .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\system .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\system .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\taskmgr .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\taskmgr .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\taskmgr .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\user .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\user .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\user .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\win .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\win .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\win .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\win16 .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\win16 .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\win16 .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\win16 .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\win16 .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\win16 .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\winamp .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\winamp .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\winamp .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\winamp .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\wininst .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\wininst .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\wininst .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\winlogon .exe
c:\docume~1\CHADGO~1\LOCALS~1\Temp\winlogon .exe
c:\documents and settings\All Users\Application Data\.wtav
c:\documents and settings\All Users\Application Data\5wIih2.exe
c:\documents and settings\All Users\Application Data\tANTTd3R.exe
c:\documents and settings\All Users\Application Data\Update\seupd.exe
c:\documents and settings\Chad Gowens\5wIih2.com
c:\documents and settings\Chad Gowens\Application Data\hotfix.exe
c:\documents and settings\Chad Gowens\Application Data\Nuxa\ipsuz .exe
c:\documents and settings\Chad Gowens\Application Data\Nuxa\ipsuz.exe
c:\documents and settings\Chad Gowens\Local Settings\Application Data\{977E0370-4B1C-4E06-B49B-42376E4D920C}\chrome.manifest
c:\documents and settings\Chad Gowens\Local Settings\Application Data\{977E0370-4B1C-4E06-B49B-42376E4D920C}\chrome\content\_cfg.js
c:\documents and settings\Chad Gowens\Local Settings\Application Data\{977E0370-4B1C-4E06-B49B-42376E4D920C}\chrome\content\overlay.xul
c:\documents and settings\Chad Gowens\Local Settings\Application Data\{977E0370-4B1C-4E06-B49B-42376E4D920C}\install.rdf
c:\documents and settings\Chad Gowens\Local Settings\Application Data\5wIih2.exe
c:\documents and settings\Chad Gowens\Local Settings\Temp\lsass .exe
c:\documents and settings\Chad Gowens\Local Settings\Temp\lsass .exe
c:\documents and settings\Chad Gowens\Local Settings\Temp\lsass .exe
c:\documents and settings\Chad Gowens\Local Settings\Temp\lsass .exe
c:\documents and settings\Chad Gowens\Local Settings\Temp\lsass .exe
c:\documents and settings\Chad Gowens\Local Settings\Temp\lsass .exe
c:\documents and settings\Chad Gowens\Local Settings\Temp\lsass .exe
c:\documents and settings\NetworkService\Local Settings\Application Data\5wIih2.exe
c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
c:\program files\AT&T\Internet Security Wizard\ISW.exe
c:\program files\BillP Studios\WinPatrol\winpatrol.exe
c:\program files\Chameleon Clock\ChamClock.exe
c:\program files\Common Files\iS3\Anti-Spyware\SZServer.exe
c:\program files\Messenger\msmsgs.exe
c:\program files\Microsoft Security Essentials\msseces.exe
c:\program files\Microsoft Works\WkDetect.exe
c:\program files\Mozilla Firefox\searchplugins\google_search.xml
c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
c:\windows\avp .exe
c:\windows\avp .exe
c:\windows\avp .exe
c:\windows\avp .exe
c:\windows\avp .exe
c:\windows\avp .exe
c:\windows\avp .exe
c:\windows\avp .exe
c:\windows\avp.exe
c:\windows\cmd .exe
c:\windows\cmd .exe
c:\windows\cmd .exe
c:\windows\cmd .exe
c:\windows\cmd .exe
c:\windows\cmd .exe
c:\windows\cmd .exe
c:\windows\cmd .exe
c:\windows\cmd .exe
c:\windows\cmd .exe
c:\windows\cmd .exe
c:\windows\cmd .exe
c:\windows\cmd .exe
c:\windows\cmd .exe
c:\windows\cmd .exe
c:\windows\cmd .exe
c:\windows\cmd .exe
c:\windows\cmd.exe
c:\windows\csrss .exe
c:\windows\csrss .exe
c:\windows\csrss.exe
c:\windows\debug .exe
c:\windows\debug .exe
c:\windows\debug .exe
c:\windows\debug .exe
c:\windows\debug .exe
c:\windows\debug .exe
c:\windows\debug .exe
c:\windows\debug .exe
c:\windows\debug .exe
c:\windows\drweb .exe
c:\windows\drweb .exe
c:\windows\drweb .exe
c:\windows\drweb .exe
c:\windows\Fonts\5wIih2.com
c:\windows\gdi32 .exe
c:\windows\gdi32 .exe
c:\windows\gdi32.exe
c:\windows\hexdump .exe
c:\windows\hexdump.exe
c:\windows\iexplarer .exe
c:\windows\iexplarer .exe
c:\windows\iexplarer .exe
c:\windows\iexplarer .exe
c:\windows\iexplarer .exe
c:\windows\iexplarer .exe
c:\windows\iexplarer .exe
c:\windows\iexplarer .exe
c:\windows\iexplarer .exe
c:\windows\iexplarer .exe
c:\windows\install .exe
c:\windows\install.exe
c:\windows\isimoheyevalan.dll
c:\windows\login .exe
c:\windows\login .exe
c:\windows\login .exe
c:\windows\login .exe
c:\windows\login .exe
c:\windows\login .exe
c:\windows\login .exe
c:\windows\login .exe
c:\windows\login .exe
c:\windows\lsass .exe
c:\windows\lsass .exe
c:\windows\lsass.exe
c:\windows\mdm .exe
c:\windows\nvsvc32.exe
c:\windows\Prpurot.dll
c:\windows\services .exe
c:\windows\services .exe
c:\windows\services .exe
c:\windows\services .exe
c:\windows\services .exe
c:\windows\services .exe
c:\windows\services .exe
c:\windows\services .exe
c:\windows\services .exe
c:\windows\services.exe
c:\windows\setup .exe
c:\windows\setup .exe
c:\windows\setup .exe
c:\windows\setup .exe
c:\windows\setup .exe
c:\windows\setup .exe
c:\windows\setup .exe
c:\windows\setup .exe
c:\windows\smss .exe
c:\windows\smss.exe
c:\windows\spoolsv .exe
c:\windows\spoolsv .exe
c:\windows\spoolsv.exe
c:\windows\svchost .exe
c:\windows\svchost.exe
c:\windows\sysedit .exe
c:\windows\sysedit .exe
c:\windows\sysedit .exe
c:\windows\sysedit .exe
c:\windows\sysedit .exe
c:\windows\sysedit .exe
c:\windows\sysedit .exe
c:\windows\sysedit.exe
c:\windows\system .exe
c:\windows\system .exe
c:\windows\system .exe
c:\windows\system.exe
c:\windows\system32\404Fix.exe
c:\windows\system32\6to4v32.dll
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\bbrpp.dll
c:\windows\system32\certstore.dat
c:\windows\system32\cnzwnse8gs.dll
c:\windows\system32\config\systemprofile\5wIih2.com
c:\windows\system32\dumphive.exe
c:\windows\system32\Iasv32.dll
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\USRINI~1.EXE
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\taskmgr.exe
c:\windows\Tasks\At100.job
c:\windows\Tasks\At1000.job
c:\windows\Tasks\At1001.job
c:\windows\Tasks\At1002.job
c:\windows\Tasks\At1003.job
c:\windows\Tasks\At1004.job
c:\windows\Tasks\At1005.job
c:\windows\Tasks\At1006.job
c:\windows\Tasks\At1007.job
c:\windows\Tasks\At1008.job
c:\windows\Tasks\At1009.job
c:\windows\Tasks\At101.job
c:\windows\Tasks\At1010.job
c:\windows\Tasks\At1011.job
c:\windows\Tasks\At1012.job
c:\windows\Tasks\At1013.job
c:\windows\Tasks\At1014.job
c:\windows\Tasks\At1015.job
c:\windows\Tasks\At1016.job
c:\windows\Tasks\At1017.job
c:\windows\Tasks\At1018.job
c:\windows\Tasks\At1019.job
c:\windows\Tasks\At1020.job
c:\windows\Tasks\At1021.job
c:\windows\Tasks\At1022.job
c:\windows\Tasks\At1023.job
c:\windows\Tasks\At1024.job
c:\windows\Tasks\At1025.job
c:\windows\Tasks\At1026.job
c:\windows\Tasks\At1027.job
c:\windows\Tasks\At1028.job
c:\windows\Tasks\At1029.job
c:\windows\Tasks\At103.job
c:\windows\Tasks\At1030.job
c:\windows\Tasks\At1031.job
c:\windows\Tasks\At1032.job
c:\windows\Tasks\At1033.job
c:\windows\Tasks\At1034.job
c:\windows\Tasks\At1035.job
c:\windows\Tasks\At1036.job
c:\windows\Tasks\At1037.job
c:\windows\Tasks\At1038.job
c:\windows\Tasks\At1039.job
c:\windows\Tasks\At104.job
c:\windows\Tasks\At1040.job
c:\windows\Tasks\At1041.job
c:\windows\Tasks\At1042.job
c:\windows\Tasks\At1043.job
c:\windows\Tasks\At1044.job
c:\windows\Tasks\At1045.job
c:\windows\Tasks\At1046.job
c:\windows\Tasks\At1047.job
c:\windows\Tasks\At1048.job
c:\windows\Tasks\At1049.job
c:\windows\Tasks\At1050.job
c:\windows\Tasks\At1051.job
c:\windows\Tasks\At1052.job
c:\windows\Tasks\At1053.job
c:\windows\Tasks\At1054.job
c:\windows\Tasks\At1055.job
c:\windows\Tasks\At1056.job
c:\windows\Tasks\At1057.job
c:\windows\Tasks\At1058.job
c:\windows\Tasks\At1059.job
c:\windows\Tasks\At106.job
c:\windows\Tasks\At1060.job
c:\windows\Tasks\At1061.job
c:\windows\Tasks\At1062.job
c:\windows\Tasks\At1063.job
c:\windows\Tasks\At1064.job
c:\windows\Tasks\At1065.job
c:\windows\Tasks\At1066.job
c:\windows\Tasks\At1067.job
c:\windows\Tasks\At1068.job
c:\windows\Tasks\At1069.job
c:\windows\Tasks\At107.job
c:\windows\Tasks\At1070.job
c:\windows\Tasks\At1071.job
c:\windows\Tasks\At1072.job
c:\windows\Tasks\At1073.job
c:\windows\Tasks\At1074.job
c:\windows\Tasks\At1075.job
c:\windows\Tasks\At1076.job
c:\windows\Tasks\At1077.job
c:\windows\Tasks\At1078.job
c:\windows\Tasks\At1079.job
c:\windows\Tasks\At1080.job
c:\windows\Tasks\At1081.job
c:\windows\Tasks\At1082.job
c:\windows\Tasks\At1083.job
c:\windows\Tasks\At1084.job
c:\windows\Tasks\At1085.job
c:\windows\Tasks\At1086.job
c:\windows\Tasks\At1087.job
c:\windows\Tasks\At1088.job
c:\windows\Tasks\At1089.job
c:\windows\Tasks\At109.job
c:\windows\Tasks\At1090.job
c:\windows\Tasks\At1091.job
c:\windows\Tasks\At1092.job
c:\windows\Tasks\At1093.job
c:\windows\Tasks\At1094.job
c:\windows\Tasks\At1095.job
c:\windows\Tasks\At1096.job
c:\windows\Tasks\At1097.job
c:\windows\Tasks\At1098.job
c:\windows\Tasks\At1099.job
c:\windows\Tasks\At110.job
c:\windows\Tasks\At1100.job
c:\windows\Tasks\At1101.job
c:\windows\Tasks\At1102.job
c:\windows\Tasks\At1103.job
c:\windows\Tasks\At1104.job
c:\windows\Tasks\At1105.job
c:\windows\Tasks\At1106.job
c:\windows\Tasks\At1107.job
c:\windows\Tasks\At1108.job
c:\windows\Tasks\At1109.job
c:\windows\Tasks\At1110.job
c:\windows\Tasks\At1111.job
c:\windows\Tasks\At1112.job
c:\windows\Tasks\At1113.job
c:\windows\Tasks\At1114.job
c:\windows\Tasks\At1115.job
c:\windows\Tasks\At1116.job
c:\windows\Tasks\At1117.job
c:\windows\Tasks\At1118.job
c:\windows\Tasks\At1119.job
c:\windows\Tasks\At112.job
c:\windows\Tasks\At1120.job
c:\windows\Tasks\At1121.job
c:\windows\Tasks\At1122.job
c:\windows\Tasks\At1123.job
c:\windows\Tasks\At1124.job
c:\windows\Tasks\At1125.job
c:\windows\Tasks\At1126.job
c:\windows\Tasks\At1127.job
c:\windows\Tasks\At1128.job
c:\windows\Tasks\At1129.job
c:\windows\Tasks\At113.job
c:\windows\Tasks\At1130.job
c:\windows\Tasks\At1131.job
c:\windows\Tasks\At1132.job
c:\windows\Tasks\At1133.job
c:\windows\Tasks\At1134.job
c:\windows\Tasks\At1135.job
c:\windows\Tasks\At1136.job
c:\windows\Tasks\At1137.job
c:\windows\Tasks\At1138.job
c:\windows\Tasks\At1139.job
c:\windows\Tasks\At1140.job
c:\windows\Tasks\At1141.job
c:\windows\Tasks\At1142.job
c:\windows\Tasks\At1143.job
c:\windows\Tasks\At1144.job
c:\windows\Tasks\At1145.job
c:\windows\Tasks\At1146.job
c:\windows\Tasks\At1147.job
c:\windows\Tasks\At1148.job
c:\windows\Tasks\At1149.job
c:\windows\Tasks\At115.job
c:\windows\Tasks\At1150.job
c:\windows\Tasks\At1151.job
c:\windows\Tasks\At1152.job
c:\windows\Tasks\At1153.job
c:\windows\Tasks\At1154.job
c:\windows\Tasks\At1155.job
c:\windows\Tasks\At1156.job
c:\windows\Tasks\At1157.job
c:\windows\Tasks\At1158.job
c:\windows\Tasks\At1159.job
c:\windows\Tasks\At116.job
c:\windows\Tasks\At1160.job
c:\windows\Tasks\At1161.job
c:\windows\Tasks\At1162.job
c:\windows\Tasks\At1163.job
c:\windows\Tasks\At1164.job
c:\windows\Tasks\At1165.job
c:\windows\Tasks\At1166.job
c:\windows\Tasks\At1167.job
c:\windows\Tasks\At1168.job
c:\windows\Tasks\At1169.job
c:\windows\Tasks\At1170.job
c:\windows\Tasks\At1171.job
c:\windows\Tasks\At1172.job
c:\windows\Tasks\At1173.job
c:\windows\Tasks\At1174.job
c:\windows\Tasks\At1175.job
c:\windows\Tasks\At1176.job
c:\windows\Tasks\At1177.job
c:\windows\Tasks\At1178.job
c:\windows\Tasks\At1179.job
c:\windows\Tasks\At118.job
c:\windows\Tasks\At1180.job
c:\windows\Tasks\At1181.job
c:\windows\Tasks\At1182.job
c:\windows\Tasks\At1183.job
c:\windows\Tasks\At1184.job
c:\windows\Tasks\At1185.job
c:\windows\Tasks\At1186.job
c:\windows\Tasks\At1187.job
c:\windows\Tasks\At1188.job
c:\windows\Tasks\At1189.job
c:\windows\Tasks\At119.job
c:\windows\Tasks\At1190.job
c:\windows\Tasks\At1191.job
c:\windows\Tasks\At1192.job
c:\windows\Tasks\At1193.job
c:\windows\Tasks\At1194.job
c:\windows\Tasks\At1195.job
c:\windows\Tasks\At1196.job
c:\windows\Tasks\At1197.job
c:\windows\Tasks\At1198.job
c:\windows\Tasks\At1199.job
c:\windows\Tasks\At1200.job
c:\windows\Tasks\At1201.job
c:\windows\Tasks\At1202.job
c:\windows\Tasks\At1203.job
c:\windows\Tasks\At1204.job
c:\windows\Tasks\At1205.job
c:\windows\Tasks\At1206.job
c:\windows\Tasks\At1207.job
c:\windows\Tasks\At1208.job
c:\windows\Tasks\At1209.job
c:\windows\Tasks\At121.job
c:\windows\Tasks\At1210.job
c:\windows\Tasks\At1211.job
c:\windows\Tasks\At1212.job
c:\windows\Tasks\At1213.job
c:\windows\Tasks\At1214.job
c:\windows\Tasks\At1215.job
c:\windows\Tasks\At1216.job
c:\windows\Tasks\At1217.job
c:\windows\Tasks\At1218.job
c:\windows\Tasks\At1219.job
c:\windows\Tasks\At122.job
c:\windows\Tasks\At1220.job
c:\windows\Tasks\At1221.job
c:\windows\Tasks\At1222.job
c:\windows\Tasks\At1223.job
c:\windows\Tasks\At1224.job
c:\windows\Tasks\At1225.job
c:\windows\Tasks\At1226.job
c:\windows\Tasks\At1227.job
c:\windows\Tasks\At1228.job
c:\windows\Tasks\At1229.job
c:\windows\Tasks\At1230.job
c:\windows\Tasks\At1231.job
c:\windows\Tasks\At1232.job
c:\windows\Tasks\At1233.job
c:\windows\Tasks\At1234.job
c:\windows\Tasks\At1235.job
c:\windows\Tasks\At1236.job
c:\windows\Tasks\At1237.job
c:\windows\Tasks\At1238.job
c:\windows\Tasks\At1239.job
c:\windows\Tasks\At124.job
c:\windows\Tasks\At1240.job
c:\windows\Tasks\At1241.job
c:\windows\Tasks\At1242.job
c:\windows\Tasks\At1243.job
c:\windows\Tasks\At1244.job
c:\windows\Tasks\At1245.job
c:\windows\Tasks\At1246.job
c:\windows\Tasks\At1247.job
c:\windows\Tasks\At1248.job
c:\windows\Tasks\At1249.job
c:\windows\Tasks\At125.job
c:\windows\Tasks\At1250.job
c:\windows\Tasks\At1251.job
c:\windows\Tasks\At1252.job
c:\windows\Tasks\At1253.job
c:\windows\Tasks\At1254.job
c:\windows\Tasks\At1255.job
c:\windows\Tasks\At1256.job
c:\windows\Tasks\At1257.job
c:\windows\Tasks\At1258.job
c:\windows\Tasks\At1259.job
c:\windows\Tasks\At1260.job
c:\windows\Tasks\At1261.job
c:\windows\Tasks\At1262.job
c:\windows\Tasks\At1263.job
c:\windows\Tasks\At1264.job
c:\windows\Tasks\At1265.job
c:\windows\Tasks\At1266.job
c:\windows\Tasks\At1267.job
c:\windows\Tasks\At1268.job
c:\windows\Tasks\At1269.job
c:\windows\Tasks\At127.job
c:\windows\Tasks\At1270.job
c:\windows\Tasks\At1271.job
c:\windows\Tasks\At1272.job
c:\windows\Tasks\At1273.job
c:\windows\Tasks\At1274.job
c:\windows\Tasks\At1275.job
c:\windows\Tasks\At1276.job
c:\windows\Tasks\At1277.job
c:\windows\Tasks\At1278.job
c:\windows\Tasks\At1279.job
c:\windows\Tasks\At128.job
c:\windows\Tasks\At1280.job
c:\windows\Tasks\At1281.job
c:\windows\Tasks\At1282.job
c:\windows\Tasks\At1283.job
c:\windows\Tasks\At1284.job
c:\windows\Tasks\At1285.job
c:\windows\Tasks\At1286.job
c:\windows\Tasks\At1287.job
c:\windows\Tasks\At1288.job
c:\windows\Tasks\At1289.job
c:\windows\Tasks\At1290.job
c:\windows\Tasks\At1291.job
c:\windows\Tasks\At1292.job
c:\windows\Tasks\At1293.job
c:\windows\Tasks\At1294.job
c:\windows\Tasks\At1295.job
c:\windows\Tasks\At1296.job
c:\windows\Tasks\At1297.job
c:\windows\Tasks\At1298.job
c:\windows\Tasks\At1299.job
c:\windows\Tasks\At130.job
c:\windows\Tasks\At1300.job
c:\windows\Tasks\At1301.job
c:\windows\Tasks\At1302.job
c:\windows\Tasks\At1303.job
c:\windows\Tasks\At1304.job
c:\windows\Tasks\At1305.job
c:\windows\Tasks\At1306.job
c:\windows\Tasks\At1307.job
c:\windows\Tasks\At1308.job
c:\windows\Tasks\At1309.job
c:\windows\Tasks\At131.job
c:\windows\Tasks\At1310.job
c:\windows\Tasks\At1311.job
c:\windows\Tasks\At1312.job
c:\windows\Tasks\At1313.job
c:\windows\Tasks\At1314.job
c:\windows\Tasks\At1315.job
c:\windows\Tasks\At1316.job
c:\windows\Tasks\At1317.job
c:\windows\Tasks\At1318.job
c:\windows\Tasks\At1319.job
c:\windows\Tasks\At1320.job
c:\windows\Tasks\At1321.job
c:\windows\Tasks\At1322.job
c:\windows\Tasks\At1323.job
c:\windows\Tasks\At1324.job
c:\windows\Tasks\At1325.job
c:\windows\Tasks\At1326.job
c:\windows\Tasks\At1327.job
c:\windows\Tasks\At1328.job
c:\windows\Tasks\At1329.job
c:\windows\Tasks\At133.job
c:\windows\Tasks\At1330.job
c:\windows\Tasks\At1331.job
c:\windows\Tasks\At1332.job
c:\windows\Tasks\At1333.job
c:\windows\Tasks\At1334.job
c:\windows\Tasks\At1335.job
c:\windows\Tasks\At1336.job
c:\windows\Tasks\At1337.job
c:\windows\Tasks\At1338.job
c:\windows\Tasks\At1339.job
c:\windows\Tasks\At134.job
c:\windows\Tasks\At1340.job
c:\windows\Tasks\At1341.job
c:\windows\Tasks\At1342.job
c:\windows\Tasks\At1343.job
c:\windows\Tasks\At1344.job
c:\windows\Tasks\At1345.job
c:\windows\Tasks\At1346.job
c:\windows\Tasks\At1347.job
c:\windows\Tasks\At1348.job
c:\windows\Tasks\At1349.job
c:\windows\Tasks\At1350.job
c:\windows\Tasks\At1351.job
c:\windows\Tasks\At1352.job
c:\windows\Tasks\At1353.job
c:\windows\Tasks\At1354.job
c:\windows\Tasks\At1355.job
c:\windows\Tasks\At1356.job
c:\windows\Tasks\At1357.job
c:\windows\Tasks\At1358.job
c:\windows\Tasks\At1359.job
c:\windows\Tasks\At136.job
c:\windows\Tasks\At1360.job
c:\windows\Tasks\At1361.job
c:\windows\Tasks\At1362.job
c:\windows\Tasks\At1363.job
c:\windows\Tasks\At1364.job
c:\windows\Tasks\At1365.job
c:\windows\Tasks\At1366.job
c:\windows\Tasks\At1367.job
c:\windows\Tasks\At1368.job
c:\windows\Tasks\At1369.job
c:\windows\Tasks\At137.job
c:\windows\Tasks\At1370.job
c:\windows\Tasks\At1371.job
c:\windows\Tasks\At1372.job
c:\windows\Tasks\At1373.job
c:\windows\Tasks\At1374.job
c:\windows\Tasks\At1375.job
c:\windows\Tasks\At1376.job
c:\windows\Tasks\At1377.job
c:\windows\Tasks\At1378.job
c:\windows\Tasks\At1379.job
c:\windows\Tasks\At1380.job
c:\windows\Tasks\At1381.job
c:\windows\Tasks\At1382.job
c:\windows\Tasks\At1383.job
c:\windows\Tasks\At1384.job
c:\windows\Tasks\At1385.job
c:\windows\Tasks\At1386.job
c:\windows\Tasks\At1387.job
c:\windows\Tasks\At1388.job
c:\windows\Tasks\At1389.job
c:\windows\Tasks\At139.job
c:\windows\Tasks\At1390.job
c:\windows\Tasks\At1391.job
c:\windows\Tasks\At1392.job
c:\windows\Tasks\At1393.job
c:\windows\Tasks\At1394.job
c:\windows\Tasks\At1395.job
c:\windows\Tasks\At1396.job
c:\windows\Tasks\At1397.job
c:\windows\Tasks\At1398.job
c:\windows\Tasks\At1399.job
c:\windows\Tasks\At140.job
c:\windows\Tasks\At1400.job
c:\windows\Tasks\At1401.job
c:\windows\Tasks\At1402.job
c:\windows\Tasks\At1403.job
c:\windows\Tasks\At1404.job
c:\windows\Tasks\At1405.job
c:\windows\Tasks\At1406.job
c:\windows\Tasks\At1407.job
c:\windows\Tasks\At1408.job
c:\windows\Tasks\At1409.job
c:\windows\Tasks\At1410.job
c:\windows\Temp\lsass.exe
c:\windows\TEMP\mdm .exe
c:\windows\TEMP\mdm .exe
c:\windows\TEMP\mdm .exe
c:\windows\Temp\mdm .exe
c:\windows\Temp\mdm .exe
c:\windows\TEMP\mdm .exe
c:\windows\TEMP\mdm .exe
c:\windows\TEMP\mdm .exe
c:\windows\Temp\mdm .exe
c:\windows\Temp\mdm .exe
c:\windows\TEMP\mdm .exe
c:\windows\TEMP\mdm .exe
c:\windows\TEMP\mdm .exe
c:\windows\TEMP\mdm .exe
c:\windows\TEMP\mdm .exe
c:\windows\TEMP\mdm .exe
c:\windows\TEMP\mdm .exe
c:\windows\TEMP\mdm .exe
c:\windows\TEMP\mdm .exe
c:\windows\TEMP\sysedit .exe
c:\windows\TEMP\sysedit .exe
c:\windows\TEMP\sysedit .exe
c:\windows\Temp\sysedit .exe
c:\windows\TEMP\sysedit .exe
c:\windows\Temp\sysedit .exe
c:\windows\Temp\sysedit .exe
c:\windows\Temp\sysedit .exe
c:\windows\Temp\sysedit .exe
c:\windows\Temp\sysedit .exe
c:\windows\Temp\sysedit .exe
c:\windows\TEMP\sysedit .exe
c:\windows\TEMP\sysedit .exe
c:\windows\Temp\user .exe
c:\windows\Temp\user .exe
c:\windows\TEMP\user .exe
c:\windows\TEMP\user .exe
c:\windows\TEMP\user .exe
c:\windows\Temp\user .exe
c:\windows\Temp\user .exe
c:\windows\TEMP\user .exe
c:\windows\Temp\user .exe
c:\windows\user .exe
c:\windows\user .exe
c:\windows\user .exe
c:\windows\user .exe
c:\windows\user .exe
c:\windows\user .exe
c:\windows\user .exe
c:\windows\user .exe
c:\windows\user.exe
c:\windows\win .exe
c:\windows\win .exe
c:\windows\win .exe
c:\windows\win .exe
c:\windows\win .exe
c:\windows\win .exe
c:\windows\win .exe
c:\windows\win .exe
c:\windows\win .exe
c:\windows\win .exe
c:\windows\win .exe
c:\windows\win .exe
c:\windows\win.exe
c:\windows\win16.exe
c:\windows\win32 .exe
c:\windows\win32 .exe
c:\windows\win32 .exe
c:\windows\win32 .exe
c:\windows\win32.exe
c:\windows\winamp .exe
c:\windows\winamp.exe
c:\windows\winlogon .exe
c:\windows\winlogon .exe
c:\windows\winlogon .exe
c:\windows\winlogon .exe
c:\windows\winlogon .exe
c:\windows\winlogon .exe
c:\windows\winlogon .exe
c:\windows\winlogon .exe
c:\windows\winlogon .exe
c:\windows\winlogon .exe
c:\windows\winlogon.exe
G:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_IAS
-------\Legacy_USERINIT
-------\Service_6to4
-------\Service_Ias
-------\Service_userinit
-------\Legacy_szserver
-------\Service_szserver


((((((((((((((((((((((((( Files Created from 2010-10-02 to 2010-11-02 )))))))))))))))))))))))))))))))
.

2010-11-02 04:13 . 2010-11-02 04:13 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-11-02 04:13 . 2010-11-02 04:13 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Logitech
2010-11-02 04:13 . 2010-11-02 04:13 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AT&T
2010-10-30 11:59 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-30 11:59 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-30 11:59 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-10-30 08:12 . 2010-10-30 08:12 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ATTYToolbar
2010-10-21 04:00 . 2010-10-21 04:00 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-10-19 04:28 . 2010-10-19 04:29 -------- d-----w- c:\program files\Cobian Backup 8
2010-10-19 03:54 . 2010-10-19 03:54 -------- d-sh--w- c:\documents and settings\Chad Gowens\IECompatCache
2010-10-18 18:00 . 2010-10-18 18:00 -------- d-sh--w- c:\documents and settings\NetworkService\IECompatCache
2010-10-15 14:53 . 2010-11-02 04:05 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-10-15 04:18 . 2010-10-15 04:18 -------- d-----w- C:\f101b6b0a747c29fc411
2010-10-13 18:59 . 2010-10-18 18:15 -------- d-----w- c:\program files\Trend Micro
2010-10-12 00:16 . 2010-10-12 00:16 -------- d-----w- C:\USMT.TMP
2010-10-11 23:26 . 2010-11-02 04:05 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-10-11 19:28 . 2010-10-11 19:28 -------- d--h--w- c:\windows\PIF
2010-10-11 19:21 . 2010-10-11 19:21 -------- d-----w- c:\documents and settings\Chad Gowens\Application Data\Malwarebytes
2010-10-11 19:20 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-11 19:20 . 2010-10-11 19:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-11 19:20 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-11 19:20 . 2010-10-16 14:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-10 14:24 . 2010-10-15 11:20 21636 ---ha-w- c:\windows\avp32 .exe
2010-10-10 14:14 . 2010-10-13 21:31 21636 ---ha-w- c:\windows\svchost .exe
2010-10-10 13:21 . 2010-10-10 14:15 94268 ---ha-w- c:\windows\system32\5wIih2.com
2010-10-10 12:54 . 2010-10-10 12:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-10-10 12:27 . 2010-10-10 12:27 -------- d-----w- c:\documents and settings\Chad Gowens\Application Data\SUPERAntiSpyware.com
2010-10-10 12:27 . 2010-10-10 12:27 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-10-10 11:56 . 2010-10-15 08:03 21636 ---ha-w- c:\windows\lsass .exe
2010-10-10 11:54 . 2010-10-12 01:17 21636 ---ha-w- c:\windows\install .exe
2010-10-09 20:47 . 2010-10-15 03:40 -------- d-----w- c:\documents and settings\Administrator
2010-10-09 19:49 . 2010-10-09 19:49 21636 ---ha-w- c:\windows\winlogon .exe
2010-10-09 19:34 . 2010-10-11 21:09 21636 ---ha-w- c:\windows\hexdump .exe
2010-10-09 19:34 . 2010-10-11 21:09 21636 ---ha-w- c:\windows\nvsvc32 .exe
2010-10-09 19:31 . 2010-10-11 22:30 21636 ---ha-w- c:\windows\smss .exe
2010-10-09 19:31 . 2010-10-10 11:56 21636 ---ha-w- c:\windows\debug .exe
2010-10-09 19:31 . 2010-10-17 14:06 21636 ---ha-w- c:\windows\user .exe
2010-10-09 19:31 . 2010-10-09 19:49 21636 ---ha-w- c:\windows\services .exe
2010-10-09 18:33 . 2010-10-09 18:33 21636 ---ha-w- c:\windows\system .exe
2010-10-09 18:33 . 2010-10-09 18:33 21636 ---ha-w- c:\windows\iexplarer .exe
2010-10-09 18:25 . 2010-10-09 18:25 21636 ---ha-w- c:\windows\cmd .exe
2010-10-09 18:25 . 2010-10-09 18:25 21636 ---ha-w- c:\windows\drweb .exe
2010-10-09 18:14 . 2010-10-09 18:14 21636 ---ha-w- c:\windows\wininst .exe
2010-10-09 14:57 . 2010-10-18 23:16 21636 ---ha-w- c:\windows\win32 .exe
2010-10-09 14:57 . 2010-10-09 14:57 21636 ---ha-w- c:\windows\setup .exe
2010-10-09 14:51 . 2010-10-09 14:51 21636 ---ha-w- c:\windows\mdm .exe
2010-10-09 13:44 . 2010-10-09 13:44 21636 ---ha-w- c:\windows\login .exe
2010-10-09 13:42 . 2010-10-09 13:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Mozilla
2010-10-09 09:43 . 2010-10-09 09:43 2256 ----a-w- c:\documents and settings\Chad Gowens\Application Data\444.bat
2010-10-09 09:43 . 2010-10-09 09:43 143 ----a-w- c:\documents and settings\Chad Gowens\Application Data\asdsada.bat
2010-10-09 09:36 . 2010-10-09 09:36 21636 ---ha-w- c:\windows\sysedit .exe
2010-10-09 09:33 . 2010-11-01 23:43 0 ----a-w- c:\windows\Smopas.bin
2010-10-09 09:27 . 2010-10-09 09:27 21636 ---ha-w- c:\windows\win .exe
2010-10-09 09:19 . 2010-10-09 09:19 21636 ---ha-w- c:\windows\taskmgr .exe
2010-10-09 09:19 . 2010-10-09 09:19 21636 ---ha-w- c:\windows\winamp .exe
2010-10-09 09:19 . 2010-11-02 04:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-10-09 09:14 . 2010-10-09 09:14 60004 ---ha-w- c:\windows\avp .exe
2010-10-09 09:14 . 2010-10-09 09:14 60004 ---ha-w- c:\windows\gdi32 .exe
2010-10-09 09:14 . 2010-10-09 09:14 60004 ---ha-w- c:\windows\spoolsv .exe
2010-10-09 09:14 . 2010-10-09 19:46 94224 ----a-w- c:\windows\win16 .exe
2010-10-09 09:14 . 2010-10-09 19:31 94216 ----a-w- c:\windows\win16 .exe
2010-10-09 09:14 . 2010-10-09 09:14 60004 ---ha-w- c:\windows\win16 .exe
2010-10-09 04:25 . 2010-10-09 04:25 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-10-09 04:25 . 2010-10-09 04:25 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2010-10-09 04:25 . 2010-10-09 04:25 -------- d-----w- c:\program files\McAfee Security Scan
2010-10-08 18:37 . 2010-10-08 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-10-08 18:37 . 2010-10-08 18:37 -------- d-----w- c:\program files\NOS
2010-10-08 18:34 . 2010-10-30 07:05 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2010-10-08 18:34 . 2010-10-30 07:05 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 17:23 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 10:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-04 10:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51 . 2004-08-04 10:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-08-04 10:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-08-04 10:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2004-08-04 10:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-15 21:30 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2004-08-04 10:00 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-08-04 10:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.
<pre>
c:\program files\ATT-SST\McciTrayApp .exe
c:\program files\Common Files\Adobe\Updater5\AdobeUpdater .exe
c:\program files\HP\HP Software Update\HPWuSchd .exe
c:\program files\HP\hpcoretech\hpcmpmgr .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Lexmark 5600-6600 Series\fm3032 .exe
c:\program files\Lexmark 5600-6600 Series\lxduamon .exe
c:\program files\Lexmark 5600-6600 Series\lxdumon .exe
c:\program files\Messenger\msmsgs .exe
c:\program files\Microsoft Security Essentials\msseces .exe
c:\program files\Microsoft Works\WkDetect .exe
c:\program files\QuickTime\QTTask .exe
c:\program files\Spybot - Search & Destroy\TeaTimer .exe
c:\windows\avp           .exe
c:\windows\avp32 .exe
c:\windows\cmd                    .exe
c:\windows\debug          .exe
c:\windows\drweb     .exe
c:\windows\gdi32    .exe
c:\windows\hexdump  .exe
c:\windows\iexplarer           .exe
c:\windows\install  .exe
c:\windows\KHALMNPR .exe
c:\windows\login            .exe
c:\windows\lsass   .exe
c:\windows\mdm  .exe
c:\windows\nvsvc32 .exe
c:\windows\services           .exe
c:\windows\setup          .exe
c:\windows\smss  .exe
c:\windows\spoolsv   .exe
c:\windows\svchost  .exe
c:\windows\sysedit           .exe
c:\windows\system    .exe
c:\windows\taskmgr .exe
c:\windows\user         .exe
c:\windows\win             .exe
c:\windows\win16   .exe
c:\windows\win16  .exe
c:\windows\win16 .exe
c:\windows\win32     .exe
c:\windows\winamp  .exe
c:\windows\wininst .exe
c:\windows\winlogon            .exe
c:\windows\system32\rundll32 .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [N/A]
"HomeAlarm"="c:\program files\Chameleon Clock\ChamClock .exe" [N/A]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [N/A]
"MKeuf"="c:\windows\spoolsv.exe" [N/A]
"MKZe"="c:\windows\avp.exe" [N/A]
"MKfPc"="c:\windows\win32.exe" [N/A]
"Nxavupalirik"="c:\windows\Prpurot.dll" [N/A]
"MKbMc"="c:\windows\gdi32.exe" [N/A]
"uPc+MV0NpvQaXms"="c:\windows\system32\cnzwnse8gs.dll" [N/A]
"MKerb"="c:\windows\taskmgr.exe" [N/A]
"MKfpe"="c:\windows\winamp.exe" [N/A]
"MKfa"="c:\windows\win.exe" [N/A]
"MKetc"="c:\windows\sysedit.exe" [N/A]
"{5A6CDB6F-D96F-B04E-E7C3-2383AF64D583}"="c:\documents and settings\Chad Gowens\Application Data\Nuxa\ipsuz.exe" [N/A]
"MKcrc"="c:\windows\login.exe" [N/A]
"MKfPK"="c:\windows\win32 .exe" [N/A]
"MKfpI"="c:\windows\winamp .exe" [N/A]
"MKeuN"="c:\windows\spoolsv .exe" [N/A]
"MKcrK"="c:\windows\login .exe" [N/A]
"MKfJ"="c:\windows\win .exe" [N/A]
"MKetK"="c:\windows\sysedit .exe" [N/A]
"MKbMK"="c:\windows\gdi32 .exe" [N/A]
"MKZN"="c:\windows\avp .exe" [N/A]
"MKcZ"="c:\windows\mdm.exe" [N/A]
"MKevc"="c:\windows\setup.exe" [N/A]
"MKayc"="c:\windows\csrss.exe" [N/A]
"MKfre"="c:\windows\wininst.exe" [N/A]
"MKasc"="c:\windows\drweb.exe" [N/A]
"MKaZ"="c:\windows\cmd.exe" [N/A]
"MKbuqc"="c:\windows\iexplarer.exe" [N/A]
"MKexe"="c:\windows\system.exe" [N/A]
"MKexI"="c:\windows\system .exe" [N/A]
"MKaH"="c:\windows\cmd .exe" [N/A]
"MKfFc"="c:\windows\win .exe" [N/A]
"MKbM0"="c:\windows\gdi32 .exe" [N/A]
"MKevK"="c:\windows\setup .exe" [N/A]
"MKetHc"="c:\windows\sysedit .exe" [N/A]
"MKcH"="c:\windows\mdm .exe" [N/A]
"MKcr0"="c:\windows\login .exe" [N/A]
"MKZJc"="c:\windows\avp .exe" [N/A]
"MKfP0"="c:\windows\win32 .exe" [N/A]
"MKeuKc"="c:\windows\spoolsv .exe" [N/A]
"MKayK"="c:\windows\csrss .exe" [N/A]
"MKasK"="c:\windows\drweb .exe" [N/A]
"MKex2"="c:\windows\system .exe" [N/A]
"MKbuqK"="c:\windows\iexplarer .exe" [N/A]
"MKbMj"="c:\windows\gdi32 .exe" [N/A]
"MKfFK"="c:\windows\win .exe" [N/A]
"MKaEc"="c:\windows\cmd .exe" [N/A]
"MKeta"="c:\windows\services.exe" [N/A]
"MKfsc"="c:\windows\winlogon.exe" [N/A]
"MKexzc"="c:\windows\system .exe" [N/A]
"MKfsZc"="c:\windows\winlogon .exe" [N/A]
"MKetWc"="c:\windows\services .exe" [N/A]
"MKZJK"="c:\windows\avp .exe" [N/A]
"MKfsZK"="c:\windows\winlogon .exe" [N/A]
"MKfsZ0"="c:\windows\winlogon .exe" [N/A]
"MKfsZj"="c:\windows\winlogon .exe" [N/A]
"MKfF0"="c:\windows\win .exe" [N/A]
"MKetW0"="c:\windows\services .exe" [N/A]
"MKasj"="c:\windows\drweb .exe" [N/A]
"MKfFgc"="c:\windows\win .exe" [N/A]
"MKbuqj"="c:\windows\iexplarer .exe" [N/A]
"MKevj"="c:\windows\setup .exe" [N/A]
"MKcrgc"="c:\windows\login .exe" [N/A]
"MKZJj"="c:\windows\avp .exe" [N/A]
"MKetH0"="c:\windows\sysedit .exe" [N/A]
"MKaE0"="c:\windows\cmd .exe" [N/A]
"MKetWj"="c:\windows\services .exe" [N/A]
"MKasgc"="c:\windows\drweb .exe" [N/A]
"MKevgc"="c:\windows\setup .exe" [N/A]
"MKfFgK"="c:\windows\win .exe" [N/A]
"MKbuqgc"="c:\windows\iexplarer .exe" [N/A]
"MKfsZgK"="c:\windows\winlogon .exe" [N/A]
"MKetHj"="c:\windows\sysedit .exe" [N/A]
"MKfsZg0"="c:\windows\winlogon .exe" [N/A]
"MKZJgc"="c:\windows\avp .exe" [N/A]
"MKcrgK"="c:\windows\login .exe" [N/A]
"MKaEj"="c:\windows\cmd .exe" [N/A]
"MKetWgc"="c:\windows\services .exe" [N/A]
"MKetHgc"="c:\windows\sysedit .exe" [N/A]
"MKfsZgj"="c:\windows\winlogon .exe" [N/A]
"MKaoc"="c:\windows\debug.exe" [N/A]
"MKetHgK"="c:\windows\sysedit .exe" [N/A]
"MKfsZggc"="c:\windows\winlogon .exe" [N/A]
"MKaoK"="c:\windows\debug .exe" [N/A]
"MKcrg0"="c:\windows\login .exe" [N/A]
"MKetHg0"="c:\windows\sysedit .exe" [N/A]
"MKfsZgg0"="c:\windows\winlogon .exe" [N/A]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [N/A]
"MKcrgj"="c:\windows\login .exe" [N/A]
"MKcrggc"="c:\windows\login .exe" [N/A]
"MKaoj"="c:\windows\debug .exe" [N/A]
"MKetHggc"="c:\windows\sysedit .exe" [N/A]
"MKcrggK"="c:\windows\login .exe" [N/A]
"MKcrgg0"="c:\windows\login .exe" [N/A]
"HNUEROXRnsc\CHADGO~1\LOCALS~1\Temp\drweb.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\drweb.exe" [N/A]
"HNUEROXRruf\CHADGO~1\LOCALS~1\Temp\spoolsv.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\spoolsv.exe" [N/A]
"MKbuqgK"="c:\windows\iexplarer .exe" [N/A]
"MKaog0"="c:\windows\debug .exe" [N/A]
"MKdw+"="c:\windows\nvsvc32.exe" [N/A]
"MKbtc"="c:\windows\hexdump.exe" [N/A]
"MKaEg0"="c:\windows\cmd .exe" [N/A]
"MKfFg0"="c:\windows\win .exe" [N/A]
"MKetWgj"="c:\windows\services .exe" [N/A]
"MKbuqgg0"="c:\windows\iexplarer .exe" [N/A]
"MKbta"="c:\windows\install.exe" [N/A]
"MKbtK"="c:\windows\hexdump .exe" [N/A]
"MKaoggc"="c:\windows\debug .exe" [N/A]
"MKfFggc"="c:\windows\win .exe" [N/A]
"MKaoggK"="c:\windows\debug .exe" [N/A]
"MKaEggc"="c:\windows\cmd .exe" [N/A]
"MKfFggK"="c:\windows\win .exe" [N/A]
"MKaEggK"="c:\windows\cmd .exe" [N/A]
"MKese"="c:\windows\svchost.exe" [N/A]
"MKesN"="c:\windows\svchost .exe" [N/A]
"MKcuc"="c:\windows\lsass.exe" [N/A]
"MKcuK"="c:\windows\lsass .exe" [N/A]
"MKcu0"="c:\windows\lsass .exe" [N/A]
"HNUEROXRaz2QCHADGO~1\LOCALS~1\Temp\2067137778.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\2067137778.exe" [N/A]
"MKeg"="c:\windows\smss.exe" [N/A]
"MKZSc"="c:\windows\avp32.exe" [N/A]
"HNUEROXRbyycCHADGO~1\LOCALS~1\Temp\315034142.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\315034142.exe" [N/A]
"HNUEROXRaz26CHADGO~1\LOCALS~1\Temp\2067137778 .exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\2067137778 .exe" [N/A]
"MKee"="c:\windows\user.exe" [N/A]
"MKeac"="c:\windows\user .exe" [N/A]
"MKeaK"="c:\windows\user .exe" [N/A]
"MKea0"="c:\windows\user .exe" [N/A]
"MKeaj"="c:\windows\user .exe" [N/A]
"MKeagc"="c:\windows\user .exe" [N/A]
"MKeagK"="c:\windows\user .exe" [N/A]
"MKeag0"="c:\windows\user .exe" [N/A]
"MKeagj"="c:\windows\user .exe" [N/A]
"HNUEROXRbyyKCHADGO~1\LOCALS~1\Temp\315034142 .exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\315034142 .exe" [N/A]
"MKfPj"="c:\windows\win32 .exe" [N/A]
"MKfPgc"="c:\windows\win32 .exe" [N/A]
"HNUEROXRa0zQCHADGO~1\LOCALS~1\Temp\2814338205.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\2814338205.exe" [N/A]
"HNUEROXRbz0PCHADGO~1\LOCALS~1\Temp\3417143844.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\3417143844.exe" [N/A]
"HNUEROXRa00QCHADGO~1\LOCALS~1\Temp\1287008906.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\1287008906.exe" [N/A]
"HNUEROXRay0QCHADGO~1\LOCALS~1\Temp\1090031766.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\1090031766.exe" [N/A]
"HNUEROXRb03PCHADGO~1\LOCALS~1\Temp\3608287582.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\3608287582.exe" [N/A]
"HNUEROXRa0zQCHADGO~1\LOCALS~1\Temp\2962241076.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\2962241076.exe" [N/A]
"HNUEROXRa20QCHADGO~1\LOCALS~1\Temp\1186950386.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\1186950386.exe" [N/A]
"HNUEROXRazzPCHADGO~1\LOCALS~1\Temp\1515220742.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\1515220742.exe" [N/A]
"HNUEROXRb0zPCHADGO~1\LOCALS~1\Temp\3380555052.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\3380555052.exe" [N/A]
"HNUEROXRay06CHADGO~1\LOCALS~1\Temp\1090031766 .exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\1090031766 .exe" [N/A]
"HNUEROXRb01QCHADGO~1\LOCALS~1\Temp\3681169158.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\3681169158.exe" [N/A]
"HNUEROXRa01PCHADGO~1\LOCALS~1\Temp\1252786172.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\1252786172.exe" [N/A]
"HNUEROXRay0QCHADGO~1\LOCALS~1\Temp\1604025278.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\1604025278.exe" [N/A]
"HNUEROXRa00PCHADGO~1\LOCALS~1\Temp\1036870482.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\1036870482.exe" [N/A]
"HNUEROXRbz1QCHADGO~1\LOCALS~1\Temp\3516078338.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\3516078338.exe" [N/A]
"HNUEROXRc3zcCHADGO~1\LOCALS~1\Temp\979581246.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\979581246.exe" [N/A]
"HNUEROXRa00PCHADGO~1\LOCALS~1\Temp\1338476602.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\1338476602.exe" [N/A]
"HNUEROXRbyzPCHADGO~1\LOCALS~1\Temp\3520373412.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\3520373412.exe" [N/A]
"HNUEROXRa02OCHADGO~1\LOCALS~1\Temp\1614657570.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\1614657570.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2000-08-08 311350]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [N/A]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [N/A]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [N/A]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [N/A]
"lxdumon.exe"="c:\program files\Lexmark 5600-6600 Series\lxdumon.exe" [N/A]
"lxduamon"="c:\program files\Lexmark 5600-6600 Series\lxduamon.exe" [N/A]
"Lexmark 5600-6600 Series Fax Server"="c:\program files\Lexmark 5600-6600 Series\fm3032.exe" [N/A]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [N/A]
"ISW.exe"="c:\program files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 2061816]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [N/A]
"MKfPc"="c:\windows\win32.exe" [N/A]
"MKbMc"="c:\windows\gdi32.exe" [N/A]
"uPc+MV0NpvQaXms"="c:\windows\system32\cnzwnse8gs.dll" [N/A]
"MKerb"="c:\windows\taskmgr.exe" [N/A]
"MKfpe"="c:\windows\winamp.exe" [N/A]
"MKfa"="c:\windows\win.exe" [N/A]
"Gpafowohow"="c:\windows\isimoheyevalan.dll" [N/A]
"MKetc"="c:\windows\sysedit.exe" [N/A]
"MKcrc"="c:\windows\login.exe" [N/A]
"MKfPK"="c:\windows\win32 .exe" [N/A]
"MKfpI"="c:\windows\winamp .exe" [N/A]
"MKeuN"="c:\windows\spoolsv .exe" [N/A]
"MKcrK"="c:\windows\login .exe" [N/A]
"MKfJ"="c:\windows\win .exe" [N/A]
"MKetK"="c:\windows\sysedit .exe" [N/A]
"MKbMK"="c:\windows\gdi32 .exe" [N/A]
"MKZN"="c:\windows\avp .exe" [N/A]
"MKcZ"="c:\windows\mdm.exe" [N/A]
"MKevc"="c:\windows\setup.exe" [N/A]
"MKeuf"="c:\windows\spoolsv.exe" [N/A]
"MKayc"="c:\windows\csrss.exe" [N/A]
"MKfre"="c:\windows\wininst.exe" [N/A]
"MKasc"="c:\windows\drweb.exe" [N/A]
"MKaZ"="c:\windows\cmd.exe" [N/A]
"MKbuqc"="c:\windows\iexplarer.exe" [N/A]
"MKexe"="c:\windows\system.exe" [N/A]
"MKZe"="c:\windows\avp.exe" [N/A]
"MKexI"="c:\windows\system .exe" [N/A]
"MKaH"="c:\windows\cmd .exe" [N/A]
"MKfFc"="c:\windows\win .exe" [N/A]
"MKbM0"="c:\windows\gdi32 .exe" [N/A]
"MKevK"="c:\windows\setup .exe" [N/A]
"MKcH"="c:\windows\mdm .exe" [N/A]
"MKetHc"="c:\windows\sysedit .exe" [N/A]
"MKcr0"="c:\windows\login .exe" [N/A]
"MKZJc"="c:\windows\avp .exe" [N/A]
"MKfP0"="c:\windows\win32 .exe" [N/A]
"MKeuKc"="c:\windows\spoolsv .exe" [N/A]
"MKayK"="c:\windows\csrss .exe" [N/A]
"MKasK"="c:\windows\drweb .exe" [N/A]
"MKex2"="c:\windows\system .exe" [N/A]
"MKbuqK"="c:\windows\iexplarer .exe" [N/A]
"MKbMj"="c:\windows\gdi32 .exe" [N/A]
"MKfFK"="c:\windows\win .exe" [N/A]
"MKaEc"="c:\windows\cmd .exe" [N/A]
"MKeta"="c:\windows\services.exe" [N/A]
"MKfsc"="c:\windows\winlogon.exe" [N/A]
"MKexzc"="c:\windows\system .exe" [N/A]
"MKfsZc"="c:\windows\winlogon .exe" [N/A]
"MKetWc"="c:\windows\services .exe" [N/A]
"MKZJK"="c:\windows\avp .exe" [N/A]
"MKfsZK"="c:\windows\winlogon .exe" [N/A]
"MKfsZ0"="c:\windows\winlogon .exe" [N/A]
"MKfsZj"="c:\windows\winlogon .exe" [N/A]
"MKetW0"="c:\windows\services .exe" [N/A]
"MKasj"="c:\windows\drweb .exe" [N/A]
"MKfFgc"="c:\windows\win .exe" [N/A]
"MKbuqj"="c:\windows\iexplarer .exe" [N/A]
"MKevj"="c:\windows\setup .exe" [N/A]
"MKZJj"="c:\windows\avp .exe" [N/A]
"MKcrgc"="c:\windows\login .exe" [N/A]
"MKetH0"="c:\windows\sysedit .exe" [N/A]
"MKaE0"="c:\windows\cmd .exe" [N/A]
"MKetWj"="c:\windows\services .exe" [N/A]
"MKasgc"="c:\windows\drweb .exe" [N/A]
"MKevgc"="c:\windows\setup .exe" [N/A]
"MKfFgK"="c:\windows\win .exe" [N/A]
"MKbuqgc"="c:\windows\iexplarer .exe" [N/A]
"MKfsZgK"="c:\windows\winlogon .exe" [N/A]
"MKetHj"="c:\windows\sysedit .exe" [N/A]
"MKfsZg0"="c:\windows\winlogon .exe" [N/A]
"MKZJgc"="c:\windows\avp .exe" [N/A]
"MKcrgK"="c:\windows\login .exe" [N/A]
"MKaEj"="c:\windows\cmd .exe" [N/A]
"MKetWgc"="c:\windows\services .exe" [N/A]
"MKetHgc"="c:\windows\sysedit .exe" [N/A]
"MKfsZgj"="c:\windows\winlogon .exe" [N/A]
"MKaoc"="c:\windows\debug.exe" [N/A]
"MKetHgK"="c:\windows\sysedit .exe" [N/A]
"MKfsZggc"="c:\windows\winlogon .exe" [N/A]
"MKaoK"="c:\windows\debug .exe" [N/A]
"MKao0"="c:\windows\debug .exe" [N/A]
"MKfsZggK"="c:\windows\winlogon .exe" [N/A]
"MKcrg0"="c:\windows\login .exe" [N/A]
"MKetHg0"="c:\windows\sysedit .exe" [N/A]
"MKfsZgg0"="c:\windows\winlogon .exe" [N/A]
"MKetHgj"="c:\windows\sysedit .exe" [N/A]
"MKcrgj"="c:\windows\login .exe" [N/A]
"MKcrggc"="c:\windows\login .exe" [N/A]
"MKaoj"="c:\windows\debug .exe" [N/A]
"MKetHggc"="c:\windows\sysedit .exe" [N/A]
"MKcrggK"="c:\windows\login .exe" [N/A]
"MKcrgg0"="c:\windows\login .exe" [N/A]
"MKcrggj"="c:\windows\login .exe" [N/A]
"HNUEROXRnsc\CHADGO~1\LOCALS~1\Temp\drweb.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\drweb.exe" [N/A]
"HNUEROXRruf\CHADGO~1\LOCALS~1\Temp\spoolsv.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\spoolsv.exe" [N/A]
"MKbuqgK"="c:\windows\iexplarer .exe" [N/A]
"MKbuqg0"="c:\windows\iexplarer .exe" [N/A]
"MKbuqgj"="c:\windows\iexplarer .exe" [N/A]
"MKbuqggc"="c:\windows\iexplarer .exe" [N/A]
"MKbuqggK"="c:\windows\iexplarer .exe" [N/A]
"MKaog0"="c:\windows\debug .exe" [N/A]
"MKdw+"="c:\windows\nvsvc32.exe" [N/A]
"MKbtc"="c:\windows\hexdump.exe" [N/A]
"MKaEg0"="c:\windows\cmd .exe" [N/A]
"MKfFg0"="c:\windows\win .exe" [N/A]
"MKetWgj"="c:\windows\services .exe" [N/A]
"MKbuqgg0"="c:\windows\iexplarer .exe" [N/A]
"MKbta"="c:\windows\install.exe" [N/A]
"MKbtK"="c:\windows\hexdump .exe" [N/A]
"MKaoggc"="c:\windows\debug .exe" [N/A]
"MKfFggc"="c:\windows\win .exe" [N/A]
"MKaoggK"="c:\windows\debug .exe" [N/A]
"MKaEggc"="c:\windows\cmd .exe" [N/A]
"MKfFggK"="c:\windows\win .exe" [N/A]
"MKaEggK"="c:\windows\cmd .exe" [N/A]
"MKaEgg0"="c:\windows\cmd .exe" [N/A]
"MKfFgg0"="c:\windows\win .exe" [N/A]
"MKaEggj"="c:\windows\cmd .exe" [N/A]
"MKaEgggc"="c:\windows\cmd .exe" [N/A]
"MKaEgggK"="c:\windows\cmd .exe" [N/A]
"MKaEggg0"="c:\windows\cmd .exe" [N/A]
"MKaEgggj"="c:\windows\cmd .exe" [N/A]
"MKese"="c:\windows\svchost.exe" [N/A]
"MKesN"="c:\windows\svchost .exe" [N/A]
"MKaEggggc"="c:\windows\cmd .exe" [N/A]
"MKaEggggK"="c:\windows\cmd .exe" [N/A]
"MKcuc"="c:\windows\lsass.exe" [N/A]
"MKcuK"="c:\windows\lsass .exe" [N/A]
"MKcu0"="c:\windows\lsass .exe" [N/A]
"HNUEROXRaz2QCHADGO~1\LOCALS~1\Temp\2067137778.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\2067137778.exe" [N/A]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [N/A]
"MKeg"="c:\windows\smss.exe" [N/A]
"MKZSc"="c:\windows\avp32.exe" [N/A]
"HNUEROXRbyycCHADGO~1\LOCALS~1\Temp\315034142.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\315034142.exe" [N/A]
"HNUEROXRaz26CHADGO~1\LOCALS~1\Temp\2067137778 .exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\2067137778 .exe" [N/A]
"MKee"="c:\windows\user.exe" [N/A]
"MKeac"="c:\windows\user .exe" [N/A]
"MKeaK"="c:\windows\user .exe" [N/A]
"MKea0"="c:\windows\user .exe" [N/A]
"MKeaj"="c:\windows\user .exe" [N/A]
"MKeagc"="c:\windows\user .exe" [N/A]
"MKeagK"="c:\windows\user .exe" [N/A]
"MKeag0"="c:\windows\user .exe" [N/A]
"MKeagj"="c:\windows\user .exe" [N/A]
"HNUEROXRbyyKCHADGO~1\LOCALS~1\Temp\315034142 .exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\315034142 .exe" [N/A]
"MKfPj"="c:\windows\win32 .exe" [N/A]
"MKfPgc"="c:\windows\win32 .exe" [N/A]
"HNUEROXRa0zQCHADGO~1\LOCALS~1\Temp\2814338205.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\2814338205.exe" [N/A]
"HNUEROXRbz0PCHADGO~1\LOCALS~1\Temp\3417143844.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\3417143844.exe" [N/A]
"HNUEROXRa00QCHADGO~1\LOCALS~1\Temp\1287008906.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\1287008906.exe" [N/A]
"HNUEROXRay0QCHADGO~1\LOCALS~1\Temp\1090031766.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\1090031766.exe" [N/A]
"HNUEROXRb03PCHADGO~1\LOCALS~1\Temp\3608287582.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\3608287582.exe" [N/A]
"HNUEROXRa0zQCHADGO~1\LOCALS~1\Temp\2962241076.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\2962241076.exe" [N/A]
"HNUEROXRa20QCHADGO~1\LOCALS~1\Temp\1186950386.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\1186950386.exe" [N/A]
"HNUEROXRazzPCHADGO~1\LOCALS~1\Temp\1515220742.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\1515220742.exe" [N/A]
"HNUEROXRb0zPCHADGO~1\LOCALS~1\Temp\3380555052.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\3380555052.exe" [N/A]
"HNUEROXRay06CHADGO~1\LOCALS~1\Temp\1090031766 .exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\1090031766 .exe" [N/A]
"HNUEROXRb01QCHADGO~1\LOCALS~1\Temp\3681169158.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\3681169158.exe" [N/A]
"HNUEROXRa01PCHADGO~1\LOCALS~1\Temp\1252786172.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\1252786172.exe" [N/A]
"HNUEROXRay0QCHADGO~1\LOCALS~1\Temp\1604025278.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\1604025278.exe" [N/A]
"HNUEROXRa00PCHADGO~1\LOCALS~1\Temp\1036870482.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\1036870482.exe" [N/A]
"HNUEROXRbz1QCHADGO~1\LOCALS~1\Temp\3516078338.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\3516078338.exe" [N/A]
"HNUEROXRc3zcCHADGO~1\LOCALS~1\Temp\979581246.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\979581246.exe" [N/A]
"HNUEROXRa00PCHADGO~1\LOCALS~1\Temp\1338476602.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\1338476602.exe" [N/A]
"HNUEROXRbyzPCHADGO~1\LOCALS~1\Temp\3520373412.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\3520373412.exe" [N/A]
"HNUEROXRa02OCHADGO~1\LOCALS~1\Temp\1614657570.exe"="c:\docume~1\CHADGO~1\LOCALS~1\Temp\1614657570.exe" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MKao0"="c:\windows\debug .exe" [N/A]
"MKfsZggK"="c:\windows\winlogon .exe" [N/A]
"MKetHgj"="c:\windows\sysedit .exe" [N/A]
"uPc+MV0NpvQaXms"="c:\windows\system32\cnzwnse8gs.dll" [N/A]
"MKerb"="c:\windows\taskmgr.exe" [N/A]
"MKexe"="c:\windows\system.exe" [N/A]
"MKeuf"="c:\windows\spoolsv.exe" [N/A]
"MKayc"="c:\windows\csrss.exe" [N/A]
"MKfPc"="c:\windows\win16.exe" [N/A]
"MKcZ"="c:\windows\mdm.exe" [N/A]
"MKfpe"="c:\windows\winamp.exe" [N/A]
"MKasc"="c:\windows\drweb.exe" [N/A]
"MKfsc"="c:\windows\winlogon.exe" [N/A]
"MKcrgg0"="c:\windows\login .exe" [N/A]
"MKcrggj"="c:\windows\login .exe" [N/A]
"MKbuqg0"="c:\windows\iexplarer .exe" [N/A]
"MKbuqgj"="c:\windows\iexplarer .exe" [N/A]
"MKbuqggc"="c:\windows\iexplarer .exe" [N/A]
"MKbuqggK"="c:\windows\iexplarer .exe" [N/A]
"MKaEgg0"="c:\windows\cmd .exe" [N/A]
"MKfFgg0"="c:\windows\win .exe" [N/A]
"MKaEggj"="c:\windows\cmd .exe" [N/A]
"MKaEgggc"="c:\windows\cmd .exe" [N/A]
"MKaEgggK"="c:\windows\cmd .exe" [N/A]
"MKaEggg0"="c:\windows\cmd .exe" [N/A]
"MKaEgggj"="c:\windows\cmd .exe" [N/A]
"MKaEggggK"="c:\windows\cmd .exe" [N/A]
"MKfPK"="c:\windows\win32 .exe" [N/A]
"MKfre"="c:\windows\wininst.exe" [N/A]
"MKbtc"="c:\windows\hexdump.exe" [N/A]
"MKevc"="c:\windows\setup.exe" [N/A]
"MKfa"="c:\windows\win.exe" [N/A]
"MKbMc"="c:\windows\gdi32.exe" [N/A]
"MKetc"="c:\windows\sysedit.exe" [N/A]
"MKeta"="c:\windows\services.exe" [N/A]
"MKbuqc"="c:\windows\iexplarer.exe" [N/A]
"MKcrc"="c:\windows\login.exe" [N/A]
"MKbM0"="c:\windows\gdi32 .exe" [N/A]
"MKaoc"="c:\windows\debug.exe" [N/A]
"MKZSc"="c:\windows\avp32.exe" [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-12-18 784912]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-8-8 65588]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-8-8 24633]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2007-11-15 16:10 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxducoms.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 szkg5;szkg;c:\windows\system32\drivers\SZKG.sys [12/12/2007 1:28 PM 30208]
S0 gjgvirvd;gjgvirvd; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/5/2010 9:35 PM 135664]
S2 HWiNFO32;HWiNFO32 Kernel Driver;c:\program files\HWiNFO32\HWiNFO32.SYS [12/22/2007 9:59 AM 8192]
S2 lxdu_device;lxdu_device;c:\windows\system32\lxducoms.exe -service --> c:\windows\system32\lxducoms.exe -service [?]
S2 lxduCATSCustConnectService;lxduCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxduserv.exe [1/15/2009 12:44 AM 98984]
S3 BFAIFILT;BFAIFILT;c:\windows\system32\drivers\BFAIFILT.SYS [1/8/2009 5:48 PM 3264]
S3 DFBCFDBA;DFBCFDBA; [x]
S3 U2KG54;BUFFALO WLI-U2-KG54 Wireless LAN Adapter Service;c:\windows\system32\drivers\U2KG54.SYS [1/8/2009 5:48 PM 245376]
S3 vbma93e3;Virtual Bus for Microsoft ACPI-Compliant System; [x]
S4 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]
S4 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 5:00 AM 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-10-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:34]

2010-11-01 c:\windows\Tasks\At102.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At105.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At108.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At111.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At114.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-10-31 c:\windows\Tasks\At117.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-10-31 c:\windows\Tasks\At120.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-10-31 c:\windows\Tasks\At123.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At126.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-10-31 c:\windows\Tasks\At129.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At132.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At135.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-02 c:\windows\Tasks\At138.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-02 c:\windows\Tasks\At141.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-02 c:\windows\Tasks\At142.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-02 c:\windows\Tasks\At143.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-02 c:\windows\Tasks\At144.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At313.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At314.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At315.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At316.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At317.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At318.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At319.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At320.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At321.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At322.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At323.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At324.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-10-31 c:\windows\Tasks\At325.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-10-31 c:\windows\Tasks\At326.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-10-31 c:\windows\Tasks\At327.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At328.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-10-31 c:\windows\Tasks\At329.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At330.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At331.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-02 c:\windows\Tasks\At332.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-02 c:\windows\Tasks\At333.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-02 c:\windows\Tasks\At334.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-02 c:\windows\Tasks\At335.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-02 c:\windows\Tasks\At336.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At361.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At362.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At363.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At364.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At365.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At366.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At367.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At368.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At369.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At370.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At371.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At372.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-10-31 c:\windows\Tasks\At373.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-10-31 c:\windows\Tasks\At374.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-10-31 c:\windows\Tasks\At375.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At376.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-10-31 c:\windows\Tasks\At377.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At378.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At379.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-02 c:\windows\Tasks\At380.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-02 c:\windows\Tasks\At381.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-02 c:\windows\Tasks\At382.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-02 c:\windows\Tasks\At383.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-02 c:\windows\Tasks\At384.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At385.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At386.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At387.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At388.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At389.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At390.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At391.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At392.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At393.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At394.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At395.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At396.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-10-31 c:\windows\Tasks\At397.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-10-31 c:\windows\Tasks\At398.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-10-31 c:\windows\Tasks\At399.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At400.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-10-31 c:\windows\Tasks\At401.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At402.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At403.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-02 c:\windows\Tasks\At404.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-02 c:\windows\Tasks\At405.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-02 c:\windows\Tasks\At406.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-02 c:\windows\Tasks\At407.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-02 c:\windows\Tasks\At408.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At409.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At410.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At411.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At412.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At413.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At414.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At415.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At416.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At417.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At418.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At419.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At420.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-10-31 c:\windows\Tasks\At421.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-10-31 c:\windows\Tasks\At422.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-10-31 c:\windows\Tasks\At423.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At424.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-10-31 c:\windows\Tasks\At425.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At426.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At427.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-02 c:\windows\Tasks\At428.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-02 c:\windows\Tasks\At429.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-02 c:\windows\Tasks\At430.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-02 c:\windows\Tasks\At431.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-02 c:\windows\Tasks\At432.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At667.job
- c:\documents and settings\LocalService\Local Settings\Application Data\5wIih2.exe [2010-10-16 12:19]

2010-11-01 c:\windows\Tasks\At668.job
- c:\documents and settings\LocalService\Local Settings\Application Data\5wIih2.exe [2010-10-16 12:19]

2010-11-01 c:\windows\Tasks\At669.job
- c:\documents and settings\LocalService\Local Settings\Application Data\5wIih2.exe [2010-10-16 12:19]

2010-11-01 c:\windows\Tasks\At670.job
- c:\documents and settings\LocalService\Local Settings\Application Data\5wIih2.exe [2010-10-16 12:19]

2010-11-01 c:\windows\Tasks\At671.job
- c:\documents and settings\LocalService\Local Settings\Application Data\5wIih2.exe [2010-10-16 12:19]

2010-11-01 c:\windows\Tasks\At672.job
- c:\documents and settings\LocalService\Local Settings\Application Data\5wIih2.exe [2010-10-16 12:19]

2010-11-01 c:\windows\Tasks\At673.job
- c:\documents and settings\LocalService\Local Settings\Application Data\5wIih2.exe [2010-10-16 12:19]

2010-11-01 c:\windows\Tasks\At674.job
- c:\documents and settings\LocalService\Local Settings\Application Data\5wIih2.exe [2010-10-16 12:19]

2010-11-01 c:\windows\Tasks\At675.job
- c:\documents and settings\LocalService\Local Settings\Application Data\5wIih2.exe [2010-10-16 12:19]

2010-11-01 c:\windows\Tasks\At676.job
- c:\documents and settings\LocalService\Local Settings\Application Data\5wIih2.exe [2010-10-16 12:19]

2010-11-01 c:\windows\Tasks\At677.job
- c:\documents and settings\LocalService\Local Settings\Application Data\5wIih2.exe [2010-10-16 12:19]

2010-11-01 c:\windows\Tasks\At678.job
- c:\documents and settings\LocalService\Local Settings\Application Data\5wIih2.exe [2010-10-16 12:19]

2010-10-31 c:\windows\Tasks\At679.job
- c:\documents and settings\LocalService\Local Settings\Application Data\5wIih2.exe [2010-10-16 12:19]

2010-10-31 c:\windows\Tasks\At680.job
- c:\documents and settings\LocalService\Local Settings\Application Data\5wIih2.exe [2010-10-16 12:19]

2010-10-31 c:\windows\Tasks\At681.job
- c:\documents and settings\LocalService\Local Settings\Application Data\5wIih2.exe [2010-10-16 12:19]

2010-11-01 c:\windows\Tasks\At682.job
- c:\documents and settings\LocalService\Local Settings\Application Data\5wIih2.exe [2010-10-16 12:19]

2010-10-31 c:\windows\Tasks\At683.job
- c:\documents and settings\LocalService\Local Settings\Application Data\5wIih2.exe [2010-10-16 12:19]

2010-11-01 c:\windows\Tasks\At684.job
- c:\documents and settings\LocalService\Local Settings\Application Data\5wIih2.exe [2010-10-16 12:19]

2010-11-01 c:\windows\Tasks\At685.job
- c:\documents and settings\LocalService\Local Settings\Application Data\5wIih2.exe [2010-10-16 12:19]

2010-11-02 c:\windows\Tasks\At686.job
- c:\documents and settings\LocalService\Local Settings\Application Data\5wIih2.exe [2010-10-16 12:19]

2010-11-02 c:\windows\Tasks\At687.job
- c:\documents and settings\LocalService\Local Settings\Application Data\5wIih2.exe [2010-10-16 12:19]

2010-11-02 c:\windows\Tasks\At688.job
- c:\documents and settings\LocalService\Local Settings\Application Data\5wIih2.exe [2010-10-16 12:19]

2010-11-02 c:\windows\Tasks\At689.job
- c:\documents and settings\LocalService\Local Settings\Application Data\5wIih2.exe [2010-10-16 12:19]

2010-11-02 c:\windows\Tasks\At690.job
- c:\documents and settings\LocalService\Local Settings\Application Data\5wIih2.exe [2010-10-16 12:19]

2010-11-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-22 21:18]

2010-11-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 02:35]

2010-11-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 02:35]

2010-10-31 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 02:40]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: &Define - c:\program files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
IE: Look Up in &Encyclopedia - c:\program files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
LSP: c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
LSP: mswsock.dll
Trusted Zone: 0.0.0.0
Trusted Zone: motive.com\patttbc.att
DPF: {E0FEE963-BB53-4215-81AD-B28C77384644} - hxxps://pattcw.att.motive.com/wizlet/DSLActivation/static/installer/ATTInternetInstaller.cab
FF - ProfilePath - c:\documents and settings\Chad Gowens\Application Data\Mozilla\Firefox\Profiles\3wp9mgsh.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.fast-find.net/?sid=10101063100&s=
FF - component: c:\documents and settings\Chad Gowens\Application Data\Mozilla\Firefox\Profiles\3wp9mgsh.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - plugin: c:\documents and settings\Chad Gowens\Application Data\Mozilla\Firefox\Profiles\3wp9mgsh.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Common Files\Motive\npMotive.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.fast-find.net/?sid=10101063100&s=
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-01 23:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MKeg = c:\windows\smss.exe
MKZSc = c:\windows\avp32.exe
HNUEROXRbyycCHADGO~1\LOCALS~1\Temp\315034142.exe = c:\docume~1\CHADGO~1\LOCALS~1\Temp\315034142.exe
HNUEROXRaz26CHADGO~1\LOCALS~1\Temp\2067137778 .exe = c:\docume~1\CHADGO~1\LOCALS~1\Temp\2067137778 .exe
MKee = c:\windows\user.exe
MKeac = c:\windows\user .exe
MKeaK = c:\windows\user .exe
MKea0 = c:\windows\user .exe
MKeaj = c:\windows\user .exe
MKeagc = c:\windows\user .exe
MKeagK = c:\windows\user .exe
MKeag0 = c:\windows\user .exe
MKeagj = c:\windows\user .exe
HNUEROXRbyyKCHADGO~1\LOCALS~1\Temp\315034142 .exe = c:\docume~1\CHADGO~1\LOCALS~1\Temp\315034142 .exe
MKfPj = c:\windows\win32 .exe
MKfPgc = c:\windows\win32 .exe
HNUEROXRa0zQCHADGO~1\LOCALS~1\Temp\2814338205.exe = c:\docume~1\CHADGO~1\LOCALS~1\Temp\2814338205.exe
HNUEROXRbz0PCHADGO~1\LOCALS~1\Temp\3417143844.exe = c:\docume~1\CHADGO~1\LOCALS~1\Temp\3417143844.exe
QuickTime Task = "c:\program files\QuickTime\qttask .exe" -atboottime
HNUEROXRa00QCHADGO~1\LOCALS~1\Temp\1287008906.exe = c:\docume~1\CHADGO~1\LOCALS~1\Temp\1287008906.exe
HNUEROXRay0QCHADGO~1\LOCALS~1\Temp\1090031766.exe = c:\docume~1\CHADGO~1\LOCALS~1\Temp\1090031766.exe
HNUEROXRb03PCHADGO~1\LOCALS~1\Temp\3608287582.exe = c:\docume~1\CHADGO~1\LOCALS~1\Temp\3608287582.exe
HNUEROXRa0zQCHADGO~1\LOCALS~1\Temp\2962241076.exe = c:\docume~1\CHADGO~1\LOCALS~1\Temp\2962241076.exe
HNUEROXRa20QCHADGO~1\LOCALS~1\Temp\1186950386.exe = c:\docume~1\CHADGO~1\LOCALS~1\Temp\1186950386.exe
HNUEROXRazzPCHADGO~1\LOCALS~1\Temp\1515220742.exe = c:\docume~1\CHADGO~1\LOCALS~1\Temp\1515220742.exe
HNUEROXRb0zPCHADGO~1\LOCALS~1\Temp\3380555052.exe = c:\docume~1\CHADGO~1\LOCALS~1\Temp\3380555052.exe
HNUEROXRay06CHADGO~1\LOCALS~1\Temp\1090031766 .exe = c:\docume~1\CHADGO~1\LOCALS~1\Temp\1090031766 .exe
HNUEROXRb01QCHADGO~1\LOCALS~1\Temp\3681169158.exe = c:\docume~1\CHADGO~1\LOCALS~1\Temp\3681169158.exe
HNUEROXRa01PCHADGO~1\LOCALS~1\Temp\1252786172.exe = c:\docume~1\CHADGO~1\LOCALS~1\Temp\1252786172.exe
HNUEROXRay0QCHADGO~1\LOCALS~1\Temp\1604025278.exe = c:\docume~1\CHADGO~1\LOCALS~1\Temp\1604025278.exe
HNUEROXRa00PCHADGO~1\LOCALS~1\Temp\1036870482.exe = c:\docume~1\CHADGO~1\LOCALS~1\Temp\1036870482.exe
HNUEROXRbz1QCHADGO~1\LOCALS~1\Temp\3516078338.exe = c:\docume~1\CHADGO~1\LOCALS~1\Temp\3516078338.exe
HNUEROXRc3zcCHADGO~1\LOCALS~1\Temp\979581246.exe = c:\docume~1\CHADGO~1\LOCALS~1\Temp\979581246.exe
HNUEROXRa00PCHADGO~1\LOCALS~1\Temp\1338476602.exe = c:\docume~1\CHADGO~1\LOCALS~1\Temp\1338476602.exe
HNUEROXRbyzPCHADGO~1\LOCALS~1\Temp\3520373412.exe = c:\docume~1\CHADGO~1\LOCALS~1\Temp\3520373412.exe
HNUEROXRa02OCHADGO~1\LOCALS~1\Temp\1614657570.exe = c:\docume~1\CHADGO~1\LOCALS~1\Temp\1614657570.exe

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e5,36,08,03,e0,62,63,41,95,27,c8,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e5,36,08,03,e0,62,63,41,95,27,c8,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(204)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\windows\system32\L3CODECA.ACM
c:\windows\system32\ac3acm.acm
c:\windows\system32\lameACM.acm
c:\windows\system32\IEFRAME.dll
.
Completion time: 2010-11-01 23:52:14
ComboFix-quarantined-files.txt 2010-11-02 04:52

Pre-Run: 6,245,748,736 bytes free
Post-Run: 6,206,537,728 bytes free

- - End Of File - - 5E7FFEBB6AAEFF3C2123F8CB0566621C

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:20 AM

Posted 02 November 2010 - 01:17 AM

Greetings

WOW that is a big list there - still have a lot to do

Try to run in normal mode and see if it will run. If it does not, I want you to go back into safe mode, but this time choose Safe Mode with Networking; let it install the Recovery Console if it needs to.


:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

RenV::
c:\program files\ATT-SST\McciTrayApp .exe 
c:\program files\Common Files\Adobe\Updater5\AdobeUpdater .exe 
c:\program files\HP\HP Software Update\HPWuSchd .exe 
c:\program files\HP\hpcoretech\hpcmpmgr .exe 
c:\program files\iTunes\iTunesHelper .exe 
c:\program files\Lexmark 5600-6600 Series\fm3032 .exe 
c:\program files\Lexmark 5600-6600 Series\lxduamon .exe 
c:\program files\Lexmark 5600-6600 Series\lxdumon .exe 
c:\program files\Messenger\msmsgs .exe 
c:\program files\Microsoft Security Essentials\msseces .exe 
c:\program files\Microsoft Works\WkDetect .exe 
c:\program files\QuickTime\QTTask .exe 
c:\program files\Spybot - Search & Destroy\TeaTimer .exe 
c:\windows\avp           .exe 
c:\windows\avp32 .exe 
c:\windows\cmd                    .exe 
c:\windows\debug          .exe 
c:\windows\drweb     .exe 
c:\windows\gdi32    .exe 
c:\windows\hexdump  .exe 
c:\windows\iexplarer           .exe 
c:\windows\install  .exe 
c:\windows\KHALMNPR .exe 
c:\windows\login            .exe 
c:\windows\lsass   .exe 
c:\windows\mdm  .exe 
c:\windows\nvsvc32 .exe 
c:\windows\services           .exe 
c:\windows\setup          .exe 
c:\windows\smss  .exe 
c:\windows\spoolsv   .exe 
c:\windows\svchost  .exe 
c:\windows\sysedit           .exe 
c:\windows\system    .exe 
c:\windows\taskmgr .exe 
c:\windows\user         .exe 
c:\windows\win             .exe 
c:\windows\win16   .exe 
c:\windows\win16  .exe 
c:\windows\win16 .exe 
c:\windows\win32     .exe 
c:\windows\winamp  .exe 
c:\windows\wininst .exe 
c:\windows\winlogon            .exe 
c:\windows\system32\rundll32 .exe 

AtJob::

File::
c:\windows\system32\5wIih2.com
c:\documents and settings\LocalService\Local Settings\Application Data\5wIih2.exe


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
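The RenV::, AtJob:: and File:: sections in the post above were compiled by hand from the ComboFix log. As an added example (not code from this thread, from ComboFix or from BleepingComputer), the Python below pulls the same two patterns out of ComboFix-style log lines: executable names padded with spaces before ".exe", and At*.job tasks that relaunch a dropper. The sample log, the regexes and the function names are my own, modelled on the log excerpt in this thread.

```python
"""Added example, not from the thread or from ComboFix: scan ComboFix-style
log lines for the two persistence patterns visible in the log above and
emit the matching CFScript sections the helper wrote by hand.

  - executables whose name carries padding spaces before ".exe"
    (c:\\windows\\user .exe), look-alikes of legitimate names -> RenV::
  - scheduled At*.job tasks that relaunch a dropper -> AtJob:: plus File::
"""
import re

# Constructed sample modelled on the log excerpt in this thread (not the
# full log). Raw string: backslashes are literal Windows separators.
SAMPLE_LOG = r"""
2010-11-01 c:\windows\Tasks\At400.job
- c:\windows\system32\5wIih2.com [2010-10-10 14:15]

2010-11-01 c:\windows\Tasks\At667.job
- c:\documents and settings\LocalService\Local Settings\Application Data\5wIih2.exe [2010-10-16 12:19]

2010-11-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 02:35]

MKeac = c:\windows\user .exe
MKfPj = c:\windows\win32 .exe
QuickTime Task = "c:\program files\QuickTime\qttask .exe" -atboottime
MKeg = c:\windows\smss.exe
"""

# A drive-rooted path whose final component has whitespace just before ".exe".
# Quotes and line breaks end the path, so a quoted value is handled too.
PADDED_EXE_RE = re.compile(r'[a-z]:\\[^"\r\n]*?\S\s+\.exe\b', re.IGNORECASE)
# ComboFix lists each task as "<date> <job path>" followed by "- <target> [<stamp>]".
AT_JOB_RE = re.compile(r'^\S+\s+c:\\windows\\Tasks\\At\d+\.job\s*$', re.IGNORECASE)
TARGET_RE = re.compile(r'^-\s+(.+?)\s+\[[^\]]*\]\s*$')


def _unique(items):
    """Keep the first occurrence of each item, preserving order."""
    return list(dict.fromkeys(items))


def find_padded_executables(log_text):
    """Return the padded-name executables (RenV:: candidates) in log order."""
    return _unique(m.group(0) for m in PADDED_EXE_RE.finditer(log_text))


def find_at_job_targets(log_text):
    """Return the distinct binaries launched by At*.job tasks (File:: candidates)."""
    lines = log_text.splitlines()
    targets = []
    for job_line, next_line in zip(lines, lines[1:]):
        if AT_JOB_RE.match(job_line):
            m = TARGET_RE.match(next_line)
            if m:
                targets.append(m.group(1))
    return _unique(targets)


def build_cfscript(log_text):
    """Assemble the RenV::, AtJob:: and File:: sections from the log text."""
    sections = []
    padded = find_padded_executables(log_text)
    if padded:
        sections.append("RenV::\n" + "\n".join(padded))
    targets = find_at_job_targets(log_text)
    if targets:
        # AtJob:: takes no arguments; it removes the At*.job scheduler entries.
        sections.append("AtJob::")
        sections.append("File::\n" + "\n".join(targets))
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LOG))
```

Legitimate tasks such as GoogleUpdateTaskMachineUA.job and a normally named c:\windows\smss.exe are left out, so the output contains only the entries the helper would review before deleting anything.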

#15 elonkra

elonkra
  • Topic Starter

  • Members
  • 27 posts
  • Local time:02:20 AM

Posted 02 November 2010 - 09:35 PM

Hello again. Want to be sure I am following your instructions correctly here.

As I understand, you want me to do the following, in order:

1. Try to run combofix in normal mode
2. If it runs, provide you with the log (I've already tried, by the way, and it didn't run)
3. If it does not run, reboot in safe mode with networking, and run combofix, allowing it to install the recovery console, if asked

Assuming that my understanding is correct, I'm confused as to when exactly in this process you want me to drag CFScript.txt into combofix

Thanks!

P.S.: This may be more information than you want, at this juncture, but I wanted to mention a couple of new things that I've experienced, in the course of our most recent progress:

1. In the course of rebooting in normal mode now, I get four small "RUNDLL" windows that pop up simultaneously, each of which says there's an error loading one of the following, and that the specified module cannot be found:

-C:\WINDOWS\isimoheyevelan.dll
-C:\WINDOWS\Prpurot.dll
-C:\WINDOWS\system32\cnzwnse8gs.dll (2 occurrences of this one)

2. During at least one reboot (or was it a reboot after a crash? I'm not sure), I saw the following text, in white, on the blue windows xp welcome screen:

Checking file system on G:
The type of the file system is FAT32

One of your disks needs to be checked for consistency. You may cancel the disk check, but it is strongly recommended that you continue.
Windows will not check the disk.
Volume serial number is B3E1-E5A6
Windows is verifying files and folders...
6 percent completed...

I think (but am not 100% sure) that I abandoned this process because I didn't trust it and it was taking forever. In any event, I wanted to provide you with this info, in case it is helpful.

Thanks!



