
Heavily Infected with Viruses [RESOLVED]


This topic is locked

#1 abryenton (Member, 20 posts)
Hey guys,

I need some serious help. I can't log into my PC under the normal mode; as soon as I log in, everything freezes. I've run McAfee and Malwarebytes in Safe Mode, and it's picked up tons of stuff, but when I reboot back into Normal mode it's as if I haven't removed anything.

Any help will be greatly appreciated!

Thanks,
Aaron

My Hijack This log is posted below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:24:54 PM, on 5/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\system32\xwusuhzh.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.forceunleashed.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\xwusuhzh.exe,
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - M:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "M:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [BM93b340a6] Rundll32.exe "C:\WINDOWS\system32\noeujqfw.dll",s
O4 - HKLM\..\Run: [9080733a] rundll32.exe "C:\WINDOWS\system32\ncytwnbw.dll",b
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DriverUpdaterPro] C:\Program Files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe -t
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WintelUpdate] C:\qnruns.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = M:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: Append to existing PDF - res://M:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://M:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://M:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://M:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://M:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://M:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://M:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://M:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driver...driveragent.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MBAMService (mbamservice) - Malwarebytes - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Windows Action Script (windows action script) - Unknown owner - C:\WINDOWS\system32\scvhost.exe (file missing)

--
End of file - 9223 bytes
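As an added triage example (not code from the thread and not part of HijackThis, which only lists entries and does not judge them), the script below parses lines in the shape of the log above and flags the entry types a malware-removal helper looks at first: an extra program appended to the UserInit= chain, rundll32 autoruns loading random-named DLLs, an autorun sitting directly in the drive root, and a service whose binary is missing and whose name mimics svchost.exe. The heuristics and the SYSTEM_BINARIES set are this example's own assumptions, and the sample log is constructed from a few of the lines above.

```python
"""Triage of a HijackThis (HJT) log for the autostart indicators seen in this thread.

Added example; not part of the forum thread and not HijackThis code. The
heuristics below are this example's own assumptions, not an official ruleset.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the HJT log posted above (a few lines only).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\xwusuhzh.exe,
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BM93b340a6] Rundll32.exe "C:\WINDOWS\system32\noeujqfw.dll",s
O4 - HKCU\..\Run: [WintelUpdate] C:\qnruns.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Windows Action Script (windows action script) - Unknown owner - C:\WINDOWS\system32\scvhost.exe (file missing)
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
"""

# System binaries a fake is most likely to imitate by letter-swapping (assumption of this example).
SYSTEM_BINARIES = {"svchost.exe", "userinit.exe", "ctfmon.exe", "explorer.exe",
                   "lsass.exe", "winlogon.exe"}

# A Windows path ending in an executable module; directory components may contain spaces.
PATH_RE = re.compile(r'[A-Za-z]:\\(?:[^"\\,]+\\)*[^"\\,\s]+\.(?:exe|dll|sys)', re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HJT section prefix: F2, O4, O23
    reason: str
    line: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _looks_random(filename: str) -> bool:
    """Crude heuristic: an 8-letter all-lowercase stem such as xwusuhzh or noeujqfw."""
    stem = filename.rsplit(".", 1)[0]
    return re.fullmatch(r"[a-z]{8}", stem) is not None


def _lookalike_of(filename: str) -> Optional[str]:
    """Return the system binary that `filename` is an anagram of (scvhost.exe vs svchost.exe)."""
    if filename in SYSTEM_BINARIES:
        return None
    for known in SYSTEM_BINARIES:
        if sorted(known) == sorted(filename):
            return known
    return None


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("F2 - ") and "UserInit=" in line:
            # UserInit should name userinit.exe only; anything appended to the
            # comma-separated chain is started at every interactive logon.
            chain = line.split("UserInit=", 1)[1]
            for entry in filter(None, (e.strip() for e in chain.split(","))):
                if _basename(entry) != "userinit.exe":
                    findings.append(Finding("F2", f"extra UserInit hook: {entry}", line))
        elif line.startswith("O4 - "):
            for path in PATH_RE.findall(line):
                name = _basename(path)
                if path.count("\\") == 1:   # e.g. C:\qnruns.exe, directly in the drive root
                    findings.append(Finding("O4", f"autorun from drive root: {path}", line))
                if _looks_random(name):
                    findings.append(Finding("O4", f"random-looking module name: {name}", line))
        elif line.startswith("O23 - "):
            for path in PATH_RE.findall(line):
                name = _basename(path)
                if "(file missing)" in line:
                    findings.append(Finding("O23", f"service binary missing: {path}", line))
                known = _lookalike_of(name)
                if known:
                    findings.append(Finding("O23", f"{name} is a lookalike of {known}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}")
```

Legitimate entries such as the NVIDIA and ctfmon autoruns in the sample produce no findings; flagged entries still need a file upload or a scan before anything is removed.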



#2 fenzodahl512 (Malware Removal, 9,863 posts)
Hello Aaron, my name is fenzodahl512 and welcome to Geekstogo.. I'm looking at your log now and currently consulting with the experts regarding your malware problem.. I will be back as soon as possible..

Thank you for your patience and understanding..


Regards
fenzodahl512

#3 abryenton (Topic Starter, Member, 20 posts)
Thanks,

I know you guys are busy, so I don't mind waiting. In the meantime I've been running every scanner available, like Spybot, Malwarebytes, Trojan Hunter, SUPERAntiSpyware and a bunch of others. It takes the majority off, but every time I run a scan it picks up different ones.

#4 fenzodahl512 (Malware Removal, 9,863 posts)
Hello abryenton, my name is fenzodahl512 and welcome to Geekstogo.. Please do the following..


Please temporarily disable your McAfee prior to our fix. Please visit this webpage if you do not know how..


Please go to UploadMalware to upload a suspicious file for analysis.
  • Enter your username from this forum: abryenton
  • Copy and paste the link to this thread: http://www.geekstogo...es-t198754.html
  • Browse for this filename: C:\qnruns.exe
  • In the comments, please mention that fenzodahl512 asked you to upload this file
  • Click on Send File

Please repeat above step with C:\WINDOWS\system32\xwusuhzh.exe file..




NEXT


Please download SDFix by Andy Manchesta and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • A new folder will be extracted to your %systemdrive%, typically C:\SDFix
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt along with any other requested logs at the end of these instructions.




NEXT


Please visit below webpage for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. DO NOT select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix (located in C:\combofix.txt) when you've accomplished that.



Please re-enable your McAfee after performing all steps above..



Please post the following logs in your next reply..

1. SDFix log
2. ComboFix log
3. A fresh HijackThis log (after ComboFix step)


Regards
fenzodahl512

#5 abryenton (Topic Starter, Member, 20 posts)
I ran SDFix and everything went the way you said it would. When it finished and booted back in, the first thing that happened was that Malwarebytes popped up saying:

Infection Detected:
File attempted to execute:
C:\WINDOWS\system32\iifebcyX.dll

Detected as:
Trojan.Vundo

Memory location:
0 (memory module)

Then, when SDFix tried to load the report in Notepad, a Microsoft box popped up and said:

Data Execution Prevention - Microsoft Windows

To help protect your computer, Windows has closed this program

Notepad

Close message

Should I still run the Combo Fix? I can't even access this website, my explorer or firefox just freezes. I'm doing this from my laptop.

#6 abryenton (Topic Starter, Member, 20 posts)
I managed to find the report; it's attached below.

I tried following the instructions for ComboFix but it won't execute, not even in Safe Mode. It's not the file, because it ran fine on my laptop. When I double-click it, it doesn't do anything.


SDFix: Version 1.184
Run by Nitro on Wed 05/21/2008 at 09:35 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDfix\SDFix

Checking Services :

Name :
gsbgqpwwfw

Path :
\??\C:\WINDOWS\system32\gsbgqpwwfw.sys

gsbgqpwwfw - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\-18706~1 - Deleted
C:\WINDOWS\explore.exe - Deleted
C:\WINDOWS\explorer32.exe - Deleted
C:\WINDOWS\internet.exe - Deleted
C:\WINDOWS\svchost32.exe - Deleted
C:\WINDOWS\system32\gsbgqpwwfw.sys - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-21 21:47:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\clb.dll]
"0"=hex:00,00,28,0a,01,00,05,00
"1"=hex:b6,00,b6,eb,2f,6b,03,cb,5a,e8,c3,ac,b9,40,38,e1
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\clbcatex.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:cf,24,2a,85,a4,d7,fe,3c,03,76,96,fe,18,b6,ec,d3
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\clbcatq.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:6a,b7,9d,1d,7d,d8,1d,46,23,79,12,2a,da,6a,19,42
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\clbdriver]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clb.dll]
"0"=hex:00,00,28,0a,01,00,05,00
"1"=hex:b6,00,b6,eb,2f,6b,03,cb,5a,e8,c3,ac,b9,40,38,e1
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clbcatex.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:cf,24,2a,85,a4,d7,fe,3c,03,76,96,fe,18,b6,ec,d3
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clbcatq.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:6a,b7,9d,1d,7d,d8,1d,46,23,79,12,2a,da,6a,19,42
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\clbdriver]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clb.dll]
"0"=hex:00,00,28,0a,01,00,05,00
"1"=hex:b6,00,b6,eb,2f,6b,03,cb,5a,e8,c3,ac,b9,40,38,e1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatex.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:cf,24,2a,85,a4,d7,fe,3c,03,76,96,fe,18,b6,ec,d3
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatq.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:6a,b7,9d,1d,7d,d8,1d,46,23,79,12,2a,da,6a,19,42
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\clbdriver]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Nls\MUILanguages\RCV2\clb.dll]
"0"=hex:00,00,28,0a,01,00,05,00
"1"=hex:b6,00,b6,eb,2f,6b,03,cb,5a,e8,c3,ac,b9,40,38,e1
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Nls\MUILanguages\RCV2\clbcatex.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:cf,24,2a,85,a4,d7,fe,3c,03,76,96,fe,18,b6,ec,d3
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Nls\MUILanguages\RCV2\clbcatq.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:6a,b7,9d,1d,7d,d8,1d,46,23,79,12,2a,da,6a,19,42
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\SafeBoot\Network\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\clbdriver]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Control\Nls\MUILanguages\RCV2\clb.dll]
"0"=hex:00,00,28,0a,01,00,05,00
"1"=hex:b6,00,b6,eb,2f,6b,03,cb,5a,e8,c3,ac,b9,40,38,e1
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Control\Nls\MUILanguages\RCV2\clbcatex.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:cf,24,2a,85,a4,d7,fe,3c,03,76,96,fe,18,b6,ec,d3
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Control\Nls\MUILanguages\RCV2\clbcatq.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:6a,b7,9d,1d,7d,d8,1d,46,23,79,12,2a,da,6a,19,42
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Control\SafeBoot\Network\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\clbdriver]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\??\globalroot\systemroot\system32\drivers\clbdriver.sys"

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\clbimagedata]
"affid"="7"
"subid"="run04"
"control"=hex:1a,00,15,13,07,11,18,1f,14,0a,49,09,4b,1a,09,50,11,e5,f5
"prov"="10010"
"googleadserver"="pagead2.googlesyndication.com"
"flagged"=dword:00000001

scanning hidden files ...

C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatex.dll 110080 bytes executable
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatq.dll 498688 bytes executable
C:\WINDOWS\system32\clb.dll 10752 bytes executable
C:\WINDOWS\system32\clbcatex.dll 110080 bytes executable
C:\WINDOWS\system32\clbcatq.dll 498688 bytes executable
C:\WINDOWS\system32\clbdll.dll 31560 bytes executable
C:\WINDOWS\system32\clbinit.dll 1695 bytes
C:\WINDOWS\system32\drivers\clbdriver.sys 6656 bytes executable
C:\WINDOWS\system32\dllcache\clb.dll 10752 bytes executable
C:\WINDOWS\ServicePackFiles\i386\clbcatex.dll 110080 bytes executable
C:\WINDOWS\ServicePackFiles\i386\clbcatq.dll 501248 bytes executable
C:\WINDOWS\$NtServicePackUninstall$\clbcatex.dll 100864 bytes executable
C:\WINDOWS\$NtServicePackUninstall$\clbcatq.dll 468480 bytes executable
C:\WINDOWS\$NtUninstallKB902400$\clbcatex.dll 110080 bytes executable
C:\WINDOWS\$NtUninstallKB902400$\clbcatq.dll 501248 bytes executable

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 15


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"="C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe:*:Enabled:Adobe Version Cue CS3 Server"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"="C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDfix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 10 May 2008 68,756 ...H. --- "C:\Program Files\EDraw Max\EDraw.exe-Toolbars"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Thu 24 Apr 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Thu 24 Apr 2008 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Tue 22 Apr 2008 12,419,886 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\743d342802b0f1361afc382ea340bf3a\BIT66.tmp"
Wed 30 Apr 2008 15,019,089 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a04477c32a6fb7024bddf15f1c7beff3\BIT125.tmp"

Finished!
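The catchme section of the SDFix report above shows a hidden clbdriver service registered under both SafeBoot\Minimal and SafeBoot\Network, which is what lets a driver load in Safe Mode as well as in a normal boot. As an added example (not part of the thread, SDFix or catchme), the parser below reads a .reg-style dump in that shape and reports, per service, whether it is whitelisted for Safe Mode, whether it is a kernel driver started at boot, and whether its image path uses the \??\globalroot prefix; the sample dump is constructed from the ControlSet001 entries above plus a fictitious benign user-mode service named examplesvc for contrast.

```python
"""Check a catchme/SDFix registry dump for services that survive Safe Mode.

Added example; not part of the forum thread, SDFix or catchme. The dump format
(a .reg-style listing) and the sample below are modelled on the log above.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: the ControlSet001 entries from the log above plus a
# fictitious benign user-mode service ("examplesvc") for contrast.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\clbdriver]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\examplesvc]
"start"=dword:00000002
"type"=dword:00000010
"imagepath"=str(2):"C:\Program Files\Example\examplesvc.exe"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"?(@|[^"=]+)"?=(.*)$')
SERVICE_RE = re.compile(r"\\(ControlSet\d{3}|CurrentControlSet)\\Services\\([^\\]+)$", re.IGNORECASE)
SAFEBOOT_RE = re.compile(
    r"\\(ControlSet\d{3}|CurrentControlSet)\\Control\\SafeBoot\\(Minimal|Network)\\([^\\]+)$",
    re.IGNORECASE)

# Windows service control constants (SERVICE_* start and type values).
START_NAMES = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START", 3: "DEMAND_START", 4: "DISABLED"}
DRIVER_TYPES = {0x1, 0x2}   # SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER


@dataclass
class ServiceReport:
    name: str
    control_set: str
    start: int
    service_type: int
    image_path: str
    safeboot: List[str] = field(default_factory=list)   # "Minimal" and/or "Network"
    notes: List[str] = field(default_factory=list)


def _decode(value: str):
    """Decode the .reg-style value syntaxes used in the dump (dword:, str(2):, quoted)."""
    if value.startswith("dword:"):
        return int(value[len("dword:"):], 16)
    if value.startswith("str(2):") or value.startswith("str:"):
        value = value.split(":", 1)[1]
    return value.strip('"')


def parse_reg_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] header to its name -> raw value lines."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1).lower()] = m.group(2)
    return keys


def assess_services(text: str) -> List[ServiceReport]:
    keys = parse_reg_dump(text)
    # (control set, entry name) -> SafeBoot lists that allow the entry to load.
    safeboot: Dict[Tuple[str, str], List[str]] = {}
    for key in keys:
        m = SAFEBOOT_RE.search(key)
        if m:
            safeboot.setdefault((m.group(1).lower(), m.group(3).lower()), []).append(m.group(2))

    reports: List[ServiceReport] = []
    for key, values in keys.items():
        m = SERVICE_RE.search(key)
        if not m:
            continue
        cs, name = m.group(1).lower(), m.group(2)
        image = str(_decode(values.get("imagepath", '""')))
        rep = ServiceReport(name, cs,
                            int(_decode(values.get("start", "dword:00000003"))),
                            int(_decode(values.get("type", "dword:00000000"))),
                            image)
        # SafeBoot entries are keyed by service name or by the driver's file name.
        for entry in {name.lower(), image.rsplit("\\", 1)[-1].lower()}:
            rep.safeboot += safeboot.get((cs, entry), [])
        if rep.safeboot:
            rep.notes.append(f"allowed in Safe Mode ({', '.join(sorted(rep.safeboot))}): "
                             "scans done in Safe Mode run with it loaded")
        if rep.service_type in DRIVER_TYPES and rep.start <= 1:
            rep.notes.append(f"kernel driver, {START_NAMES[rep.start]}: loaded before any scanner")
        if image.lower().startswith("\\??\\globalroot"):
            rep.notes.append("image path uses the \\??\\globalroot prefix rather than the usual "
                             "system32\\drivers form")
        reports.append(rep)
    return reports


if __name__ == "__main__":
    for r in assess_services(SAMPLE_DUMP):
        print(f"{r.control_set}\\{r.name}: {r.image_path}")
        for note in r.notes:
            print("  -", note)
```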

#7 fenzodahl512 (Malware Removal, 9,863 posts)
Hello abryenton... Thanks for the following.. Now I see what's really bugging you.. Please do the following..


Please temporarily disable your McAfee prior to our fix.. Please re-enable it after performing all the steps below..


**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    (screenshots not reproduced)

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**




NEXT


Please download GMER and unzip it to your Desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.



Please post the following logs in your next reply...

1. Combo-Fix
2. GMER
3. A fresh HijackThis log (after GMER step)


Regards
fenzodahl512

#8 abryenton (Topic Starter, Member, 20 posts)
OK, everything went great with ComboFix; I've noticed a huge difference already. It's still really laggy though.

Combo fix log:

ComboFix 08-05-21.3 - Nitro 2008-05-23 1:24:08.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1649 [GMT -3:00]
Running from: C:\Documents and Settings\Nitro\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Google\googletoolbar1.dll
C:\WINDOWS\BM93b340a6.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\afwqfnhp.exe
C:\WINDOWS\system32\awtqoMdd.dll
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\dwsxleot.dll
C:\WINDOWS\system32\elqdiwao.dll
C:\WINDOWS\system32\FgMlkUtv.ini
C:\WINDOWS\system32\FgMlkUtv.ini2
C:\WINDOWS\system32\hfnfsffn.dll
C:\WINDOWS\system32\iumftfhi.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mnTsttwa.ini
C:\WINDOWS\system32\mnTsttwa.ini2
C:\WINDOWS\system32\noeujqfw.dll
C:\WINDOWS\system32\rcoytiwk.exe
C:\WINDOWS\system32\ruscvrau.dll
C:\WINDOWS\system32\sbomrfik.dll
C:\WINDOWS\system32\wpfdcxpj.exe
C:\WINDOWS\system32\wwtdaduo.dll
C:\WINDOWS\system32\yualryip.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER


((((((((((((((((((((((((( Files Created from 2008-04-23 to 2008-05-23 )))))))))))))))))))))))))))))))
.

2008-05-21 21:26 . 2008-05-21 21:26 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-21 21:25 . 2008-05-21 21:25 <DIR> d-------- C:\SDfix
2008-05-21 03:04 . 2008-05-21 03:04 <DIR> d-------- C:\Documents and Settings\Nitro\Application Data\TrojanHunter
2008-05-20 23:31 . 2008-05-20 23:32 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-05-19 22:34 . 2008-05-19 22:34 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-19 22:34 . 2008-05-19 22:34 <DIR> d-------- C:\Documents and Settings\Nitro\Application Data\SUPERAntiSpyware.com
2008-05-19 22:34 . 2008-05-19 22:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-19 22:32 . 2008-05-22 22:45 326 --a------ C:\WINDOWS\wininit.ini
2008-05-18 20:21 . 2008-05-18 20:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-18 20:20 . 2008-05-18 20:20 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-18 20:20 . 2008-05-18 20:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-18 16:29 . 2008-05-18 16:29 <DIR> d-------- C:\Program Files\CCleaner
2008-05-18 16:15 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\000001_.tmp
2008-05-18 16:15 . 2004-08-04 00:56 10,752 --a------ C:\WINDOWS\system32\smtpapi.dll
2008-05-18 16:15 . 2004-08-04 00:56 9,728 --a------ C:\WINDOWS\system32\rwnh.dll
2008-05-18 16:04 . 2008-05-18 16:04 0 --a------ C:\WINDOWS\system32\HFX11C9.tmp
2008-05-18 16:02 . 2008-05-18 16:02 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-05-18 16:02 . 2008-05-18 16:02 <DIR> d-------- C:\WINDOWS\system32\en
2008-05-18 16:02 . 2008-05-18 16:05 <DIR> d-------- C:\WINDOWS\system32\bits
2008-05-18 16:02 . 2008-05-18 16:02 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-18 16:02 . 2008-04-14 05:42 354,304 --a------ C:\WINDOWS\system32\SETFAA.tmp
2008-05-18 16:02 . 2008-04-14 05:40 177,152 --a------ C:\WINDOWS\system32\SETFDC.tmp
2008-05-18 16:00 . 2008-04-14 05:42 8,461,312 --a------ C:\WINDOWS\system32\SET1B6.tmp
2008-05-18 15:59 . 2007-10-26 00:36 8,454,656 --a------ C:\WINDOWS\system32\dllcache\shell32.dll
2008-05-18 15:56 . 2008-05-18 16:04 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-18 01:17 . 2001-08-23 09:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-05-18 01:16 . 2008-05-18 01:16 4 --a------ C:\WINDOWS\system32\hljwugsf.bin
2008-05-18 01:15 . 2008-05-18 01:15 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-18 01:15 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-18 01:15 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-17 00:30 . 2008-05-17 00:30 <DIR> d-------- C:\Deckard
2008-05-17 00:24 . 2008-05-22 21:16 <DIR> d-------- C:\HJT
2008-05-17 00:17 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-05-17 00:16 . 2008-05-17 00:16 <DIR> d-------- C:\Program Files\MSBuild
2008-05-17 00:16 . 2008-05-17 00:16 <DIR> d-------- C:\Program Files\Microsoft Works
2008-05-17 00:15 . 2008-05-17 00:15 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-05-17 00:13 . 2008-05-17 00:13 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-05-17 00:12 . 2008-05-17 00:15 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-05-17 00:12 . 2008-05-17 00:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-17 00:11 . 2008-05-17 00:11 <DIR> dr-h----- C:\MSOCache
2008-05-16 21:24 . 2008-05-17 15:46 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-16 21:24 . 2008-05-16 21:24 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-16 03:57 . 2008-05-16 03:57 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-15 20:53 . 2008-05-15 20:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-15 19:53 . 2008-05-15 19:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers Headquarters
2008-05-15 19:33 . 2008-05-15 19:33 1,160 --a------ C:\WINDOWS\mozver.dat
2008-05-15 15:21 . 2008-05-15 15:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Nero
2008-05-15 15:21 . 2008-05-15 15:21 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-15 01:52 . 2008-05-15 01:52 <DIR> d-------- C:\WINDOWS\Application Data
2008-05-15 00:16 . 2008-05-15 01:03 41,776,360 --a------ C:\WINDOWS\system32\amtmp.wav
2008-05-15 00:16 . 2008-05-15 01:03 326,368 --a------ C:\amt1
2008-05-15 00:14 . 2008-05-15 01:03 521 --a------ C:\WINDOWS\MP3trtg.ini
2008-05-15 00:08 . 2008-05-15 00:12 <DIR> d-------- C:\Program Files\Coding Workshop Ringtone Converter
2008-05-15 00:08 . 2004-02-19 05:11 511,488 --a------ C:\WINDOWS\system32\cwmdtl50a.dll
2008-05-15 00:08 . 1998-10-07 05:53 305,432 --a------ C:\WINDOWS\system32\Threed20.ocx
2008-05-15 00:08 . 2003-06-30 16:39 102,400 --a------ C:\WINDOWS\system32\cwsmaf40.dll
2008-05-12 20:02 . 2008-05-12 20:02 <DIR> d-------- C:\Documents and Settings\Nitro\Application Data\CSOdessa
2008-05-12 20:01 . 2008-05-13 00:46 <DIR> d-------- C:\Program Files\CS Odessa
2008-05-11 15:22 . 2008-05-11 15:22 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2008-05-11 15:22 . 2008-05-11 15:22 <DIR> d-------- C:\Program Files\Common Files\TechSmith Shared
2008-05-11 15:22 . 2008-05-11 15:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TechSmith
2008-05-11 15:22 . 2007-08-27 10:53 107,864 --a------ C:\WINDOWS\system32\tsccvid.dll
2008-05-11 15:21 . 2008-05-11 15:21 <DIR> d-------- C:\Program Files\TechSmith
2008-05-10 21:57 . 2008-05-10 22:54 <DIR> d-------- C:\Program Files\EDraw Max
2008-05-10 20:32 . 2004-03-05 01:13 644,400 --a------ C:\WINDOWS\system32\MSCOMCT2.OCX
2008-05-10 20:29 . 2008-05-10 20:29 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-05-10 19:42 . 2008-05-10 19:42 <DIR> d-------- C:\Program Files\IGC
2008-05-10 18:52 . 2008-05-10 18:52 <DIR> d-------- C:\Documents and Settings\Nitro\Application Data\Apple Computer
2008-05-10 18:50 . 2008-05-10 18:50 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-10 18:50 . 2008-05-10 18:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-10 18:50 . 2008-05-10 18:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-05-10 17:13 . 2008-05-10 17:17 <DIR> d-------- C:\Documents and Settings\Nitro\Application Data\DivX
2008-05-10 17:12 . 2008-05-10 19:47 <DIR> d-------- C:\Program Files\DivX
2008-05-10 17:12 . 2008-01-04 18:58 120,056 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2008-05-10 17:12 . 2008-01-04 18:58 118,520 --a------ C:\WINDOWS\system32\pxinsi64.exe
2008-05-09 00:04 . 2008-05-09 00:04 <DIR> d-------- C:\Program Files\IMSI
2008-05-08 23:58 . 2008-05-09 21:55 <DIR> d-------- C:\Program Files\MagicISO
2008-05-08 20:08 . 2008-05-08 20:08 22,328 --a------ C:\Documents and Settings\Nitro\Application Data\PnkBstrK.sys
2008-05-08 19:50 . 2008-05-08 19:50 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-05-07 19:53 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-05-07 19:53 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2008-05-07 19:53 . 2007-07-19 18:14 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2008-05-06 22:15 . 2008-05-06 22:15 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-01 21:33 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2008-05-01 21:33 . 2007-05-16 16:45 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2008-05-01 21:33 . 2007-05-16 16:45 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2008-05-01 21:33 . 2007-05-31 19:30 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2008-05-01 21:33 . 2007-05-31 19:29 18,280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
2008-05-01 21:32 . 2008-05-01 21:32 319 --a------ C:\WINDOWS\game.ini
2008-05-01 21:22 . 2008-05-01 21:22 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-04-30 23:39 . 2008-04-30 23:45 <DIR> d-------- C:\Documents and Settings\Nitro\Application Data\HP
2008-04-30 23:39 . 2006-04-12 22:04 49,664 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-04-30 23:39 . 2006-04-12 22:04 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-04-30 23:26 . 2008-04-30 23:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-04-30 23:25 . 2008-04-30 23:26 <DIR> d-------- C:\Program Files\Common Files\HP
2008-04-30 23:23 . 2008-04-30 23:23 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-04-30 23:23 . 2008-04-30 23:23 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-04-30 23:18 . 2008-04-30 23:40 117,132 --a------ C:\WINDOWS\hpoins11.dat
2008-04-30 22:44 . 2006-01-04 06:12 77,824 -ra------ C:\WINDOWS\system32\HPZIDS01.dll
2008-04-30 22:44 . 2006-04-10 14:03 38,400 --a------ C:\WINDOWS\system32\hpz3l054.dll
2008-04-30 22:43 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-04-30 22:43 . 2006-03-03 21:03 282,680 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-04-30 22:43 . 2006-03-03 21:02 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-04-30 22:43 . 2006-03-03 21:02 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-04-30 22:43 . 2006-03-03 21:03 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-04-30 22:43 . 2006-03-03 21:03 65,536 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-04-30 22:43 . 2006-03-03 21:02 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-04-30 00:54 . 2008-05-10 19:48 <DIR> d-------- C:\Documents and Settings\Nitro\Application Data\Microsoft Games
2008-04-28 23:51 . 2008-04-28 23:51 <DIR> d-------- C:\Documents and Settings\Nitro\System
2008-04-28 23:51 . 2008-04-29 00:23 <DIR> d-------- C:\Documents and Settings\Nitro\Application Data\SmartDraw
2008-04-28 23:38 . 2008-05-09 21:58 <DIR> d-------- C:\Program Files\SmartDraw 2008
2008-04-28 21:34 . 2007-03-12 16:42 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2008-04-28 21:34 . 2007-03-12 16:42 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2008-04-28 21:34 . 2007-03-15 16:57 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2008-04-28 21:34 . 2007-04-04 18:55 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2008-04-28 21:34 . 2007-01-24 15:27 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2008-04-27 23:23 . 2008-05-10 17:59 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-04-26 19:54 . 2008-04-26 19:54 <DIR> d-------- C:\Program Files\Common Files\Control Panels
2008-04-26 19:51 . 2008-04-26 19:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ALM
2008-04-26 19:44 . 2008-05-10 18:51 <DIR> d-------- C:\Program Files\QuickTime
2008-04-26 19:40 . 2007-02-20 16:04 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2008-04-26 19:40 . 2007-02-20 16:04 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-04-26 19:33 . 2008-04-26 19:33 <DIR> d-------- C:\Program Files\Bonjour
2008-04-26 19:23 . 2008-04-26 19:23 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-04-25 19:42 . 2008-05-23 01:32 51 --a------ C:\WINDOWS\iTouch.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-23 04:24 --------- d-----w C:\Program Files\Google
2008-05-23 04:07 --------- d-----w C:\Documents and Settings\Nitro\Application Data\uTorrent
2008-05-21 02:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-18 04:19 --------- d-----w C:\Program Files\Driver Magician
2008-05-15 22:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-01 02:26 --------- d-----w C:\Program Files\HP
2008-04-25 22:38 --------- d-----w C:\Program Files\Logitech
2008-04-25 22:37 --------- d-----w C:\Program Files\Common Files\Logitech
2008-04-23 21:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-04-23 02:47 --------- d-----w C:\Program Files\DIFX
2008-04-23 02:42 --------- d-----w C:\Program Files\NVIDIA Corporation
2008-04-23 01:53 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-23 01:05 --------- d-----w C:\Documents and Settings\Nitro\Application Data\InstallShield
2008-04-22 23:25 --------- d-----w C:\Program Files\uTorrent
2008-04-22 22:27 --------- d-----w C:\Program Files\XPC Tools
2008-04-22 21:43 --------- d-----w C:\Program Files\Realtek
2008-04-22 21:11 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-04-22 08:58 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-14 08:45 218,134 ----a-w C:\WINDOWS\AppPatch\SET4FC.tmp
2008-04-14 08:45 204,396 ----a-w C:\WINDOWS\AppPatch\SET4FB.tmp
2008-04-14 08:45 1,202,774 ----a-w C:\WINDOWS\AppPatch\SET4FA.tmp
2008-04-14 08:41 97,280 ----a-w C:\WINDOWS\system32\SET2E6.tmp
2008-04-14 08:39 9,344 ----a-w C:\WINDOWS\system32\SET33B.tmp
2008-04-14 08:39 285,696 ----a-w C:\WINDOWS\system32\SET3EF.tmp
2008-04-14 02:07 208,384 ----a-w C:\WINDOWS\system32\SET1DB.tmp
2008-04-14 01:56 94,208 ----a-w C:\WINDOWS\system32\SET22E.tmp
2008-04-14 01:56 90,112 ----a-w C:\WINDOWS\system32\SET199.tmp
2008-04-14 01:56 12,288 ----a-w C:\WINDOWS\system32\SET2B1.tmp
2008-04-14 01:56 12,288 ----a-w C:\WINDOWS\system32\SET22B.tmp
2008-04-14 01:54 20,480 ----a-w C:\WINDOWS\system32\SET289.tmp
2008-04-14 01:33 63,488 ----a-w C:\WINDOWS\system32\SET3E2.tmp
2008-04-14 01:33 549,376 ----a-w C:\WINDOWS\system32\SET1B8.tmp
2008-04-14 00:53 48,128 ----a-w C:\WINDOWS\system32\SET284.tmp
2008-04-14 00:09 884,736 ----a-w C:\WINDOWS\system32\SET296.tmp
2008-03-26 21:37 4,713,472 ----a-w C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-03-26 19:14 16,859,136 ----a-w C:\WINDOWS\RTHDCPL.exe
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\_006192_.tmp.dll
2008-03-05 21:07 520,192 ----a-w C:\WINDOWS\RtlExUpd.dll
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{78ED0603-1147-4185-ADF5-43A82C4511E3}]
C:\WINDOWS\system32\vtUklMgF.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E9E4E7D5-2E98-4FB5-8A5E-1A7FB287171C}]
C:\WINDOWS\system32\cbXNGwwt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-22 18:15 68856]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2007-12-13 19:10 1688872]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-13 12:43 1510640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-03-26 16:14 16859136 C:\WINDOWS\RTHDCPL.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 09:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-04-09 09:23 200704]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-03-27 03:35 36352]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-08-24 18:57 36640]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 14:21 2213160]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2002-11-23 02:15 631362]
"Acrobat Assistant 8.0"="M:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 23:24 620152]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 16:40 1884160]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"9080733a"="C:\WINDOWS\system32\purxxgha.dll" [ ]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [2008-03-25 19:08 1047712]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2008-04-26 19:44:04 295606]
Adobe Acrobat Synchronizer.lnk - M:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2008-04-25 19:38:39 169472]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 13:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-04-22 18:15 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R2 mbamdrvservice;MBAMDrvService;C:\WINDOWS\system32\drivers\mbam.sys [2008-05-05 20:46]
R2 mbamservice;MBAMService;"C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [2008-05-05 20:46]
R3 hcw18bda;Hauppauge WinTV 418 Driver;C:\WINDOWS\system32\drivers\hcw18bda.sys [2007-04-18 16:30]
R3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2003-12-17 09:50]
S2 windows action script;Windows Action Script;"C:\WINDOWS\system32\scvhost.exe" []
S3 MBAMCatchMe;MBAMCatchMe;C:\WINDOWS\system32\drivers\mbamcatchme.sys [2008-05-05 20:46]

*Newly Created Service* - SITEADVISOR_SERVICE
.
Contents of the 'Scheduled Tasks' folder
"2008-05-15 04:07:21 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-05-01 04:17:02 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-23 01:32:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamtrayctrl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-05-23 1:37:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-23 04:37:20

Pre-Run: 28,423,901,184 bytes free
Post-Run: 28,305,932,288 bytes free

356 --- E O F --- 2008-04-23 21:52:47



GMER log:

GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-05-23 18:08:34
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \??\C:\WINDOWS\system32\drivers\mbam.sys ZwCreateSection [0xB0EAB700]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB15F7F20]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB153C9AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB153C958]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB153C96C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB153C9EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB153C930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB153C944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB153C9BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB153C996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB153C982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB153CA19]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB153CA00]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB153C9D4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwYieldExecution 80503FC8 7 Bytes JMP B153C9D8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[344] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 0137F6E0 C:\Program Files\SiteAdvisor\6261\saPlugin.dll
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[344] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 5 Bytes JMP 0056DBBD C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe (Windows Live Messenger/Microsoft Corporation)
.text C:\WINDOWS\system32\services.exe[808] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\services.exe[808] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00FE0076
.text C:\WINDOWS\system32\services.exe[808] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00FE0F81
.text C:\WINDOWS\system32\services.exe[808] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00FE0F92
.text C:\WINDOWS\system32\services.exe[808] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00FE005B
.text C:\WINDOWS\system32\services.exe[808] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00FE0FC3
.text C:\WINDOWS\system32\services.exe[808] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00FE00BF
.text C:\WINDOWS\system32\services.exe[808] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00FE00AE
.text C:\WINDOWS\system32\services.exe[808] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00FE00EB
.text C:\WINDOWS\system32\services.exe[808] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00FE00DA
.text C:\WINDOWS\system32\services.exe[808] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00FE00FC
.text C:\WINDOWS\system32\services.exe[808] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00FE004A
.text C:\WINDOWS\system32\services.exe[808] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00FE000A
.text C:\WINDOWS\system32\services.exe[808] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00FE0087
.text C:\WINDOWS\system32\services.exe[808] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00FE0FD4
.text C:\WINDOWS\system32\services.exe[808] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00FE0025
.text C:\WINDOWS\system32\services.exe[808] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00FE0F5C
.text C:\WINDOWS\system32\services.exe[808] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00FD0F9E
.text C:\WINDOWS\system32\services.exe[808] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00FD0025
.text C:\WINDOWS\system32\services.exe[808] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00FD0FB9
.text C:\WINDOWS\system32\services.exe[808] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00FD0FCA
.text C:\WINDOWS\system32\services.exe[808] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00FD0F72
.text C:\WINDOWS\system32\services.exe[808] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00FD0F8D
.text C:\WINDOWS\system32\services.exe[808] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00FD0FE5
.text C:\WINDOWS\system32\services.exe[808] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00FD0014
.text C:\WINDOWS\system32\services.exe[808] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00A40FEF
.text C:\WINDOWS\system32\lsass.exe[820] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00F70FEF
.text C:\WINDOWS\system32\lsass.exe[820] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00F70F79
.text C:\WINDOWS\system32\lsass.exe[820] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00F70F94
.text C:\WINDOWS\system32\lsass.exe[820] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00F70FA5
.text C:\WINDOWS\system32\lsass.exe[820] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00F70062
.text C:\WINDOWS\system32\lsass.exe[820] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00F70051
.text C:\WINDOWS\system32\lsass.exe[820] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00F70093
.text C:\WINDOWS\system32\lsass.exe[820] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00F70F57
.text C:\WINDOWS\system32\lsass.exe[820] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00F700BF
.text C:\WINDOWS\system32\lsass.exe[820] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00F70F30
.text C:\WINDOWS\system32\lsass.exe[820] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00F70F15
.text C:\WINDOWS\system32\lsass.exe[820] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00F70FCA
.text C:\WINDOWS\system32\lsass.exe[820] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00F7000A
.text C:\WINDOWS\system32\lsass.exe[820] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00F70F68
.text C:\WINDOWS\system32\lsass.exe[820] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00F70036
.text C:\WINDOWS\system32\lsass.exe[820] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00F7001B
.text C:\WINDOWS\system32\lsass.exe[820] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00F700AE
.text C:\WINDOWS\system32\lsass.exe[820] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00F6001B
.text C:\WINDOWS\system32\lsass.exe[820] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00F60F68
.text C:\WINDOWS\system32\lsass.exe[820] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00F60FD4
.text C:\WINDOWS\system32\lsass.exe[820] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00F60FE5
.text C:\WINDOWS\system32\lsass.exe[820] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00F60F83
.text C:\WINDOWS\system32\lsass.exe[820] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00F60F94
.text C:\WINDOWS\system32\lsass.exe[820] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00F60000
.text C:\WINDOWS\system32\lsass.exe[820] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00F60FAF
.text C:\WINDOWS\system32\lsass.exe[820] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00BC0000
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00920FEF
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00920093
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00920F9E
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00920FAF
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 0092006C
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00920036
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00920F55
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00920F66
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00920F04
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00920F15
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 009200C2
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00920051
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00920FDE
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00920F83
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00920025
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00920014
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00920F3A
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00910FB9
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 0091004A
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00910FCA
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00910FE5
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00910F83
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 0091002F
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00910000
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00910FA8
.text C:\WINDOWS\system32\svchost.exe[1000] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 008D0000
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00B10FEF
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00B100AC
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00B10FB7
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00B10FC8
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00B10087
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00B1005B
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00B100F5
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00B100D8
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00B10F92
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00B1012B
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00B10F81
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00B10076
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00B10014
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00B100C7
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00B10036
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00B10025
.text C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00B10110
.text C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00B00FC3
.text C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00B0006F
.text C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00B00FDE
.text C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00B00FEF
.text C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00B00FA8
.text C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00B00054
.text C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00B0000A
.text C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00B00039
.text C:\WINDOWS\system32\svchost.exe[1084] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00AE0000
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01F8000A
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01F80FB7
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01F800A2
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 01F80091
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01F80080
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01F80FD4
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 01F80F95
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01F80FA6
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01F80F69
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01F80F7A
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 01F80F58
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 01F8005B
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 01F80FE5
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 01F800C7
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 01F80036
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 01F8001B
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 01F800F8
.text C:\WINDOWS\System32\svchost.exe[1180] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 01F00FB9
.text C:\WINDOWS\System32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 01F0001B
.text C:\WINDOWS\System32\svchost.exe[1180] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 01F00FCA
.text C:\WINDOWS\System32\svchost.exe[1180] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 01F00FDB
.text C:\WINDOWS\System32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 01F00F5E
.text C:\WINDOWS\System32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 01F00F79
.text C:\WINDOWS\System32\svchost.exe[1180] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 01F00000
.text C:\WINDOWS\System32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 01F00F94
.text C:\WINDOWS\System32\svchost.exe[1180] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 01EE0000
.text C:\WINDOWS\System32\svchost.exe[1180] WININET.dll!InternetOpenA 42C2C851 5 Bytes JMP 01ED0FEF
.text C:\WINDOWS\System32\svchost.exe[1180] WININET.dll!InternetOpenW 42C2CE81 5 Bytes JMP 01ED000A
.text C:\WINDOWS\System32\svchost.exe[1180] WININET.dll!InternetOpenUrlA 42C30BAA 5 Bytes JMP 01ED0FD4
.text C:\WINDOWS\System32\svchost.exe[1180] WININET.dll!InternetOpenUrlW 42C7AE09 5 Bytes JMP 01ED0025
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 007A0000
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 007A007A
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 007A0F8F
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 007A0FA0
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 007A0069
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 007A0033
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 007A00B2
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 007A0095
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 007A0F34
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 007A00C3
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 007A00F2
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!LoadLibraryW

#9
fenzodahl512

  • Malware Removal
  • 9,863 posts
Hello.. Thanks for the reply.. Please do the following...


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
windows action script

File::
C:\WINDOWS\000001_.tmp
C:\WINDOWS\system32\HFX11C9.tmp
C:\WINDOWS\system32\SETFAA.tmp
C:\WINDOWS\system32\SETFDC.tmp
C:\WINDOWS\system32\SET1B6.tmp
C:\WINDOWS\AppPatch\SET4FC.tmp
C:\WINDOWS\AppPatch\SET4FB.tmp
C:\WINDOWS\AppPatch\SET4FA.tmp
C:\WINDOWS\system32\SET2E6.tmp
C:\WINDOWS\system32\SET33B.tmp
C:\WINDOWS\system32\SET3EF.tmp
C:\WINDOWS\system32\SET1DB.tmp
C:\WINDOWS\system32\SET22E.tmp
C:\WINDOWS\system32\SET199.tmp
C:\WINDOWS\system32\SET2B1.tmp
C:\WINDOWS\system32\SET22B.tmp
C:\WINDOWS\system32\SET289.tmp
C:\WINDOWS\system32\SET3E2.tmp
C:\WINDOWS\system32\SET1B8.tmp
C:\WINDOWS\system32\SET284.tmp
C:\WINDOWS\system32\SET296.tmp
C:\WINDOWS\system32\vtUklMgF.dll
C:\WINDOWS\system32\cbXNGwwt.dll
C:\WINDOWS\system32\purxxgha.dll
C:\WINDOWS\system32\scvhost.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{78ED0603-1147-4185-ADF5-43A82C4511E3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E9E4E7D5-2E98-4FB5-8A5E-1A7FB287171C}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"9080733a"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After the reboot (if it asks to reboot), please post the following reports/logs in your next reply:
  • Combo-Fix.txt
  • A new HijackThis log.



Regards
fenzodahl512

#10
abryenton

    Member

  • Topic Starter
  • Member
  • 20 posts
Hi,

That cleared up a lot of the lagginess; it's still a little laggy when I'm booting up IE or Firefox. I had to do the ComboFix thing in Safe Mode, I hope that was OK, it wouldn't run in Normal Mode.

My Combo Fix log:

ComboFix 08-05-21.3 - Nitro 2008-05-25 19:30:15.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1758 [GMT -3:00]
Running from: C:\Documents and Settings\Nitro\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\Nitro\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\000001_.tmp
C:\WINDOWS\AppPatch\SET4FA.tmp
C:\WINDOWS\AppPatch\SET4FB.tmp
C:\WINDOWS\AppPatch\SET4FC.tmp
C:\WINDOWS\system32\cbXNGwwt.dll
C:\WINDOWS\system32\HFX11C9.tmp
C:\WINDOWS\system32\purxxgha.dll
C:\WINDOWS\system32\scvhost.exe
C:\WINDOWS\system32\SET199.tmp
C:\WINDOWS\system32\SET1B6.tmp
C:\WINDOWS\system32\SET1B8.tmp
C:\WINDOWS\system32\SET1DB.tmp
C:\WINDOWS\system32\SET22B.tmp
C:\WINDOWS\system32\SET22E.tmp
C:\WINDOWS\system32\SET284.tmp
C:\WINDOWS\system32\SET289.tmp
C:\WINDOWS\system32\SET296.tmp
C:\WINDOWS\system32\SET2B1.tmp
C:\WINDOWS\system32\SET2E6.tmp
C:\WINDOWS\system32\SET33B.tmp
C:\WINDOWS\system32\SET3E2.tmp
C:\WINDOWS\system32\SET3EF.tmp
C:\WINDOWS\system32\SETFAA.tmp
C:\WINDOWS\system32\SETFDC.tmp
C:\WINDOWS\system32\vtUklMgF.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Nitro\Application Data\inst.exe
C:\WINDOWS\000001_.tmp
C:\WINDOWS\AppPatch\SET4FA.tmp
C:\WINDOWS\AppPatch\SET4FB.tmp
C:\WINDOWS\AppPatch\SET4FC.tmp
C:\WINDOWS\system32\_006190_.tmp.dll
C:\WINDOWS\system32\_006192_.tmp.dll
C:\WINDOWS\system32\_006201_.tmp.dll
C:\WINDOWS\system32\_006202_.tmp.dll
C:\WINDOWS\system32\_006204_.tmp.dll
C:\WINDOWS\system32\_006205_.tmp.dll
C:\WINDOWS\system32\_006208_.tmp.dll
C:\WINDOWS\system32\_006209_.tmp.dll
C:\WINDOWS\system32\_006212_.tmp.dll
C:\WINDOWS\system32\_006213_.tmp.dll
C:\WINDOWS\system32\_006215_.tmp.dll
C:\WINDOWS\system32\_006218_.tmp.dll
C:\WINDOWS\system32\_006219_.tmp.dll
C:\WINDOWS\system32\_006224_.tmp.dll
C:\WINDOWS\system32\_006226_.tmp.dll
C:\WINDOWS\system32\_006229_.tmp.dll
C:\WINDOWS\system32\_006234_.tmp.dll
C:\WINDOWS\system32\_006235_.tmp.dll
C:\WINDOWS\system32\_006239_.tmp.dll
C:\WINDOWS\system32\_006240_.tmp.dll
C:\WINDOWS\system32\_006241_.tmp.dll
C:\WINDOWS\system32\_006242_.tmp.dll
C:\WINDOWS\system32\_006247_.tmp.dll
C:\WINDOWS\system32\_006249_.tmp.dll
C:\WINDOWS\system32\HFX11C9.tmp
C:\WINDOWS\system32\SET199.tmp
C:\WINDOWS\system32\SET1B6.tmp
C:\WINDOWS\system32\SET1B8.tmp
C:\WINDOWS\system32\SET1DB.tmp
C:\WINDOWS\system32\SET22B.tmp
C:\WINDOWS\system32\SET22E.tmp
C:\WINDOWS\system32\SET284.tmp
C:\WINDOWS\system32\SET289.tmp
C:\WINDOWS\system32\SET296.tmp
C:\WINDOWS\system32\SET2B1.tmp
C:\WINDOWS\system32\SET2E6.tmp
C:\WINDOWS\system32\SET33B.tmp
C:\WINDOWS\system32\SET3E2.tmp
C:\WINDOWS\system32\SET3EF.tmp
C:\WINDOWS\system32\SETFAA.tmp
C:\WINDOWS\system32\SETFDC.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_windows_action_script
-------\Service_windows action script


((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))
.

2008-05-23 01:55 . 2008-05-23 01:55 250 --a------ C:\WINDOWS\gmer.ini
2008-05-21 21:26 . 2008-05-21 21:26 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-21 21:25 . 2008-05-21 21:25 <DIR> d-------- C:\SDfix
2008-05-21 03:04 . 2008-05-21 03:04 <DIR> d-------- C:\Documents and Settings\Nitro\Application Data\TrojanHunter
2008-05-20 23:31 . 2008-05-20 23:32 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-05-19 22:34 . 2008-05-19 22:34 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-19 22:34 . 2008-05-19 22:34 <DIR> d-------- C:\Documents and Settings\Nitro\Application Data\SUPERAntiSpyware.com
2008-05-19 22:34 . 2008-05-19 22:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-19 22:32 . 2008-05-22 22:45 326 --a------ C:\WINDOWS\wininit.ini
2008-05-18 20:21 . 2008-05-18 20:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-18 20:20 . 2008-05-18 20:20 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-18 20:20 . 2008-05-18 20:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-18 16:29 . 2008-05-18 16:29 <DIR> d-------- C:\Program Files\CCleaner
2008-05-18 16:15 . 2004-08-04 00:56 10,752 --a------ C:\WINDOWS\system32\smtpapi.dll
2008-05-18 16:15 . 2004-08-04 00:56 9,728 --a------ C:\WINDOWS\system32\rwnh.dll
2008-05-18 16:02 . 2008-05-18 16:02 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-05-18 16:02 . 2008-05-18 16:02 <DIR> d-------- C:\WINDOWS\system32\en
2008-05-18 16:02 . 2008-05-18 16:05 <DIR> d-------- C:\WINDOWS\system32\bits
2008-05-18 16:02 . 2008-05-18 16:02 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-18 16:00 . 2008-04-14 05:42 1,499,136 --a------ C:\WINDOWS\system32\SET1B7.tmp
2008-05-18 15:59 . 2007-10-26 00:36 8,454,656 --a------ C:\WINDOWS\system32\dllcache\shell32.dll
2008-05-18 15:56 . 2008-05-18 16:04 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-18 01:17 . 2001-08-23 09:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-05-18 01:16 . 2008-05-18 01:16 4 --a------ C:\WINDOWS\system32\hljwugsf.bin
2008-05-18 01:15 . 2008-05-18 01:15 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-18 01:15 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-18 01:15 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-17 00:30 . 2008-05-17 00:30 <DIR> d-------- C:\Deckard
2008-05-17 00:24 . 2008-05-23 18:11 <DIR> d-------- C:\HJT
2008-05-17 00:17 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-05-17 00:16 . 2008-05-17 00:16 <DIR> d-------- C:\Program Files\MSBuild
2008-05-17 00:16 . 2008-05-17 00:16 <DIR> d-------- C:\Program Files\Microsoft Works
2008-05-17 00:15 . 2008-05-17 00:15 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-05-17 00:13 . 2008-05-17 00:13 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-05-17 00:12 . 2008-05-17 00:15 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-05-17 00:12 . 2008-05-17 00:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-17 00:11 . 2008-05-17 00:11 <DIR> dr-h----- C:\MSOCache
2008-05-16 21:24 . 2008-05-17 15:46 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-16 21:24 . 2008-05-16 21:24 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-16 03:57 . 2008-05-16 03:57 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-15 20:53 . 2008-05-15 20:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-15 19:53 . 2008-05-15 19:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers Headquarters
2008-05-15 19:33 . 2008-05-15 19:33 1,160 --a------ C:\WINDOWS\mozver.dat
2008-05-15 15:21 . 2008-05-15 15:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Nero
2008-05-15 15:21 . 2008-05-15 15:21 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-15 01:52 . 2008-05-15 01:52 <DIR> d-------- C:\WINDOWS\Application Data
2008-05-15 00:16 . 2008-05-15 01:03 41,776,360 --a------ C:\WINDOWS\system32\amtmp.wav
2008-05-15 00:16 . 2008-05-15 01:03 326,368 --a------ C:\amt1
2008-05-15 00:14 . 2008-05-15 01:03 521 --a------ C:\WINDOWS\MP3trtg.ini
2008-05-15 00:08 . 2008-05-15 00:12 <DIR> d-------- C:\Program Files\Coding Workshop Ringtone Converter
2008-05-15 00:08 . 2004-02-19 05:11 511,488 --a------ C:\WINDOWS\system32\cwmdtl50a.dll
2008-05-15 00:08 . 1998-10-07 05:53 305,432 --a------ C:\WINDOWS\system32\Threed20.ocx
2008-05-15 00:08 . 2003-06-30 16:39 102,400 --a------ C:\WINDOWS\system32\cwsmaf40.dll
2008-05-12 20:02 . 2008-05-12 20:02 <DIR> d-------- C:\Documents and Settings\Nitro\Application Data\CSOdessa
2008-05-12 20:01 . 2008-05-13 00:46 <DIR> d-------- C:\Program Files\CS Odessa
2008-05-11 15:22 . 2008-05-11 15:22 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2008-05-11 15:22 . 2008-05-11 15:22 <DIR> d-------- C:\Program Files\Common Files\TechSmith Shared
2008-05-11 15:22 . 2008-05-11 15:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TechSmith
2008-05-11 15:22 . 2007-08-27 10:53 107,864 --a------ C:\WINDOWS\system32\tsccvid.dll
2008-05-11 15:21 . 2008-05-11 15:21 <DIR> d-------- C:\Program Files\TechSmith
2008-05-10 21:57 . 2008-05-10 22:54 <DIR> d-------- C:\Program Files\EDraw Max
2008-05-10 20:32 . 2004-03-05 01:13 644,400 --a------ C:\WINDOWS\system32\MSCOMCT2.OCX
2008-05-10 20:29 . 2008-05-10 20:29 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-05-10 19:42 . 2008-05-10 19:42 <DIR> d-------- C:\Program Files\IGC
2008-05-10 18:52 . 2008-05-10 18:52 <DIR> d-------- C:\Documents and Settings\Nitro\Application Data\Apple Computer
2008-05-10 18:50 . 2008-05-10 18:50 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-10 18:50 . 2008-05-10 18:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-10 18:50 . 2008-05-10 18:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-05-10 17:13 . 2008-05-10 17:17 <DIR> d-------- C:\Documents and Settings\Nitro\Application Data\DivX
2008-05-10 17:12 . 2008-05-10 19:47 <DIR> d-------- C:\Program Files\DivX
2008-05-10 17:12 . 2008-01-04 18:58 120,056 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2008-05-10 17:12 . 2008-01-04 18:58 118,520 --a------ C:\WINDOWS\system32\pxinsi64.exe
2008-05-09 00:04 . 2008-05-09 00:04 <DIR> d-------- C:\Program Files\IMSI
2008-05-08 23:58 . 2008-05-09 21:55 <DIR> d-------- C:\Program Files\MagicISO
2008-05-08 20:08 . 2008-05-08 20:08 22,328 --a------ C:\Documents and Settings\Nitro\Application Data\PnkBstrK.sys
2008-05-08 19:50 . 2008-05-08 19:50 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-05-07 19:53 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-05-07 19:53 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2008-05-07 19:53 . 2007-07-19 18:14 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2008-05-06 22:15 . 2008-05-06 22:15 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-01 21:33 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2008-05-01 21:33 . 2007-05-16 16:45 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2008-05-01 21:33 . 2007-05-16 16:45 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2008-05-01 21:33 . 2007-05-31 19:30 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2008-05-01 21:33 . 2007-05-31 19:29 18,280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
2008-05-01 21:32 . 2008-05-01 21:32 319 --a------ C:\WINDOWS\game.ini
2008-05-01 21:22 . 2008-05-01 21:22 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-04-30 23:39 . 2008-04-30 23:45 <DIR> d-------- C:\Documents and Settings\Nitro\Application Data\HP
2008-04-30 23:39 . 2006-04-12 22:04 49,664 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-04-30 23:39 . 2006-04-12 22:04 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-04-30 23:26 . 2008-04-30 23:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-04-30 23:25 . 2008-04-30 23:26 <DIR> d-------- C:\Program Files\Common Files\HP
2008-04-30 23:23 . 2008-04-30 23:23 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-04-30 23:23 . 2008-04-30 23:23 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-04-30 23:18 . 2008-04-30 23:40 117,132 --a------ C:\WINDOWS\hpoins11.dat
2008-04-30 22:44 . 2006-01-04 06:12 77,824 -ra------ C:\WINDOWS\system32\HPZIDS01.dll
2008-04-30 22:44 . 2006-04-10 14:03 38,400 --a------ C:\WINDOWS\system32\hpz3l054.dll
2008-04-30 22:43 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-04-30 22:43 . 2006-03-03 21:03 282,680 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-04-30 22:43 . 2006-03-03 21:02 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-04-30 22:43 . 2006-03-03 21:02 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-04-30 22:43 . 2006-03-03 21:03 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-04-30 22:43 . 2006-03-03 21:03 65,536 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-04-30 22:43 . 2006-03-03 21:02 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-04-30 00:54 . 2008-05-10 19:48 <DIR> d-------- C:\Documents and Settings\Nitro\Application Data\Microsoft Games
2008-04-28 23:51 . 2008-04-28 23:51 <DIR> d-------- C:\Documents and Settings\Nitro\System
2008-04-28 23:51 . 2008-04-29 00:23 <DIR> d-------- C:\Documents and Settings\Nitro\Application Data\SmartDraw
2008-04-28 23:38 . 2008-05-09 21:58 <DIR> d-------- C:\Program Files\SmartDraw 2008
2008-04-28 21:34 . 2007-03-12 16:42 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2008-04-28 21:34 . 2007-03-12 16:42 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2008-04-28 21:34 . 2007-03-15 16:57 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2008-04-28 21:34 . 2007-04-04 18:55 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2008-04-28 21:34 . 2007-01-24 15:27 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2008-04-27 23:23 . 2008-05-10 17:59 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-04-26 19:54 . 2008-04-26 19:54 <DIR> d-------- C:\Program Files\Common Files\Control Panels
2008-04-26 19:51 . 2008-04-26 19:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ALM
2008-04-26 19:44 . 2008-05-10 18:51 <DIR> d-------- C:\Program Files\QuickTime
2008-04-26 19:40 . 2007-02-20 16:04 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2008-04-26 19:40 . 2007-02-20 16:04 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-04-26 19:33 . 2008-04-26 19:33 <DIR> d-------- C:\Program Files\Bonjour
2008-04-26 19:23 . 2008-04-26 19:23 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-04-25 19:42 . 2008-05-25 19:33 51 --a------ C:\WINDOWS\iTouch.ini
2008-04-25 19:40 . 2008-04-25 19:40 <DIR> d-------- C:\Program Files\VID_0E8F&PID_0003
2008-04-25 19:38 . 2008-04-25 19:38 81,920 -r------- C:\WINDOWS\bwUnin-6.1.4.36-8876480L.exe
2008-04-25 19:37 . 2002-11-23 12:15 322,832 --a------ C:\WINDOWS\system32\MFC30.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-25 06:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-23 04:43 --------- d-----w C:\Program Files\SiteAdvisor
2008-05-23 04:24 --------- d-----w C:\Program Files\Google
2008-05-23 04:07 --------- d-----w C:\Documents and Settings\Nitro\Application Data\uTorrent
2008-05-18 04:19 --------- d-----w C:\Program Files\Driver Magician
2008-05-15 22:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-01 02:26 --------- d-----w C:\Program Files\HP
2008-04-29 23:53 --------- d-----w C:\Documents and Settings\Nitro\Application Data\SiteAdvisor
2008-04-28 23:53 --------- d-----w C:\Documents and Settings\Nitro\Application Data\Vso
2008-04-27 17:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-04-26 22:57 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-25 22:38 --------- d-----w C:\Program Files\Logitech
2008-04-25 22:37 --------- d-----w C:\Program Files\Common Files\Logitech
2008-04-24 23:10 --------- d-----w C:\Program Files\Microsoft Plus!
2008-04-24 22:25 --------- d-----w C:\Documents and Settings\Nitro\Application Data\Malwarebytes
2008-04-24 22:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-24 04:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\vsosdk
2008-04-24 03:39 --------- d-----w C:\Program Files\McAfee
2008-04-24 00:27 --------- d-----w C:\Documents and Settings\Nitro\Application Data\Nero
2008-04-24 00:26 --------- d-----w C:\Program Files\Common Files\Nero
2008-04-24 00:24 --------- d-----w C:\Program Files\Nero
2008-04-24 00:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-04-23 22:51 --------- d-----w C:\Program Files\Trend Micro
2008-04-23 22:22 --------- d-----w C:\Documents and Settings\Nitro\Application Data\Winamp
2008-04-23 22:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-23 22:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-04-23 22:19 --------- d-----w C:\Program Files\McAfee.com
2008-04-23 22:19 --------- d-----w C:\Program Files\Common Files\McAfee
2008-04-23 22:17 --------- d-----w C:\Program Files\Winamp
2008-04-23 22:07 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-04-23 22:07 47,360 ----a-w C:\Documents and Settings\Nitro\Application Data\pcouffin.sys
2008-04-23 22:07 --------- d-----w C:\Program Files\VSO
2008-04-23 21:49 --------- d-----w C:\Program Files\PowerISO
2008-04-23 21:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-04-23 04:47 --------- d-----w C:\Program Files\GlobalSCAPE
2008-04-23 04:47 --------- d-----w C:\Documents and Settings\Nitro\Application Data\GlobalSCAPE
2008-04-23 04:00 --------- d-----w C:\Program Files\CONEXANT
2008-04-23 03:55 --------- d-----w C:\Program Files\WinTV
2008-04-23 02:47 --------- d-----w C:\Program Files\DIFX
2008-04-23 02:42 --------- d-----w C:\Program Files\NVIDIA Corporation
2008-04-23 01:53 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-23 01:05 --------- d-----w C:\Documents and Settings\Nitro\Application Data\InstallShield
2008-04-22 23:25 --------- d-----w C:\Program Files\uTorrent
2008-04-22 22:27 --------- d-----w C:\Program Files\XPC Tools
2008-04-22 21:43 --------- d-----w C:\Program Files\Realtek
2008-04-22 21:11 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-04-22 08:58 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-14 08:41 95,744 ----a-w C:\WINDOWS\system32\SET597.tmp
2008-03-26 21:37 4,713,472 ----a-w C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-03-26 19:14 16,859,136 ----a-w C:\WINDOWS\RTHDCPL.exe
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-05 21:07 520,192 ----a-w C:\WINDOWS\RtlExUpd.dll
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-23_ 1.37.00.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-23 04:31:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-25 22:33:23 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-23 04:54:59 819,200 ----a-w C:\WINDOWS\gmer.dll
+ 2008-03-03 23:29:06 761,856 ----a-w C:\WINDOWS\gmer.exe
- 2008-05-23 04:09:07 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-25 20:29:38 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-05-23 04:09:07 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-25 20:29:38 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-23 04:54:59 86,097 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-22 18:15 68856]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2007-12-13 19:10 1688872]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-13 12:43 1510640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-03-26 16:14 16859136 C:\WINDOWS\RTHDCPL.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 09:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-04-09 09:23 200704]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-03-27 03:35 36352]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-08-24 18:57 36640]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 14:21 2213160]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2002-11-23 02:15 631362]
"Acrobat Assistant 8.0"="M:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 23:24 620152]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 16:40 1884160]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [2008-03-25 19:08 1047712]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2008-04-26 19:44:04 295606]
Adobe Acrobat Synchronizer.lnk - M:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2008-04-25 19:38:39 169472]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 13:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-04-22 18:15 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R2 MBAMDrvService;MBAMDrvService;C:\WINDOWS\system32\drivers\mbam.sys [2008-05-05 20:46]
R2 mbamservice;MBAMService;"C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [2008-05-05 20:46]
R3 hcw18bda;Hauppauge WinTV 418 Driver;C:\WINDOWS\system32\drivers\hcw18bda.sys [2007-04-18 16:30]
R3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2003-12-17 09:50]

*Newly Created Service* - mbamdrvservice
.
Contents of the 'Scheduled Tasks' folder
"2008-05-15 04:07:21 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-05-01 04:17:02 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 19:33:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE
-> C:\Program Files\SiteAdvisor\6261\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamtrayctrl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-05-25 19:38:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-25 22:37:49
ComboFix2.txt 2008-05-23 04:37:55

Pre-Run: 26,556,510,208 bytes free
Post-Run: 26,526,998,528 bytes free

425 --- E O F --- 2008-04-23 21:52:47




A fresh HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:01:25 PM, on 5/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
M:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamtrayctrl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.forceunleashed.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - M:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "M:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = M:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: Append to existing PDF - res://M:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://M:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://M:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://M:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://M:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://M:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://M:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://M:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MBAMService (mbamservice) - Malwarebytes - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe

--
End of file - 10567 bytes


#11
fenzodahl512
  • Malware Removal
  • 9,863 posts
Hello Aaron, thanks for the reply.. Please do the following..

Please show hidden files and folders. Please visit HERE if you don't know how.

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
    C:\WINDOWS\system32\hljwugsf.bin
  • Click on the submit button
  • Please repeat the step with this file:
    C:\WINDOWS\bwUnin-6.1.4.36-8876480L.exe
  • Please post the results in your next reply.
If the Jotti server is too busy, please submit the file to VirusTotal instead.




NEXT


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\SET1B7.tmp
C:\WINDOWS\system32\SET597.tmp

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the ComboFix log in your next reply..




NEXT


I noticed that you already have MalwareBytes' Anti-Malware. Please update and run it and do the following..
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.





NEXT


I also noticed that you already have GMER. Please double-click it and do the following..
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run, click Copy and paste the results (if any) into this thread.



Please post the following in your next reply.. These logs will not fit in a single post. Please post each log in a separate post.

1. ComboFix log
2. MalwareBytes' log
3. GMER log
4. A fresh HijackThis log (after GMER step)

Regards
fenzodahl512
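As an added example (not a tool from this thread, from ComboFix or from the helper), a small Python triage script that parses "Files Created" lines in the ComboFix report format posted above and scores entries under system32 with the kind of cues a helper applies by eye: a random-looking eight-letter name such as hljwugsf.bin, a .tmp extension, matching created and modified timestamps, and a tiny size. The weights, the threshold and the sample lines (copied from the log in this thread) are this example's assumptions; it ends by formatting the candidates as the File:: block that the CFScript step above uses.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed test input: a handful of lines copied from the ComboFix
# "Files Created" section posted in this thread (not the full log).
SAMPLE_LOG = r"""
2008-05-26 21:13 . 2008-05-26 21:13 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-05-18 16:15 . 2004-08-04 00:56 9,728 --a------ C:\WINDOWS\system32\rwnh.dll
2008-05-18 16:00 . 2008-04-14 05:42 727,040 --a------ C:\WINDOWS\system32\SET15A.tmp
2008-05-18 01:16 . 2008-05-18 01:16 4 --a------ C:\WINDOWS\system32\hljwugsf.bin
2008-05-18 01:15 . 2008-05-18 01:15 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-18 01:15 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
"""

# One report line: "<created> . <modified> <size or <DIR>> <attributes> <path>"
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>\S+) (?P<path>.+)$"
)

SYSTEM32 = "c:\\windows\\system32\\"


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]  # None for a <DIR> line
    attrs: str
    path: str


def parse_files_created(text: str) -> List[Entry]:
    """Parse the 'Files Created' lines of a ComboFix report; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def looks_random(basename: str) -> bool:
    """Assumed heuristic: a stem of 8+ lowercase letters with at most 25% vowels
    (the 'hljwugsf' shape) rather than a pronounceable product name."""
    stem = basename.rsplit(".", 1)[0]
    if len(stem) < 8 or not stem.isalpha() or not stem.islower():
        return False
    vowels = sum(ch in "aeiou" for ch in stem)
    return vowels / len(stem) <= 0.25


def score(entry: Entry) -> int:
    """Score one entry. Only files under system32 (or its subfolders) are
    considered; the weights are this example's assumptions, not ComboFix logic."""
    if entry.size is None or not entry.path.lower().startswith(SYSTEM32):
        return 0
    basename = entry.path.rsplit("\\", 1)[-1]
    points = 0
    if looks_random(basename):
        points += 3
    if basename.lower().endswith(".tmp"):
        points += 3  # the SETxxx.tmp leftovers the CFScript above targets
    if entry.created == entry.modified:
        points += 1  # written fresh on this machine, not copied in by an installer
    if entry.size < 64:
        points += 1  # tiny stub such as the 4-byte hljwugsf.bin
    return points


def triage(text: str, threshold: int = 3) -> List[Entry]:
    """Return entries at or above the threshold, in report order."""
    return [e for e in parse_files_created(text) if score(e) >= threshold]


def to_cfscript(entries: List[Entry]) -> str:
    """Format candidates as the File:: block used in the CFScript step above."""
    return "File::\n" + "".join(e.path + "\n" for e in entries)


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{score(e)}  {e.size:>7}  {e.path}")
    print(to_cfscript(triage(SAMPLE_LOG)))
```

The output is a candidate list for a person to confirm with the Jotti/VirusTotal step above, not a list to delete blind: legitimate files such as d3d9caps.dat already score 1 on the timestamp cue alone.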

#12
abryenton
  • Topic Starter
  • Member
  • 20 posts
It's weird.. I'm still getting that weird Data Execution thing from Microsoft.

Both those files came back clean, I did them on both sites.

Here's my ComboFix:

ComboFix 08-05-21.3 - Nitro 2008-05-27 1:24:45.3 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1746 [GMT -3:00]
Running from: C:\Documents and Settings\Nitro\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\Nitro\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\SET1B7.tmp
C:\WINDOWS\system32\SET597.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\SET1B7.tmp
C:\WINDOWS\system32\SET597.tmp

.
((((((((((((((((((((((((( Files Created from 2008-04-27 to 2008-05-27 )))))))))))))))))))))))))))))))
.

2008-05-26 21:13 . 2008-05-26 21:13 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-05-26 21:11 . 2008-05-26 21:11 268 --ah----- C:\sqmdata00.sqm
2008-05-26 21:11 . 2008-05-26 21:11 244 --ah----- C:\sqmnoopt00.sqm
2008-05-23 01:55 . 2008-05-23 01:55 250 --a------ C:\WINDOWS\gmer.ini
2008-05-21 21:26 . 2008-05-21 21:26 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-21 21:25 . 2008-05-21 21:25 <DIR> d-------- C:\SDfix
2008-05-21 03:04 . 2008-05-21 03:04 <DIR> d-------- C:\Documents and Settings\Nitro\Application Data\TrojanHunter
2008-05-20 23:31 . 2008-05-20 23:32 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-05-19 22:34 . 2008-05-19 22:34 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-19 22:34 . 2008-05-19 22:34 <DIR> d-------- C:\Documents and Settings\Nitro\Application Data\SUPERAntiSpyware.com
2008-05-19 22:34 . 2008-05-19 22:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-19 22:32 . 2008-05-22 22:45 326 --a------ C:\WINDOWS\wininit.ini
2008-05-18 20:21 . 2008-05-18 20:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-18 20:20 . 2008-05-18 20:20 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-18 20:20 . 2008-05-18 20:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-18 16:29 . 2008-05-18 16:29 <DIR> d-------- C:\Program Files\CCleaner
2008-05-18 16:15 . 2004-08-04 00:56 10,752 --a------ C:\WINDOWS\system32\smtpapi.dll
2008-05-18 16:15 . 2004-08-04 00:56 9,728 --a------ C:\WINDOWS\system32\rwnh.dll
2008-05-18 16:02 . 2008-05-18 16:02 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-05-18 16:02 . 2008-05-18 16:02 <DIR> d-------- C:\WINDOWS\system32\en
2008-05-18 16:02 . 2008-05-18 16:05 <DIR> d-------- C:\WINDOWS\system32\bits
2008-05-18 16:02 . 2008-05-18 16:02 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-18 16:00 . 2008-04-14 05:42 727,040 --a------ C:\WINDOWS\system32\SET15A.tmp
2008-05-18 15:59 . 2007-10-26 00:36 8,454,656 --a------ C:\WINDOWS\system32\dllcache\shell32.dll
2008-05-18 15:56 . 2008-05-18 16:04 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-18 01:17 . 2001-08-23 09:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-05-18 01:16 . 2008-05-18 01:16 4 --a------ C:\WINDOWS\system32\hljwugsf.bin
2008-05-18 01:15 . 2008-05-18 01:15 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-18 01:15 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-18 01:15 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-17 00:30 . 2008-05-17 00:30 <DIR> d-------- C:\Deckard
2008-05-17 00:24 . 2008-05-25 20:01 <DIR> d-------- C:\HJT
2008-05-17 00:17 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-05-17 00:16 . 2008-05-17 00:16 <DIR> d-------- C:\Program Files\MSBuild
2008-05-17 00:16 . 2008-05-17 00:16 <DIR> d-------- C:\Program Files\Microsoft Works
2008-05-17 00:15 . 2008-05-17 00:15 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-05-17 00:13 . 2008-05-17 00:13 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-05-17 00:12 . 2008-05-17 00:15 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-05-17 00:12 . 2008-05-17 00:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-17 00:11 . 2008-05-17 00:11 <DIR> dr-h----- C:\MSOCache
2008-05-16 21:24 . 2008-05-17 15:46 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-16 21:24 . 2008-05-16 21:24 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-16 03:57 . 2008-05-16 03:57 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-15 20:53 . 2008-05-15 20:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-15 19:53 . 2008-05-15 19:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers Headquarters
2008-05-15 19:33 . 2008-05-15 19:33 1,160 --a------ C:\WINDOWS\mozver.dat
2008-05-15 15:21 . 2008-05-15 15:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Nero
2008-05-15 15:21 . 2008-05-15 15:21 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-15 01:52 . 2008-05-15 01:52 <DIR> d-------- C:\WINDOWS\Application Data
2008-05-15 00:16 . 2008-05-15 01:03 41,776,360 --a------ C:\WINDOWS\system32\amtmp.wav
2008-05-15 00:16 . 2008-05-15 01:03 326,368 --a------ C:\amt1
2008-05-15 00:14 . 2008-05-15 01:03 521 --a------ C:\WINDOWS\MP3trtg.ini
2008-05-15 00:08 . 2008-05-15 00:12 <DIR> d-------- C:\Program Files\Coding Workshop Ringtone Converter
2008-05-15 00:08 . 2004-02-19 05:11 511,488 --a------ C:\WINDOWS\system32\cwmdtl50a.dll
2008-05-15 00:08 . 1998-10-07 05:53 305,432 --a------ C:\WINDOWS\system32\Threed20.ocx
2008-05-15 00:08 . 2003-06-30 16:39 102,400 --a------ C:\WINDOWS\system32\cwsmaf40.dll
2008-05-12 20:02 . 2008-05-12 20:02 <DIR> d-------- C:\Documents and Settings\Nitro\Application Data\CSOdessa
2008-05-12 20:01 . 2008-05-13 00:46 <DIR> d-------- C:\Program Files\CS Odessa
2008-05-11 15:22 . 2008-05-11 15:22 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2008-05-11 15:22 . 2008-05-11 15:22 <DIR> d-------- C:\Program Files\Common Files\TechSmith Shared
2008-05-11 15:22 . 2008-05-11 15:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TechSmith
2008-05-11 15:22 . 2007-08-27 10:53 107,864 --a------ C:\WINDOWS\system32\tsccvid.dll
2008-05-11 15:21 . 2008-05-11 15:21 <DIR> d-------- C:\Program Files\TechSmith
2008-05-10 21:57 . 2008-05-10 22:54 <DIR> d-------- C:\Program Files\EDraw Max
2008-05-10 20:32 . 2004-03-05 01:13 644,400 --a------ C:\WINDOWS\system32\MSCOMCT2.OCX
2008-05-10 20:29 . 2008-05-10 20:29 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-05-10 19:42 . 2008-05-10 19:42 <DIR> d-------- C:\Program Files\IGC
2008-05-10 18:52 . 2008-05-10 18:52 <DIR> d-------- C:\Documents and Settings\Nitro\Application Data\Apple Computer
2008-05-10 18:50 . 2008-05-10 18:50 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-10 18:50 . 2008-05-10 18:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-10 18:50 . 2008-05-10 18:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-05-10 17:13 . 2008-05-10 17:17 <DIR> d-------- C:\Documents and Settings\Nitro\Application Data\DivX
2008-05-10 17:12 . 2008-05-10 19:47 <DIR> d-------- C:\Program Files\DivX
2008-05-10 17:12 . 2008-01-04 18:58 120,056 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2008-05-10 17:12 . 2008-01-04 18:58 118,520 --a------ C:\WINDOWS\system32\pxinsi64.exe
2008-05-09 00:04 . 2008-05-09 00:04 <DIR> d-------- C:\Program Files\IMSI
2008-05-08 23:58 . 2008-05-09 21:55 <DIR> d-------- C:\Program Files\MagicISO
2008-05-08 20:08 . 2008-05-08 20:08 22,328 --a------ C:\Documents and Settings\Nitro\Application Data\PnkBstrK.sys
2008-05-08 19:50 . 2008-05-08 19:50 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-05-07 19:53 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-05-07 19:53 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2008-05-07 19:53 . 2007-07-19 18:14 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2008-05-06 22:15 . 2008-05-06 22:15 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-01 21:33 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2008-05-01 21:33 . 2007-05-16 16:45 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2008-05-01 21:33 . 2007-05-16 16:45 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2008-05-01 21:33 . 2007-05-31 19:30 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2008-05-01 21:33 . 2007-05-31 19:29 18,280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
2008-05-01 21:32 . 2008-05-01 21:32 319 --a------ C:\WINDOWS\game.ini
2008-05-01 21:22 . 2008-05-01 21:22 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-04-30 23:39 . 2008-04-30 23:45 <DIR> d-------- C:\Documents and Settings\Nitro\Application Data\HP
2008-04-30 23:39 . 2006-04-12 22:04 49,664 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-04-30 23:39 . 2006-04-12 22:04 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-04-30 23:26 . 2008-04-30 23:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-04-30 23:25 . 2008-04-30 23:26 <DIR> d-------- C:\Program Files\Common Files\HP
2008-04-30 23:23 . 2008-04-30 23:23 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-04-30 23:23 . 2008-04-30 23:23 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-04-30 23:18 . 2008-04-30 23:40 117,132 --a------ C:\WINDOWS\hpoins11.dat
2008-04-30 22:44 . 2006-01-04 06:12 77,824 -ra------ C:\WINDOWS\system32\HPZIDS01.dll
2008-04-30 22:44 . 2006-04-10 14:03 38,400 --a------ C:\WINDOWS\system32\hpz3l054.dll
2008-04-30 22:43 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-04-30 22:43 . 2006-03-03 21:03 282,680 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-04-30 22:43 . 2006-03-03 21:02 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-04-30 22:43 . 2006-03-03 21:02 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-04-30 22:43 . 2006-03-03 21:03 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-04-30 22:43 . 2006-03-03 21:03 65,536 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-04-30 22:43 . 2006-03-03 21:02 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-04-30 00:54 . 2008-05-10 19:48 <DIR> d-------- C:\Documents and Settings\Nitro\Application Data\Microsoft Games
2008-04-28 23:51 . 2008-04-28 23:51 <DIR> d-------- C:\Documents and Settings\Nitro\System
2008-04-28 23:51 . 2008-04-29 00:23 <DIR> d-------- C:\Documents and Settings\Nitro\Application Data\SmartDraw
2008-04-28 23:38 . 2008-05-09 21:58 <DIR> d-------- C:\Program Files\SmartDraw 2008
2008-04-28 21:34 . 2007-03-12 16:42 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2008-04-28 21:34 . 2007-03-12 16:42 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2008-04-28 21:34 . 2007-03-15 16:57 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2008-04-28 21:34 . 2007-04-04 18:55 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2008-04-28 21:34 . 2007-01-24 15:27 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2008-04-27 23:23 . 2008-05-26 21:06 69 --a------ C:\WINDOWS\NeroDigital.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-27 04:24 --------- d-----w C:\Documents and Settings\Nitro\Application Data\Vso
2008-05-27 00:11 --------- d-----w C:\Documents and Settings\Nitro\Application Data\uTorrent
2008-05-26 15:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-23 04:43 --------- d-----w C:\Program Files\SiteAdvisor
2008-05-23 04:24 --------- d-----w C:\Program Files\Google
2008-05-18 04:19 --------- d-----w C:\Program Files\Driver Magician
2008-05-15 22:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-10 21:51 --------- d-----w C:\Program Files\QuickTime
2008-05-01 02:26 --------- d-----w C:\Program Files\HP
2008-04-29 23:53 --------- d-----w C:\Documents and Settings\Nitro\Application Data\SiteAdvisor
2008-04-27 17:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-04-26 22:57 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-26 22:54 --------- d-----w C:\Program Files\Common Files\Control Panels
2008-04-26 22:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\ALM
2008-04-26 22:33 --------- d-----w C:\Program Files\Bonjour
2008-04-26 22:23 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-04-25 22:40 --------- d-----w C:\Program Files\VID_0E8F&PID_0003
2008-04-25 22:38 81,920 ------r C:\WINDOWS\bwUnin-6.1.4.36-8876480L.exe
2008-04-25 22:38 --------- d-----w C:\Program Files\Logitech
2008-04-25 22:37 --------- d-----w C:\Program Files\Common Files\Logitech
2008-04-25 21:43 --------- d-----w C:\Program Files\Notepad++
2008-04-25 21:43 --------- d-----w C:\Documents and Settings\Nitro\Application Data\Notepad++
2008-04-25 21:00 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-25 21:00 --------- d-----w C:\Program Files\Windows Live
2008-04-25 20:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-24 23:10 --------- d-----w C:\Program Files\Microsoft Plus!
2008-04-24 22:25 --------- d-----w C:\Documents and Settings\Nitro\Application Data\Malwarebytes
2008-04-24 22:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-24 04:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\vsosdk
2008-04-24 03:39 --------- d-----w C:\Program Files\McAfee
2008-04-24 00:27 --------- d-----w C:\Documents and Settings\Nitro\Application Data\Nero
2008-04-24 00:26 --------- d-----w C:\Program Files\Common Files\Nero
2008-04-24 00:24 --------- d-----w C:\Program Files\Nero
2008-04-24 00:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-04-23 22:51 --------- d-----w C:\Program Files\Trend Micro
2008-04-23 22:22 --------- d-----w C:\Documents and Settings\Nitro\Application Data\Winamp
2008-04-23 22:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-23 22:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-04-23 22:19 --------- d-----w C:\Program Files\McAfee.com
2008-04-23 22:19 --------- d-----w C:\Program Files\Common Files\McAfee
2008-04-23 22:17 --------- d-----w C:\Program Files\Winamp
2008-04-23 22:07 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-04-23 22:07 47,360 ----a-w C:\Documents and Settings\Nitro\Application Data\pcouffin.sys
2008-04-23 22:07 --------- d-----w C:\Program Files\VSO
2008-04-23 21:49 --------- d-----w C:\Program Files\PowerISO
2008-04-23 21:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-04-23 04:47 --------- d-----w C:\Program Files\GlobalSCAPE
2008-04-23 04:47 --------- d-----w C:\Documents and Settings\Nitro\Application Data\GlobalSCAPE
2008-04-23 04:00 --------- d-----w C:\Program Files\CONEXANT
2008-04-23 03:55 --------- d-----w C:\Program Files\WinTV
2008-04-23 02:47 --------- d-----w C:\Program Files\DIFX
2008-04-23 02:42 --------- d-----w C:\Program Files\NVIDIA Corporation
2008-04-23 01:53 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-23 01:05 --------- d-----w C:\Documents and Settings\Nitro\Application Data\InstallShield
2008-04-22 23:25 --------- d-----w C:\Program Files\uTorrent
2008-04-22 22:27 --------- d-----w C:\Program Files\XPC Tools
2008-04-22 21:43 --------- d-----w C:\Program Files\Realtek
2008-04-22 21:11 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-04-22 08:58 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-14 08:41 94,720 ----a-w C:\WINDOWS\system32\SET30C.tmp
2008-03-26 19:14 16,859,136 ----a-w C:\WINDOWS\RTHDCPL.exe
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-05 21:07 520,192 ----a-w C:\WINDOWS\RtlExUpd.dll
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-23_ 1.37.00.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-23 04:31:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-27 04:27:53 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-23 04:54:59 819,200 ----a-w C:\WINDOWS\gmer.dll
+ 2008-03-03 23:29:06 761,856 ----a-w C:\WINDOWS\gmer.exe
- 2008-05-23 04:09:07 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-26 23:34:55 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-05-23 04:09:07 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-26 23:34:55 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-23 04:54:59 86,097 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-22 18:15 68856]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2007-12-13 19:10 1688872]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-13 12:43 1510640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-03-26 16:14 16859136 C:\WINDOWS\RTHDCPL.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 09:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-04-09 09:23 200704]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-03-27 03:35 36352]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-08-24 18:57 36640]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 14:21 2213160]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2002-11-23 02:15 631362]
"Acrobat Assistant 8.0"="M:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 23:24 620152]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 16:40 1884160]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [2008-03-25 19:08 1047712]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2008-04-26 19:44:04 295606]
Adobe Acrobat Synchronizer.lnk - M:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2008-04-25 19:38:39 169472]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 13:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-04-22 18:15 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R2 MBAMDrvService;MBAMDrvService;C:\WINDOWS\system32\drivers\mbam.sys [2008-05-05 20:46]
R2 mbamservice;MBAMService;"C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [2008-05-05 20:46]
R3 hcw18bda;Hauppauge WinTV 418 Driver;C:\WINDOWS\system32\drivers\hcw18bda.sys [2007-04-18 16:30]
R3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2003-12-17 09:50]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-15 04:07:21 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-05-01 04:17:02 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-27 01:28:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamtrayctrl.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-05-27 1:32:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-27 04:32:25
ComboFix2.txt 2008-05-25 22:38:19
ComboFix3.txt 2008-05-23 04:37:55

Pre-Run: 28,127,490,048 bytes free
Post-Run: 28,112,056,320 bytes free

353 --- E O F --- 2008-04-23 21:52:47


Malwarebytes Log:

Malwarebytes' Anti-Malware 1.12
Database version: 785

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|K:\|L:\|M:\|N:\|P:\|Q:\|)
Objects scanned: 247974
Time elapsed: 1 hour(s), 27 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\wwtdaduo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3AE34D90-0539-47CD-A219-BCD6A54BCC8B}\RP12\A0023061.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3AE34D90-0539-47CD-A219-BCD6A54BCC8B}\RP13\A0024189.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3AE34D90-0539-47CD-A219-BCD6A54BCC8B}\RP13\A0024191.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3AE34D90-0539-47CD-A219-BCD6A54BCC8B}\RP13\A0024222.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Edited by abryenton, 29 May 2008 - 03:51 PM.

#13
abryenton

    Member

  • Topic Starter
  • 20 posts
GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-05-29 19:05:55
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \??\C:\WINDOWS\system32\drivers\mbam.sys ZwCreateSection [0xB13E4700]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB2095F20]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB1FDA9AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB1FDA958]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB1FDA96C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB1FDA9EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB1FDA930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB1FDA944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB1FDA9BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB1FDA996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB1FDA982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB1FDAA19]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB1FDAA00]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB1FDA9D4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwYieldExecution 80503FC8 7 Bytes JMP B1FDA9D8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[440] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 0130F6E0 C:\Program Files\SiteAdvisor\6261\saPlugin.dll
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[440] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 5 Bytes JMP 0056DBBD C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe (Windows Live Messenger/Microsoft Corporation)
.text C:\WINDOWS\system32\services.exe[808] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\services.exe[808] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0004005D
.text C:\WINDOWS\system32\services.exe[808] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00040F68
.text C:\WINDOWS\system32\services.exe[808] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00040042
.text C:\WINDOWS\system32\services.exe[808] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00040F79
.text C:\WINDOWS\system32\services.exe[808] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00040025
.text C:\WINDOWS\system32\services.exe[808] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00040F3C
.text C:\WINDOWS\system32\services.exe[808] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00040084
.text C:\WINDOWS\system32\services.exe[808] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00040EFC
.text C:\WINDOWS\system32\services.exe[808] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 0004009F
.text C:\WINDOWS\system32\services.exe[808] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00040EEB
.text C:\WINDOWS\system32\services.exe[808] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00040F9E
.text C:\WINDOWS\system32\services.exe[808] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 0004000A
.text C:\WINDOWS\system32\services.exe[808] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00040F4D
.text C:\WINDOWS\system32\services.exe[808] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00040FB9
.text C:\WINDOWS\system32\services.exe[808] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00040FD4
.text C:\WINDOWS\system32\services.exe[808] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00040F21
.text C:\WINDOWS\system32\services.exe[808] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00070014
.text C:\WINDOWS\system32\services.exe[808] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 0007004A
.text C:\WINDOWS\system32\services.exe[808] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00070FB9
.text C:\WINDOWS\system32\services.exe[808] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[808] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 0007002F
.text C:\WINDOWS\system32\services.exe[808] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00070F97
.text C:\WINDOWS\system32\services.exe[808] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[808] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00070FA8
.text C:\WINDOWS\system32\services.exe[808] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\lsass.exe[832] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00C00FE5
.text C:\WINDOWS\system32\lsass.exe[832] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00C00F52
.text C:\WINDOWS\system32\lsass.exe[832] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00C00F6D
.text C:\WINDOWS\system32\lsass.exe[832] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00C00047
.text C:\WINDOWS\system32\lsass.exe[832] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00C00F8A
.text C:\WINDOWS\system32\lsass.exe[832] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00C00025
.text C:\WINDOWS\system32\lsass.exe[832] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00C00F15
.text C:\WINDOWS\system32\lsass.exe[832] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00C00F26
.text C:\WINDOWS\system32\lsass.exe[832] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00C00F04
.text C:\WINDOWS\system32\lsass.exe[832] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00C0009D
.text C:\WINDOWS\system32\lsass.exe[832] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00C00EF3
.text C:\WINDOWS\system32\lsass.exe[832] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00C00036
.text C:\WINDOWS\system32\lsass.exe[832] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00C00FD4
.text C:\WINDOWS\system32\lsass.exe[832] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00C00F37
.text C:\WINDOWS\system32\lsass.exe[832] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00C00FB9
.text C:\WINDOWS\system32\lsass.exe[832] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00C0000A
.text C:\WINDOWS\system32\lsass.exe[832] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00C00078
.text C:\WINDOWS\system32\lsass.exe[832] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00E20FCA
.text C:\WINDOWS\system32\lsass.exe[832] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00E20FA5
.text C:\WINDOWS\system32\lsass.exe[832] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00E2001B
.text C:\WINDOWS\system32\lsass.exe[832] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00E2000A
.text C:\WINDOWS\system32\lsass.exe[832] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00E20062
.text C:\WINDOWS\system32\lsass.exe[832] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00E20051
.text C:\WINDOWS\system32\lsass.exe[832] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00E20FEF
.text C:\WINDOWS\system32\lsass.exe[832] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00E20036
.text C:\WINDOWS\system32\lsass.exe[832] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00CD0FE5
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00CC0FE5
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00CC0F53
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00CC0F64
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00CC003E
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00CC0F75
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00CC0F97
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00CC0F25
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00CC0F42
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00CC0088
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00CC0EF9
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00CC0099
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00CC0F86
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00CC0FCA
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00CC0063
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00CC0FA8
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00CC0FB9
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00CC0F0A
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00CF001E
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00CF0F72
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00CF0FC3
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00CF0FD4
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00CF0F97
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00CF0FB2
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00CF0FEF
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00CF0039
.text C:\WINDOWS\system32\svchost.exe[988] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00CD0FE5
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00BA0000
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00BA0FA5
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00BA00A4
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00BA0087
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00BA0FD4
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00BA0076
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00BA00EB
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00BA00D0
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00BA0121
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00BA0F7E
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00BA0F6D
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00BA001B
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00BA00BF
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00BA005B
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00BA0036
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00BA00FC
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00BD0051
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00BD0098
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00BD0036
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00BD001B
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00BD0087
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00BD006C
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00BD0FE5
.text C:\WINDOWS\system32\svchost.exe[1044] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00BB0000
.text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 012B0FEF
.text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 012B0F7A
.text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 012B0F95
.text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 012B006F
.text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 012B0054
.text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 012B0FBC
.text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 012B0094
.text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 012B0F4E
.text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 012B00CA
.text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 012B00B9
.text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 012B0F0C
.text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 012B0043
.text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 012B0FDE
.text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 012B0F69
.text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 012B0028
.text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 012B0FCD
.text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 012B0F31
.text C:\WINDOWS\System32\svchost.exe[1140] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 0247003D
.text C:\WINDOWS\System32\svchost.exe[1140] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 02470F9B
.text C:\WINDOWS\System32\svchost.exe[1140] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 02470022
.text C:\WINDOWS\System32\svchost.exe[1140] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 02470011
.text C:\WINDOWS\System32\svchost.exe[1140] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 02470FAC
.text C:\WINDOWS\System32\svchost.exe[1140] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 02470058
.text C:\WINDOWS\System32\svchost.exe[1140] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 02470000
.text C:\WINDOWS\System32\svchost.exe[1140] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 02470FC7
.text C:\WINDOWS\System32\svchost.exe[1140] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 02450FEF
.text C:\WINDOWS\System32\svchost.exe[1140] WININET.dll!InternetOpenA 42C2C851 5 Bytes JMP 012C000A
.text C:\WINDOWS\System32\svchost.exe[1140] WININET.dll!InternetOpenW 42C2CE81 5 Bytes JMP 012C0FE5
.text C:\WINDOWS\System32\svchost.exe[1140] WININET.dll!InternetOpenUrlA 42C30BAA 5 Bytes JMP 012C0025
.text C:\WINDOWS\System32\svchost.exe[1140] WININET.dll!InternetOpenUrlW 42C7AE09 5 Bytes JMP 012C0036
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00800FE5
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00800053
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00800042
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00800F68
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00800025
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00800F94
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 0080009C
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0080007F
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00800F2F
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008000C8
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 008000D9
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00800F79
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00800FD4
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 0080006E
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00800000
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00800FAF
.text C:\WINDOWS\System32\svchost.exe[1244] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 008000AD
.text C:\WINDOWS\System32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00830FE5
.text C:\WINDOWS\System32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00830076
.text C:\WINDOWS\System32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 0083002C
.text C:\WINDOWS\System32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 0083001B
.text C:\WINDOWS\System32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00830FB9
.text C:\WINDOWS\System32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00830FCA
.text C:\WINDOWS\System32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00830000
.text C:\WINDOWS\System32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00830051
.text C:\WINDOWS\System32\svchost.exe[1244] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00810000
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 006F0000
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 006F0087
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 006F0076
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 006F0065
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 006F0054
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 006F0FC3
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 006F0F5C
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 006F0098
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 006F00DA
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 006F00BF
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 006F00FF
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 006F0FB2
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 006F001B
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 006F0F77
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 006F0FD4
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 006F0FE5
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 006F0F41
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00980FB2
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00980F8D
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00980FCD
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00980FDE
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00980040
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 0098002F
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00980FEF
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00980014
.text C:\WINDOWS\system32\svchost.exe[1340] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00710FE5
.text C:\WINDOWS\system32\svchost.exe[1340] WININET.dll!InternetOpenA 42C2C851 5 Bytes JMP 0070000A
.text C:\WINDOWS\system32\svchost.exe[1340] WININET.dll!InternetOpenW 42C2CE81 5 Bytes JMP 0070001B
.text C:\WINDOWS\system32\svchost.exe[1340] WININET.dll!InternetOpenUrlA 42C30BAA 5 Bytes JMP 00700036
.text C:\WINDOWS\system32\svchost.exe[1340] WININET.dll!InternetOpenUrlW 42C7AE09 5 Bytes JMP 00700FEF
.text C:\WINDOWS\system32\wuauclt.exe[1476] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001B0FE5
.text C:\WINDOWS\system32\wuauclt.exe[1476] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001B0F52
.text C:\WINDOWS\system32\wuauclt.exe[1476] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001B0F6D
.text C:\WINDOWS\system32\wuauclt.exe[1476] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001B0047
.text C:\WINDOWS\system32\wuauclt.exe[1476] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001B0036
.text C:\WINDOWS\system32\wuauclt.exe[1476] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001B0FAF
.text C:\WINDOWS\system32\wuauclt.exe[1476] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001B0F15
.text C:\WINDOWS\system32\wuauclt.exe[1476] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001B0F26
.text C:\WINDOWS\system32\wuauclt.exe[1476] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001B0EE6
.text C:\WINDOWS\system32\wuauclt.exe[1476] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001B007F
.text C:\WINDOWS\system32\wuauclt.exe[1476] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 001B0ECB
.text C:\WINDOWS\system32\wuauclt.exe[1476] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 001B0F9E
.text C:\WINDOWS\system32\wuauclt.exe[1476] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 001B0000
.text C:\WINDOWS\system32\wuauclt.exe[1476] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 001B0F41
.text C:\WINDOWS\system32\wuauclt.exe[1476] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 001B0025
.text C:\WINDOWS\system32\wuauclt.exe[1476] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 001B0FD4
.text C:\WINDOWS\system32\wuauclt.exe[1476] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 001B006E
.text C:\WINDOWS\system32\wuauclt.exe[1476] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 002A0FB9
.text C:\WINDOWS\system32\wuauclt.exe[1476] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 002A0F7C
.text C:\WINDOWS\system32\wuauclt.exe[1476] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 002A0FCA
.text C:\WINDOWS\system32\wuauclt.exe[1476] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 002A0FDB
.text C:\WINDOWS\system32\wuauclt.exe[1476] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 002A0039
.text C:\WINDOWS\system32\wuauclt.exe[1476] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 002A0F97
.text C:\WINDOWS\system32\wuauclt.exe[1476] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 002A0000
.text C:\WINDOWS\system32\wuauclt.exe[1476] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 002A0FA8
.text C:\WINDOWS\system32\wuauclt.exe[1476] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 003B0FEF
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1636] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1636] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\Explorer.EXE[1792] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00C00FE5
.text C:\WINDOWS\Explorer.EXE[1792] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00C0006F
.text C:\WINDOWS\Explorer.EXE[1792] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00C00F7A
.text C:\WINDOWS\Explorer.EXE[1792] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00C00FA1
.text C:\WINDOWS\Explorer.EXE[1792] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00C00FB2
.text C:\WINDOWS\Explorer.EXE[1792] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00C0004A
.text C:\WINDOWS\Explorer.EXE[1792] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00C00F42
.text C:\WINDOWS\Explorer.EXE[1792] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00C0008A
.text C:\WINDOWS\Explorer.EXE[1792] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00C00F16
.text C:\WINDOWS\Explorer.EXE[1792] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00C000AF
.text C:\WINDOWS\Explorer.EXE[1792] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00C00EFB
.text C:\WINDOWS\Explorer.EXE[1792] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00C00FC3
.text C:\WINDOWS\Explorer.EXE[1792] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00C00FD4
.text C:\WINDOWS\Explorer.EXE[1792] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00C00F5F
.text C:\WINDOWS\Explorer.EXE[1792] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00C00025
.text C:\WINDOWS\Explorer.EXE[1792] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00C00014
.text C:\WINDOWS\Explorer.EXE[1792] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00C00F31
.text C:\WINDOWS\Explorer.EXE[1792] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 01710FDB
.text C:\WINDOWS\Explorer.EXE[1792] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 01710F94
.text C:\WINDOWS\Explorer.EXE[1792] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 01710022
.text C:\WINDOWS\Explorer.EXE[1792] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 01710011
.text C:\WINDOWS\Explorer.EXE[1792] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 01710051
.text C:\WINDOWS\Explorer.EXE[1792] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 01710FAF
.text C:\WINDOWS\Explorer.EXE[1792] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 01710000
.text C:\WINDOWS\Explorer.EXE[1792] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 01710FC0
.text C:\WINDOWS\Explorer.EXE[1792] WININET.dll!InternetOpenA 42C2C851 5 Bytes JMP 00CD000A
.text C:\WINDOWS\Explorer.EXE[1792] WININET.dll!InternetOpenW 42C2CE81 5 Bytes JMP 00CD0FEF
.text C:\WINDOWS\Explorer.EXE[1792] WININET.dll!InternetOpenUrlA 42C30BAA 5 Bytes JMP 00CD0FD4
.text C:\WINDOWS\Explorer.EXE[1792] WININET.dll!InternetOpenUrlW 42C7AE09 5 Bytes JMP 00CD0025
.text C:\WINDOWS\Explorer.EXE[1792] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00D50000
.text C:\WINDOWS\System32\svchost.exe[2604] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 009C0000
.text C:\WINDOWS\System32\svchost.exe[2604] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 009C0078
.text C:\WINDOWS\System32\svchost.exe[2604] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 009C0F83
.text C:\WINDOWS\System32\svchost.exe[2604] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 009C0067
.text C:\WINDOWS\System32\svchost.exe[2604] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 009C0040
.text C:\WINDOWS\System32\svchost.exe[2604] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 009C0FB9
.text C:\WINDOWS\System32\svchost.exe[2604] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 009C0F5E
.text C:\WINDOWS\System32\svchost.exe[2604] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 009C00A6
.text C:\WINDOWS\System32\svchost.exe[2604] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 009C00D5
.text C:\WINDOWS\System32\svchost.exe[2604] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 009C0F3C
.text C:\WINDOWS\System32\svchost.exe[2604] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 009C00E6
.text C:\WINDOWS\System32\svchost.exe[2604] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 009C0F9E
.text C:\WINDOWS\System32\svchost.exe[2604] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 009C0FE5
.text C:\WINDOWS\System32\svchost.exe[2604] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 009C0089
.text C:\WINDOWS\System32\svchost.exe[2604] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 009C0025
.text C:\WINDOWS\System32\svchost.exe[2604] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 009C0FD4
.text C:\WINDOWS\System32\svchost.exe[2604] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 009C0F4D
.text C:\WINDOWS\System32\svchost.exe[2604] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 009B0036
.text C:\WINDOWS\System32\svchost.exe[2604] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 009B0F94
.text C:\WINDOWS\System32\svchost.exe[2604] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 009B0FE5
.text C:\WINDOWS\System32\svchost.exe[2604] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 009B0011
.text C:\WINDOWS\System32\svchost.exe[2604] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 009B0051
.text C:\WINDOWS\System32\svchost.exe[2604] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 009B0FAF
.text C:\WINDOWS\System32\svchost.exe[2604] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 009B0000
.text C:\WINDOWS\System32\svchost.exe[2604] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 009B0FCA
.text C:\WINDOWS\System32\svchost.exe[3548] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001A000A
.text C:\WINDOWS\System32\svchost.exe[3548] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001A009D
.text C:\WINDOWS\System32\svchost.exe[3548] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001A0F9E
.text C:\WINDOWS\System32\svchost.exe[3548] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001A0078
.text C:\WINDOWS\System32\svchost.exe[3548] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001A0051
.text C:\WINDOWS\System32\svchost.exe[3548] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001A0040
.text C:\WINDOWS\System32\svchost.exe[3548] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001A0F5F
.text C:\WINDOWS\System32\svchost.exe[3548] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001A0F7C
.text C:\WINDOWS\System32\svchost.exe[3548] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001A00E0
.text C:\WINDOWS\System32\svchost.exe[3548] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001A0F3D
.text C:\WINDOWS\System32\svchost.exe[3548] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 001A0F22
.text C:\WINDOWS\System32\svchost.exe[3548] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 001A0FB9
.text C:\WINDOWS\System32\svchost.exe[3548] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\System32\svchost.exe[3548] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 001A0F8D
.text C:\WINDOWS\System32\svchost.exe[3548] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 001A0025
.text C:\WINDOWS\System32\svchost.exe[3548] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 001A0FD4
.text C:\WINDOWS\System32\svchost.exe[3548] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 001A0F4E
.text C:\WINDOWS\System32\svchost.exe[3548] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00280FB9
.text C:\WINDOWS\System32\svchost.exe[3548] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00280F7C
.text C:\WINDOWS\System32\svchost.exe[3548] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00280FD4
.text C:\WINDOWS\System32\svchost.exe[3548] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00280FEF
.text C:\WINDOWS\System32\svchost.exe[3548] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00280F97
.text C:\WINDOWS\System32\svchost.exe[3548] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00280039
.text C:\WINDOWS\System32\svchost.exe[3548] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 0028000A
.text C:\WINDOWS\System32\svchost.exe[3548] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00280FA8
.text C:\WINDOWS\System32\svchost.exe[3548] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 006D0FE5

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- EOF - GMER 1.0.14 ----

Edited by abryenton, 29 May 2008 - 04:08 PM.

  • 0
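The GMER user-mode section above lists, per process, each hooked export and the address its first five bytes now jump to. For the McAfee mcproxy.exe entries GMER also names the file that owns the jump target, while for the svchost.exe, wuauclt.exe and Explorer.EXE entries it prints no owner at all. The Python helper below is an added example (not part of this post, and not a GMER or HijackThis component) that parses those lines and groups hooks by process, separating the ones GMER attributed to a file on disk from the ones that land in unattributed memory. The sample input is a handful of lines copied from the log above; the capability buckets are labels chosen for this example, not anything GMER reports.

```python
"""Triage helper for the GMER user-mode inline-hook lines shown in the log above.

Added example for this thread; it is not part of the original post and not a
GMER or HijackThis component. It parses lines of the form

    .text <process>[<pid>] <module>!<export> <addr> 5 Bytes JMP <target> [<owner>]

and separates hooks whose jump target GMER attributed to a file on disk (the
McAfee mcproxy.exe entries) from hooks that land in memory GMER could not map
to any module (the svchost.exe, wuauclt.exe and Explorer.EXE entries).
"""
import re
from collections import defaultdict

HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>\S+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<export>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes\s+JMP\s+"
    r"(?P<target>[0-9A-Fa-f]{8})(?:\s+(?P<owner>\S.*))?$"
)

# Coarse capability buckets for the hooked exports seen in the log
# (labels chosen for this example; registry APIs are matched by prefix).
CAPABILITIES = {
    "process": {"CreateProcessA", "CreateProcessW", "WinExec"},
    "loader": {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA",
               "LoadLibraryExW", "GetProcAddress"},
    "file": {"CreateFileA", "CreateFileW", "CreatePipe",
             "CreateNamedPipeA", "CreateNamedPipeW"},
    "memory": {"VirtualProtect", "VirtualProtectEx"},
    "network": {"socket", "InternetOpenA", "InternetOpenW",
                "InternetOpenUrlA", "InternetOpenUrlW"},
}

# A few lines copied from the GMER log in this thread, used as sample input.
SAMPLE_LINES = r"""
.text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 012B00CA
.text C:\WINDOWS\System32\svchost.exe[1140] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 02450FEF
.text C:\WINDOWS\System32\svchost.exe[1140] WININET.dll!InternetOpenUrlA 42C30BAA 5 Bytes JMP 012C0025
.text C:\WINDOWS\Explorer.EXE[1792] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 01710F94
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1636] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
"""


def capability(export):
    """Map a hooked export to a coarse capability bucket."""
    if export.startswith("Reg"):
        return "registry"
    for name, exports in CAPABILITIES.items():
        if export in exports:
            return name
    return "other"


def parse_hook(line):
    """Return a dict for one GMER inline-hook line, or None if it is not one."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    hook = m.groupdict()
    hook["pid"] = int(hook["pid"])
    hook["size"] = int(hook["size"])
    # GMER prints a path and vendor after the target only when it could map the
    # target address back to a file; a missing owner is the triage signal.
    hook["attributed"] = hook["owner"] is not None
    hook["capability"] = capability(hook["export"])
    return hook


def triage(text):
    """Group hooks per process and split them into attributed / unattributed."""
    report = defaultdict(
        lambda: {"attributed": [], "unattributed": [], "capabilities": set()}
    )
    for line in text.splitlines():
        hook = parse_hook(line)
        if hook is None:
            continue
        key = f"{hook['process']}[{hook['pid']}]"
        bucket = "attributed" if hook["attributed"] else "unattributed"
        report[key][bucket].append(
            f"{hook['module']}!{hook['export']} -> {hook['target']}"
        )
        if not hook["attributed"]:
            report[key]["capabilities"].add(hook["capability"])
    return dict(report)


def suspicious_processes(text):
    """Processes carrying at least one hook whose target GMER could not attribute."""
    return sorted(k for k, v in triage(text).items() if v["unattributed"])


if __name__ == "__main__":
    for proc, info in triage(SAMPLE_LINES).items():
        print(f"{proc}: {len(info['unattributed'])} unattributed, "
              f"{len(info['attributed'])} attributed, "
              f"capabilities={sorted(info['capabilities'])}")
```

Run as a script it prints one summary line per process; `suspicious_processes()` returns the processes with at least one unattributed hook, which is the list a responder would line up against the running-process list in the HijackThis log rather than reading the full dump by hand.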

#14
abryenton

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:09:03 PM, on 5/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
M:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamtrayctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
M:\Program Files\Adobe\Adobe Photoshop CS3\Photoshop.exe
C:\Program Files\Winamp\winamp.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.forceunleashed.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - M:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "M:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = M:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: Append to existing PDF - res://M:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://M:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://M:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://M:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://M:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://M:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://M:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://M:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MBAMService (mbamservice) - Malwarebytes - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe

--
End of file - 10645 bytes
  • 0

#15
fenzodahl512

  • Malware Removal
  • 9,863 posts
Hello. Tell me what you mean by the Data Execution thing from Microsoft. Please describe it.


Please do the following..

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NEXT

Installing Recovery Console:

It appears your computer has no Recovery Console installed. We need to install the Recovery Console first before proceeding to our next fix. Please do the following..

Please go to Microsoft's website => HERE
Select the download that's appropriate for your Operating System: Windows XP Professional Service Pack 2 (SP2)

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

After successfully installing the Recovery Console, a pop-up will appear asking to run ComboFix; please select NO.

NEXT

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\SET30C.tmp

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0





