I've been working on this all weekend trying various techniques and tools. At one point it said it was Trojan.Vundo, now it's showing up as Trojan.BHO.H. In any case, it keeps creating a registry entry and asking for permission to run a DLL as an App. I'm running WinPatrol (http://www.winpatrol.com/) which seems to be keeping it from fully activating. Every couple of minutes WinPatrol tells me

"...a new Internet Explorer Add-On has been installed on your system. Do you approve the addition of this IE Helper? ... c:\WINDOWS\system32\sijczbs.dll..."

I keep saying No, but it keeps trying.

I've run a variety of tools to combat this, including ATF-Cleaner, SDFix, SpyBot Search & Destroy, Adaware, SUPERAntispyware, HijackThis, ComboFix, and MWB. MWB is the only one to find the culprit and try to delete it. However, it can only delete on reboot, and it is either not deleting or it keeps coming back. I have tried deleting the sijczbs.dll directly with a variety of tools in safe mode, non-safe mode, etc. No luck.

At the end of my rope here.

MWB log and Hijackthis log are below... any help is appreciated.

--------------------

Malwarebytes' Anti-Malware 1.36

Database version: 1971

Windows 5.1.2600 Service Pack 3

4/13/2009 7:10:07 PM

mbam-log-2009-04-13 (19-10-07).txt

Scan type: Full Scan (C:\|)

Objects scanned: 222229

Time elapsed: 1 hour(s), 0 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4568ac4f-2035-4210-ac90-8540d1ebd3bc} (Trojan.BHO.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{4568ac4f-2035-4210-ac90-8540d1ebd3bc} (Trojan.BHO.H) -> Delete on reboot.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\sijczbs.dll (Trojan.BHO.H) -> Delete on reboot.

--------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:14:28 PM, on 4/13/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\WINDOWS\stsystra.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\MXOaldr.exe

C:\Program Files\McAfee.com\VSO\mcvsshld.exe

C:\Program Files\McAfee.com\VSO\oasclnt.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe

C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\ColdFusion8\jnbridge\CF8DotNetsvc.exe

C:\ColdFusion8\jnbridge\JNBDotNetSide.exe

C:\ColdFusion8\runtime\bin\jrunsvc.exe

C:\ColdFusion8\db\slserver54\bin\swagent.exe

C:\ColdFusion8\db\slserver54\bin\swstrtr.exe

C:\ColdFusion8\runtime\bin\jrun.exe

C:\ColdFusion8\db\slserver54\bin\swsoc.exe

C:\ColdFusion8\verity\k2\_nti40\bin\k2admin.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\Electronic Arts\EADM\Core.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\MozyHome\mozystat.exe

c:\program files\mcafee.com\agent\mcdetect.exe

C:\Program Files\MozyHome\mozybackup.exe

C:\ColdFusion8\verity\k2\_nti40\bin\k2server.exe

C:\ColdFusion8\verity\k2\_nti40\bin\k2index.exe

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - AutorunsDisabled - (no file)

O2 - BHO: (no name) - {4568AC4F-2035-4210-AC90-8540D1EBD3BC} - c:\windows\system32\sijczbs.dll

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOaldr.exe

O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe

O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"

O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: MozyHome Status.lnk = C:\Program Files\MozyHome\mozystat.exe

O4 - Global Startup: VPN Client.lnk = ?

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra button: (no name) - AutorunsDisabled - (no file)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://officebeta.iponet.net/templates/ieawsdc.cab

O16 - DPF: {02FFCFC3-C28F-4ED9-954B-1BAC9FD77E12} (Intra.Net Component Manager 2.0) - http://miracosta.intra.net/media/xflux3.cab

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://phctc2.phgenit.com/plugin/awarewebp...cab/awswaxf.cab

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab

O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Exterminate...opAntiVirus.dll

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://wc.miracosta.edu/activex/AxisCamControl.cab

O16 - DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} (Enlite 2.x Simulation Engine Installer) - http://myitlab.pearsoned.com/Pegasus/Modul...ces/ax/stub.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ColdFusion 8 .NET Service - Unknown owner - C:\ColdFusion8\jnbridge\CF8DotNetsvc.exe

O23 - Service: ColdFusion 8 Application Server - Macromedia Inc. - C:\ColdFusion8\runtime\bin\jrunsvc.exe

O23 - Service: ColdFusion 8 ODBC Agent - Unknown owner - C:\ColdFusion8\db\slserver54\bin\swagent.exe

O23 - Service: ColdFusion 8 ODBC Server - Unknown owner - C:\ColdFusion8\db\slserver54\bin\swstrtr.exe

O23 - Service: ColdFusion 8 Search Server - Verity, Inc. - C:\ColdFusion8\verity\k2\_nti40\bin\k2admin.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - C:\Program Files\MozyHome\mozybackup.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--

End of file - 10592 bytes


Hi,

It's unclear here if you rebooted after the Malwarebytes scan or not, so please run the scan again, remove what it found and reboot. Then post a new HijackThis log in your next reply together with the new log from MBAM.
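The reboot question above turns on the "Delete on reboot" status in the MBAM log: entries with that status are not gone until the machine restarts. The following is an added example, not part of this thread and not Malwarebytes' own tooling: a small Python parser for the MBAM 1.x log layout posted above that extracts each finding, the threat name and the action taken, and flags the entries still awaiting a reboot. The sample log embedded in the block is constructed from the lines posted in the thread; the class and function names are the example's own.

```python
"""Parse a Malwarebytes' Anti-Malware (MBAM 1.x) text log into structured findings.

Added example; not Malwarebytes' own code. The layout is the one visible in the
logs posted in the thread, and the sample below is constructed from those lines.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the MBAM 1.36 layout seen in the thread (abridged).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.36
Database version: 1971
Scan type: Full Scan (C:\|)
Objects scanned: 222229

Registry Keys Infected: 2
Registry Data Items Infected: 2
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4568ac4f-2035-4210-ac90-8540d1ebd3bc} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{4568ac4f-2035-4210-ac90-8540d1ebd3bc} (Trojan.BHO.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\sijczbs.dll (Trojan.BHO.H) -> Delete on reboot.
"""

# "Registry Keys Infected: 2" is a summary count; "Registry Keys Infected:" opens a section.
SUMMARY_RE = re.compile(r"^(?P<name>[A-Za-z ]+? Infected): (?P<count>\d+)\s*$")
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+? Infected):\s*$")
HEADER_RE = re.compile(r"^(?P<key>Database version|Scan type|Objects scanned|Time elapsed): (?P<value>.+)$")
# "<location> (<threat>) -> [<detail> -> ...] <action>."  The location is matched
# lazily so the first "(threat)" group ends it; the trailing period is dropped.
ENTRY_RE = re.compile(r"^(?P<location>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+?)\.?$")


@dataclass
class Finding:
    section: str
    location: str
    threat: str
    action: str
    details: tuple  # intermediate "->" segments, e.g. ("Bad: (1) Good: (0)",)


@dataclass
class MbamReport:
    header: dict = field(default_factory=dict)
    summary: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)

    def pending_reboot(self):
        """Findings MBAM could not remove immediately; they persist until a restart."""
        return [f for f in self.findings if f.action.lower() == "delete on reboot"]

    def threats(self):
        return sorted({f.threat for f in self.findings})


def parse_mbam_log(text):
    report = MbamReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report.summary[m.group("name")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = HEADER_RE.match(line)
        if m and section is None:
            report.header[m.group("key")] = m.group("value")
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # unrecognised line inside a section; skip rather than guess
        segments = [s.strip() for s in m.group("rest").split("->")]
        report.findings.append(Finding(section, m.group("location"), m.group("threat"),
                                       segments[-1], tuple(segments[:-1])))
    return report


def triage_lines(report):
    """Short human-readable summary, returned as lines so it can be checked."""
    lines = [f"[{f.section}] {f.threat}: {f.location} -> {f.action}" for f in report.findings]
    pending = report.pending_reboot()
    if pending:
        lines.append(f"{len(pending)} item(s) still marked 'Delete on reboot': reboot before re-scanning")
    return lines


if __name__ == "__main__":
    print("\n".join(triage_lines(parse_mbam_log(SAMPLE_LOG))))
```

Run on a log where nothing is marked "Delete on reboot", the last triage line is absent; on the thread's log it reports three pending items (both registry keys and the DLL), which is why the same findings reappear in a scan taken before restarting.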

Done.... please see logs below. Thanks for your help!

MBAM

----------------------------------

Malwarebytes' Anti-Malware 1.36

Database version: 1971

Windows 5.1.2600 Service Pack 3

4/13/2009 7:10:07 PM

mbam-log-2009-04-13 (19-10-07).txt

Scan type: Full Scan (C:\|)

Objects scanned: 222229

Time elapsed: 1 hour(s), 0 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4568ac4f-2035-4210-ac90-8540d1ebd3bc} (Trojan.BHO.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{4568ac4f-2035-4210-ac90-8540d1ebd3bc} (Trojan.BHO.H) -> Delete on reboot.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\sijczbs.dll (Trojan.BHO.H) -> Delete on reboot.

--------------------------------------------

HijackThis

--------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:33:33 AM, on 4/14/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\ColdFusion8\jnbridge\CF8DotNetsvc.exe

C:\ColdFusion8\runtime\bin\jrunsvc.exe

C:\ColdFusion8\jnbridge\JNBDotNetSide.exe

C:\ColdFusion8\db\slserver54\bin\swagent.exe

C:\ColdFusion8\db\slserver54\bin\swstrtr.exe

C:\ColdFusion8\runtime\bin\jrun.exe

C:\ColdFusion8\db\slserver54\bin\swsoc.exe

C:\ColdFusion8\verity\k2\_nti40\bin\k2admin.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

c:\program files\mcafee.com\agent\mcdetect.exe

C:\Program Files\MozyHome\mozybackup.exe

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\ColdFusion8\verity\k2\_nti40\bin\k2server.exe

C:\ColdFusion8\verity\k2\_nti40\bin\k2index.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Dell\QuickSet\quickset.exe

C:\WINDOWS\stsystra.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\MXOaldr.exe

C:\Program Files\McAfee.com\VSO\mcvsshld.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe

C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Electronic Arts\EADM\Core.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\MozyHome\mozystat.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - AutorunsDisabled - (no file)

O2 - BHO: (no name) - {4568AC4F-2035-4210-AC90-8540D1EBD3BC} - c:\windows\system32\sijczbs.dll

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOaldr.exe

O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe

O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"

O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: MozyHome Status.lnk = C:\Program Files\MozyHome\mozystat.exe

O4 - Global Startup: VPN Client.lnk = ?

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra button: (no name) - AutorunsDisabled - (no file)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://officebeta.iponet.net/templates/ieawsdc.cab

O16 - DPF: {02FFCFC3-C28F-4ED9-954B-1BAC9FD77E12} (Intra.Net Component Manager 2.0) - http://miracosta.intra.net/media/xflux3.cab

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://phctc2.phgenit.com/plugin/awarewebp...cab/awswaxf.cab

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab

O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Exterminate...opAntiVirus.dll

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://wc.miracosta.edu/activex/AxisCamControl.cab

O16 - DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} (Enlite 2.x Simulation Engine Installer) - http://myitlab.pearsoned.com/Pegasus/Modul...ces/ax/stub.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ColdFusion 8 .NET Service - Unknown owner - C:\ColdFusion8\jnbridge\CF8DotNetsvc.exe

O23 - Service: ColdFusion 8 Application Server - Macromedia Inc. - C:\ColdFusion8\runtime\bin\jrunsvc.exe

O23 - Service: ColdFusion 8 ODBC Agent - Unknown owner - C:\ColdFusion8\db\slserver54\bin\swagent.exe

O23 - Service: ColdFusion 8 ODBC Server - Unknown owner - C:\ColdFusion8\db\slserver54\bin\swstrtr.exe

O23 - Service: ColdFusion 8 Search Server - Verity, Inc. - C:\ColdFusion8\verity\k2\_nti40\bin\k2admin.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - C:\Program Files\MozyHome\mozybackup.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--

End of file - 10514 bytes


  • Staff

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


Done.... ComboFix log below

ComboFix

------------------------------------

ComboFix 09-04-13.A2 - Brad & Lorez 2009-04-14 7:13.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1264 [GMT -7:00]

Running from: c:\documents and settings\Brad & Lorez\Desktop\ComboFix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Outdated)

* Created a new restore point

.

Error: Cfolders.dat

/wow section - STAGE 32A

pevFind by Billy Robert O'Neal III

Version 0.0.1.0

So long as David Tribble's message is retained (his rule, not mine)

not limited to sale, distribution, modification, or other use of this

program. If it was my choice, it would be public domain.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY

AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER

LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM

THE SOFTWARE.

Filename regular expressions library is

"Copyright ©1997-1998 by David R. Tribble, all rights reserved."

pevFind by Billy Robert O'Neal III

Version 0.0.1.0

So long as David Tribble's message is retained (his rule, not mine)

not limited to sale, distribution, modification, or other use of this

program. If it was my choice, it would be public domain.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY

AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER

LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM

THE SOFTWARE.

Filename regular expressions library is

"Copyright ©1997-1998 by David R. Tribble, all rights reserved."

pevFind by Billy Robert O'Neal III

Version 0.0.1.0

So long as David Tribble's message is retained (his rule, not mine)

not limited to sale, distribution, modification, or other use of this

program. If it was my choice, it would be public domain.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY

AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER

LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM

THE SOFTWARE.

Filename regular expressions library is

"Copyright ©1997-1998 by David R. Tribble, all rights reserved."

pevFind by Billy Robert O'Neal III

Version 0.0.1.0

So long as David Tribble's message is retained (his rule, not mine)

not limited to sale, distribution, modification, or other use of this

program. If it was my choice, it would be public domain.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY

AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER

LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM

THE SOFTWARE.

Filename regular expressions library is

"Copyright ©1997-1998 by David R. Tribble, all rights reserved."

pevFind by Billy Robert O'Neal III

Version 0.0.1.0

So long as David Tribble's message is retained (his rule, not mine)

not limited to sale, distribution, modification, or other use of this

program. If it was my choice, it would be public domain.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY

AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER

LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM

THE SOFTWARE.

Filename regular expressions library is

"Copyright ©1997-1998 by David R. Tribble, all rights reserved."

The process cannot access the file because it is being used by another process.

The process cannot access the file because it is being used by another process.

The process cannot access the file because it is being used by another process.

The process cannot access the file because it is being used by another process.

The process cannot access the file because it is being used by another process.

The process cannot access the file because it is being used by another process.

The process cannot access the file because it is being used by another process.

The process cannot access the file because it is being used by another process.

The process cannot access the file because it is being used by another process.

The system cannot find the file temp0700.

The process cannot access the file because it is being used by another process.

The system cannot find the file temp0700.

The system cannot find the file temp1001.

The system cannot find the path specified.

The system cannot find the path specified.

Could Not Find c:\combofix\temp03

The process cannot access the file because it is being used by another process.

The process cannot access the file because it is being used by another process.

The process cannot access the file because it is being used by another process.

The process cannot access the file because it is being used by another process.

The process cannot access the file because it is being used by another process.

The process cannot access the file because it is being used by another process.

The process cannot access the file because it is being used by another process.

The system cannot find the file temp3100.

The process cannot access the file because it is being used by another process.

((((((((((((((((((((((((( Files Created from 2009-03-14 to 2009-04-14 )))))))))))))))))))))))))))))))

.

2009-04-13 18:35 . 2009-04-13 18:35 578560 -c--a-w c:\windows\system32\dllcache\user32.dll

2009-04-13 18:30 . 2009-04-13 18:30 -------- d-----w c:\windows\ERUNT

2009-04-12 18:14 . 2009-04-13 19:29 -------- d-----w C:\SDFix

2009-04-12 00:50 . 2009-04-12 00:50 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-04-12 00:49 . 2009-04-12 00:50 -------- d-----w c:\program files\SUPERAntiSpyware

2009-04-12 00:49 . 2009-04-12 00:49 -------- d-----w c:\documents and settings\Brad & Lorez\Application Data\SUPERAntiSpyware.com

2009-04-11 23:05 . 2009-04-11 23:05 -------- d-----w C:\VundoFix Backups

2009-04-11 22:10 . 2009-04-11 22:10 -------- d-----w c:\program files\Trend Micro

2009-04-11 16:33 . 2009-04-11 16:33 -------- d-----w c:\program files\CCleaner

2009-04-11 14:26 . 2009-04-11 22:34 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-04-11 14:06 . 2009-04-11 14:06 -------- d-----w c:\documents and settings\All Users\Application Data\PCPitstop

2009-04-11 14:05 . 2009-04-14 00:32 -------- d-----w c:\program files\PCPitstop

2009-04-11 01:08 . 2009-04-14 00:42 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-04-11 01:08 . 2009-04-11 01:15 -------- d-----w c:\program files\Spybot - Search & Destroy

2009-04-11 01:06 . 2009-04-11 01:05 410984 ----a-w c:\windows\system32\deploytk.dll

2009-04-10 14:37 . 2009-04-10 14:37 -------- d-----w c:\documents and settings\Brad & Lorez\Local Settings\Application Data\osmazraq

2009-04-10 14:37 . 2009-04-10 14:37 -------- d-----w c:\documents and settings\Brad & Lorez\Application Data\osmazraq

2009-04-10 12:26 . 2009-04-11 21:50 0 ----a-w c:\windows\Hjacureqij.bin

2009-04-10 12:26 . 2009-04-10 12:26 -------- d-----w c:\documents and settings\Brad & Lorez\Local Settings\Application Data\{79AB25D8-E44A-424D-951D-2676F459C7B2}

2009-04-10 12:26 . 2009-04-11 21:50 408 ----a-w c:\windows\Tcoxuyajas.dat

2009-04-05 12:44 . 2009-04-05 12:45 -------- d-----w c:\program files\iTunes

2009-04-05 12:44 . 2009-04-05 12:45 -------- d-----w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}

2009-04-05 12:41 . 2009-03-06 06:59 1900544 ----a-w c:\windows\system32\usbaaplrc.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-14 00:38 . 2006-07-02 22:42 71160 ----a-w c:\documents and settings\Brad & Lorez\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-04-14 00:29 . 2006-07-02 22:51 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help

2009-04-14 00:29 . 2008-11-30 15:54 -------- d-----w c:\program files\Microsoft Visual Studio 9.0

2009-04-14 00:23 . 2006-07-02 22:54 -------- d-----w c:\program files\Microsoft SQL Server

2009-04-14 00:13 . 2006-07-02 18:43 -------- d-----w c:\program files\Microsoft.NET

2009-04-13 23:38 . 2007-10-26 23:34 -------- d-----w c:\documents and settings\All Users\Application Data\LogiShrd

2009-04-13 23:36 . 2006-09-03 02:12 -------- d-----w c:\program files\iriverter

2009-04-13 23:35 . 2006-07-15 00:57 -------- d-----w c:\program files\Creative

2009-04-13 23:35 . 2006-07-02 18:23 -------- d--h--w c:\program files\InstallShield Installation Information

2009-04-13 20:20 . 2007-04-13 02:59 -------- d-----w c:\program files\Common Files\Real

2009-04-12 00:49 . 2006-12-01 22:45 -------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-04-11 23:38 . 2009-04-11 23:05 136 ----a-w C:\VundoFix.txt

2009-04-11 22:40 . 2004-08-04 12:00 102400 ----a-w c:\windows\system32\lraqfaq.dll

2009-04-11 22:02 . 2008-12-26 05:31 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-04-11 01:05 . 2006-07-13 01:04 -------- d-----w c:\program files\Java

2009-04-06 22:32 . 2008-12-26 05:31 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-06 22:32 . 2008-12-26 05:31 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-04-05 12:44 . 2006-07-02 20:59 -------- d-----w c:\program files\iPod

2009-04-05 12:44 . 2007-10-23 18:31 -------- d-----w c:\program files\Common Files\Apple

2009-03-19 13:41 . 2006-07-02 21:00 -------- d-----w c:\documents and settings\Brad & Lorez\Application Data\Apple Computer

2009-03-16 14:15 . 2006-07-02 21:02 -------- d-----w c:\program files\CalorieKing Nutrition and Exercise Manager for Windows

2009-03-06 06:59 . 2008-10-05 20:50 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys

2009-03-04 19:14 . 2009-03-04 19:14 -------- d-----w c:\program files\Maxis

2009-02-27 01:41 . 2007-08-25 02:18 -------- d-----w c:\program files\Microsoft Silverlight

2009-02-22 16:36 . 2009-01-01 03:58 -------- d-----w c:\program files\Replay Media Catcher

2009-02-22 16:29 . 2009-01-02 15:34 156672 ----a-w c:\windows\system32\rmc_fixasf.exe

2009-02-22 16:29 . 2009-01-02 15:34 237568 ----a-w c:\windows\system32\rmc_rtspdl.dll

2009-02-22 16:29 . 2009-01-02 14:31 323584 ----a-w c:\windows\system32\AUDIOGENIE2.DLL

2009-02-22 03:22 . 2006-07-02 22:51 -------- d-----w c:\program files\Microsoft Visual Studio 8

2009-02-21 21:59 . 2009-01-20 20:09 -------- d-----w c:\program files\NOS

2009-02-21 21:59 . 2009-01-20 20:09 -------- d-----w c:\documents and settings\All Users\Application Data\NOS

2009-02-21 16:29 . 2009-02-21 16:27 -------- d-----w c:\program files\Quicken WillMaker Plus 2009

2009-02-21 16:27 . 2009-02-21 16:27 -------- d-----w c:\documents and settings\Brad & Lorez\Application Data\Quicken WillMaker

2009-02-16 17:01 . 2008-04-26 13:28 -------- d-----w c:\program files\Handbrake

2009-02-15 15:02 . 2009-02-15 15:02 -------- d-----w c:\documents and settings\Brad & Lorez\Application Data\YouSendIt

2009-02-15 02:06 . 2009-02-15 02:06 -------- d-----w c:\program files\Common Files\AnswerWorks 5.0

2009-02-15 02:04 . 2007-04-05 02:35 -------- d-----w c:\documents and settings\All Users\Application Data\Intuit

2009-02-15 02:04 . 2007-04-05 02:35 -------- d-----w c:\program files\Common Files\Intuit

2009-02-15 02:02 . 2007-04-05 02:34 -------- d-----w c:\program files\TurboTax

2009-02-15 01:58 . 2009-02-15 01:58 -------- d-----w c:\documents and settings\All Users\Application Data\Amazon

2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys

2009-01-23 16:46 . 2008-11-30 15:51 163792 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

.

((((((((((((((((((((((((((((( SnapShot@2009-04-12_ 9.51.42.50 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-04-14 14:09 . 2009-04-14 14:09 16384 c:\windows\Temp\Perflib_Perfdata_1c4.dat

+ 2004-08-04 12:00 . 2009-04-14 02:55 76304 c:\windows\system32\perfc009.dat

- 2006-07-02 18:44 . 2009-03-12 10:38 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe

+ 2006-07-02 18:44 . 2009-04-14 02:54 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe

- 2006-07-02 18:44 . 2009-03-12 10:38 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe

+ 2006-07-02 18:44 . 2009-04-14 02:54 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe

+ 2006-07-02 18:44 . 2009-04-14 02:54 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe

- 2006-07-02 18:44 . 2009-03-12 10:38 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe

+ 2006-07-02 18:44 . 2009-04-14 02:54 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe

- 2006-07-02 18:44 . 2009-03-12 10:38 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe

+ 2006-07-02 18:44 . 2009-04-14 02:54 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe

- 2006-07-02 18:44 . 2009-03-12 10:38 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe

+ 2006-07-02 18:44 . 2009-04-14 02:54 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe

- 2006-07-02 18:44 . 2009-03-12 10:38 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe

+ 2006-07-02 18:44 . 2009-04-14 02:54 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe

- 2006-07-02 18:44 . 2009-03-12 10:38 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe

+ 2004-08-04 12:00 . 2009-04-14 02:55 468446 c:\windows\system32\perfh009.dat

+ 2006-07-02 20:15 . 2009-04-14 14:09 236808 c:\windows\system32\inetsrv\MetaBase.bin

+ 2006-07-02 10:56 . 2009-04-14 00:46 295664 c:\windows\system32\FNTCACHE.DAT

+ 2009-04-13 18:35 . 2009-04-13 18:35 578560 c:\windows\system32\dllcache\user32.dll

- 2006-07-02 18:44 . 2009-03-12 10:38 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe

+ 2006-07-02 18:44 . 2009-04-14 02:54 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe

- 2006-07-02 18:44 . 2009-03-12 10:38 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe

+ 2006-07-02 18:44 . 2009-04-14 02:54 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe

+ 2006-07-02 18:44 . 2009-04-14 02:54 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe

- 2006-07-02 18:44 . 2009-03-12 10:38 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe

- 2006-07-02 18:44 . 2009-03-12 10:38 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe

+ 2006-07-02 18:44 . 2009-04-14 02:54 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe

+ 2006-07-02 18:44 . 2009-04-14 02:54 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe

- 2006-07-02 18:44 . 2009-03-12 10:38 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe

+ 2006-07-02 18:44 . 2009-04-14 02:54 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe

- 2006-07-02 18:44 . 2009-03-12 10:38 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe

+ 2009-04-13 18:30 . 2009-04-13 18:30 335872 c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat

+ 2009-04-13 18:30 . 2008-08-07 22:27 163328 c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE

+ 2009-04-13 18:31 . 2009-04-13 18:31 335872 c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat

+ 2009-04-13 18:31 . 2008-08-07 22:27 163328 c:\windows\ERUNT\SDFIX\ERDNT.EXE

+ 2009-04-13 18:30 . 2009-04-13 18:30 9539584 c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT

+ 2009-04-13 18:31 . 2009-04-13 18:31 9539584 c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4568AC4F-2035-4210-AC90-8540D1EBD3BC}]

2009-04-11 15:40 102400 --a------ c:\windows\system32\sijczbs.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]

@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"

[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]

2008-12-04 17:38 3431224 --a------ c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]

@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"

[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]

2008-12-04 17:38 3431224 --a------ c:\program files\MozyHome\mozyshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-02-06 3325952]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]

"MXO Auto Loader"="c:\windows\MXOaldr.exe" [2002-08-09 118784]

"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 151552]

"VirusScan Online"="c:\program files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 163840]

"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 53248]

"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]

"MCUpdateExe"="c:\progra~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 212992]

"HydraVisionDesktopManager"="c:\program files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe" [2003-09-15 270336]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-07-03 802816]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-07-02 700416]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]

"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-07-04 333120]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]

"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-13 169984]

"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-07-02 24576]

MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2008-12-04 3367736]

VPN Client.lnk - c:\windows\Installer\{A7091E1D-36A4-47F1-A739-173CC341414F}\Icon3E5562ED7.ico [2008-07-26 6144]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.3IV2"= 3ivxVfWCodec_dec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"McTskshd.exe"=2 (0x2)

"McShield"=2 (0x2)

"mcupdmgr.exe"=3 (0x3)

"McDetect.exe"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=

"c:\\WINDOWS\\system32\\javaw.exe"=

"c:\\Program Files\\Macromedia\\Contribute 3\\Contribute.exe"=

"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=

"c:\\Program Files\\Java\\jre1.5.0_10\\bin\\javaw.exe"=

"c:\\WINDOWS\\system32\\java.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\html2rss\\html2rss.exe"=

"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

"c:\\Program Files\\Lavasoft\\Ad-Aware\\aawservice.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"9000:TCP"= 9000:TCP:SlimServer 9000 tcp

"3483:UDP"= 3483:UDP:SlimServer 3483 udp

"3483:TCP"= 3483:TCP:SlimServer 3483 tcp

S0 memdqpig;memdqpig;c:\windows\system32\drivers\memdqpig.sys [2004-08-04 23424]

S1 mozyFilter;mozyFilter;c:\windows\system32\DRIVERS\mozy.sys [2008-12-04 53752]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]

S2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-11 124832]

S2 ColdFusion 8 .NET Service;ColdFusion 8 .NET Service;c:\coldfusion8\jnbridge\CF8DotNetsvc.exe [2007-05-30 77824]

S2 ColdFusion 8 Application Server;ColdFusion 8 Application Server;c:\coldfusion8\runtime\bin\jrunsvc.exe [2007-05-25 61440]

S2 ColdFusion 8 ODBC Agent;ColdFusion 8 ODBC Agent; [x]

S2 ColdFusion 8 ODBC Server;ColdFusion 8 ODBC Server; [x]

S2 ColdFusion 8 Search Server;ColdFusion 8 Search Server;c:\coldfusion8\verity\k2\_nti40\bin\k2admin.exe [2006-09-04 2743056]

S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f54484d-7f3b-11dc-a2b2-0015c5b1d98f}]

\Shell\AutoRun\command - e:\system\viewer\FlipVideoforPC.exe

\Shell\Flip Video for PC\command - e:\system\viewer\FlipVideoforPC.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{482c0c63-04cf-11de-a4e0-0015c5b1d98f}]

\Shell\AutoRun\command - E:\Autorun.exe /run

\Shell\Shell00\Command - E:\Autorun.exe /run

\Shell\Shell01\Command - E:\Autorun.exe /action

\Shell\Shell02\Command - E:\Autorun.exe /uninstall

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59aecf72-0e42-11dc-a1df-0015c5b1d98f}]

\Shell\AutoRun\command - e:\system\viewer\FlipVideoforPC.exe

\Shell\Flip Video for PC\command - e:\system\viewer\FlipVideoforPC.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{68166e88-17fa-11db-9cfc-0015c5122668}]

\Shell\AutoRun\command - e:\jdsecure\Windows\JDSecure20.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8492efc4-b8c5-11dc-a2fc-0015c5b1d98f}]

\Shell\AutoRun\command - F:\CAEdgemobile.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a19a1ef0-6426-11dd-a3e8-0015c5b1d98f}]

\Shell\AutoRun\command - E:\Autorun.exe /run

\Shell\Shell00\Command - E:\Autorun.exe /run

\Shell\Shell01\Command - E:\Autorun.exe /action

\Shell\Shell02\Command - E:\Autorun.exe /uninstall

.

Contents of the 'Scheduled Tasks' folder

2009-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-04-14 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (HINSPIRON-Brad & Lorez).job

- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2005-07-08 18:18]

2009-04-13 c:\windows\Tasks\User_Feed_Synchronization-{9B511CC1-CDFD-4B39-800F-769B6043CDEB}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 19:36]

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-LogitechQuickCamRibbon - c:\program files\Logitech\QuickCam\Quickcam.exe

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

Trusted Zone: turbotax.com

DPF: {02FFCFC3-C28F-4ED9-954B-1BAC9FD77E12} - hxxp://miracosta.intra.net/media/xflux3.cab

DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll

FF - ProfilePath - c:\documents and settings\Brad & Lorez\Application Data\Mozilla\Firefox\Profiles\sslgim2q.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/reader/view/#stream/user%2F03313634388283504904%2Flabel%2Femploy

FF - component: c:\documents and settings\Brad & Lorez\Application Data\Mozilla\Firefox\Profiles\sslgim2q.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll

FF - plugin: c:\documents and settings\Brad & Lorez\Application Data\Mozilla\Firefox\Profiles\sslgim2q.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll

FF - plugin: c:\documents and settings\Brad & Lorez\Application Data\Mozilla\Firefox\Profiles\sslgim2q.default\extensions\ustreampublisher@ustream.tv\platform\WINNT_x86-msvc\plugins\npustreampublisher.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Intra.Net 4.x Components\packages\{309453F2-8D7A-4F10-BDAC-EA09D31F9198}\npsf.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll

.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-14 07:20

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1547161642-2049760794-839522115-1003\Software\SecuROM\License information*]

"datasecu"=hex:38,1c,c7,8f,d7,8f,b7,c0,34,e2,7b,18,9d,8e,50,41,86,0e,e0,44,e8,

8c,17,5c,58,f5,7c,dd,e5,12,7a,6e,70,b6,6a,7e,f3,41,f8,8b,f5,f4,8f,8c,43,2b,\

"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,93,88,7a,bf,61,

df,9e,31,2e,e8,e1,00,eb,16,2b,de,00,a4,5d,94,ea,a2,26,eb,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,01,1f,f7,3b,1a,

2b,ab,f0,46,47,15,b0,92,4b,c7,ef,03,39,39,49,37,4b,0f,4a,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,b4,f0,99,67,6f,

83,45,e3,7a,45,05,fd,91,e8,6f,31,3a,cc,f1,25,fd,dd,f5,6d,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,8b,47,70,40,67,

20,55,82,6b,65,49,6a,7e,99,74,f7,fb,b2,89,7c,67,35,f2,b2,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,c0,a1,f6,64,9b,

a3,0e,29,e9,02,6c,fa,fb,1d,47,57,f8,69,1d,a8,a6,e2,80,3f,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,3e,3c,e2,52,88,

54,ad,cb,50,93,e5,ab,ec,6a,4e,ab,b0,47,2e,be,8f,d9,72,69,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,b6,ab,66,20,ae,

00,90,85,97,20,4e,9a,c7,f1,35,ee,2a,8f,87,f4,f4,68,bd,d3,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"1d68fe701cdea33e477eb204b76f993d"=hex:aa,52,c6,00,84,3c,26,64,c9,6a,80,5d,39,

20,bf,97,aa,52,c6,00,84,3c,26,64,54,c8,2d,b9,59,b7,fb,9a,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,a2,cb,d7,d0,f8,

59,4b,18,b2,46,9a,e2,1b,fe,1b,94,ce,11,4c,f4,15,3d,fa,49,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,d2,14,73,4e,23,

39,4b,e2,37,a4,aa,c3,a6,15,56,0a,f0,22,38,29,b9,6d,e6,e6,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:f8,31,0f,a9,5f,a0,ec,fb,55,2d,49,fd,9b,

84,6a,bc,f8,31,0f,a9,5f,a0,ec,fb,86,b2,d9,0b,e4,49,9a,14,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,f8,20,d3,3b,ca,

6c,ca,44,05,73,21,dd,54,d8,4a,c5,86,d6,8d,1c,a9,c1,cb,b1,6c,43,2d,1e,aa,22,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(948)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2304)

c:\program files\ATI Technologies\ATI HYDRAVISION\HydraDMH.dll

c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL

c:\program files\MozyHome\mozyshell.dll

c:\progra~1\mcafee.com\vso\McVSSkt.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2009-04-14 7:22

ComboFix-quarantined-files.txt 2009-04-14 14:21

ComboFix2.txt 2009-04-13 18:22

ComboFix3.txt 2009-04-12 16:53

ComboFix4.txt 2009-04-11 22:55

Pre-Run: 15,582,429,184 bytes free

Post-Run: 15,571,079,168 bytes free

782 --- E O F --- 2009-04-12 16:03


  • Staff

Hi,

It looks like something interfered with ComboFix during its run.

Can you also disable WinPatrol?

Then, open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the quotebox below into notepad:

File::

c:\windows\system32\drivers\memdqpig.sys

c:\windows\system32\sijczbs.dll

c:\windows\Hjacureqij.bin

c:\windows\Tcoxuyajas.dat

Dirlook::

c:\documents and settings\Brad & Lorez\Application Data\osmazraq

Driver::

memdqpig

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4568AC4F-2035-4210-AC90-8540D1EBD3BC}]

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

Also, I see your McAfee is outdated and you disabled some related components. Not sure why, because how are you supposed to prevent malware if you disable and never update your antivirus? Please let me know in your next reply as well.


Done. McAfee virus was disabled while running these tools for this issue - the other stuff has been off for a while. I hear you...

Combofix.txt below:

Combofix

-----------------------------------

ComboFix 09-04-13.A2 - Brad & Lorez 2009-04-14 8:00.5 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1239 [GMT -7:00]

Running from: c:\documents and settings\Brad & Lorez\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Brad & Lorez\Desktop\CFScript.txt

AV: McAfee VirusScan *On-access scanning disabled* (Outdated)

* Created a new restore point

FILE ::

c:\windows\Hjacureqij.bin

c:\windows\system32\drivers\memdqpig.sys

c:\windows\system32\sijczbs.dll

c:\windows\Tcoxuyajas.dat

.

Error: Cfolders.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\abuxekuvayad.dll

c:\windows\Hjacureqij.bin

c:\windows\system32\drivers\memdqpig.sys

c:\windows\system32\sijczbs.dll

c:\windows\Tcoxuyajas.dat

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_MEMDQPIG

-------\Service_memdqpig

((((((((((((((((((((((((( Files Created from 2009-03-14 to 2009-04-14 )))))))))))))))))))))))))))))))

.

2009-04-13 18:35 . 2009-04-13 18:35 578560 -c--a-w c:\windows\system32\dllcache\user32.dll

2009-04-13 18:30 . 2009-04-13 18:30 -------- d-----w c:\windows\ERUNT

2009-04-12 18:14 . 2009-04-13 19:29 -------- d-----w C:\SDFix

2009-04-12 00:50 . 2009-04-12 00:50 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-04-12 00:49 . 2009-04-12 00:50 -------- d-----w c:\program files\SUPERAntiSpyware

2009-04-12 00:49 . 2009-04-12 00:49 -------- d-----w c:\documents and settings\Brad & Lorez\Application Data\SUPERAntiSpyware.com

2009-04-11 23:05 . 2009-04-11 23:05 -------- d-----w C:\VundoFix Backups

2009-04-11 22:10 . 2009-04-11 22:10 -------- d-----w c:\program files\Trend Micro

2009-04-11 16:33 . 2009-04-11 16:33 -------- d-----w c:\program files\CCleaner

2009-04-11 14:26 . 2009-04-11 22:34 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-04-11 14:06 . 2009-04-11 14:06 -------- d-----w c:\documents and settings\All Users\Application Data\PCPitstop

2009-04-11 14:05 . 2009-04-14 00:32 -------- d-----w c:\program files\PCPitstop

2009-04-11 01:08 . 2009-04-14 00:42 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-04-11 01:08 . 2009-04-11 01:15 -------- d-----w c:\program files\Spybot - Search & Destroy

2009-04-11 01:06 . 2009-04-11 01:05 410984 ----a-w c:\windows\system32\deploytk.dll

2009-04-10 14:37 . 2009-04-10 14:37 -------- d-----w c:\documents and settings\Brad & Lorez\Local Settings\Application Data\osmazraq

2009-04-10 14:37 . 2009-04-10 14:37 -------- d-----w c:\documents and settings\Brad & Lorez\Application Data\osmazraq

2009-04-10 12:26 . 2009-04-10 12:26 -------- d-----w c:\documents and settings\Brad & Lorez\Local Settings\Application Data\{79AB25D8-E44A-424D-951D-2676F459C7B2}

2009-04-05 12:44 . 2009-04-05 12:45 -------- d-----w c:\program files\iTunes

2009-04-05 12:44 . 2009-04-05 12:45 -------- d-----w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}

2009-04-05 12:41 . 2009-03-06 06:59 1900544 ----a-w c:\windows\system32\usbaaplrc.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-14 15:00 . 2004-08-04 12:00 23424 ----a-w c:\windows\system32\drivers\trgbpajq.sys

2009-04-14 00:38 . 2006-07-02 22:42 71160 ----a-w c:\documents and settings\Brad & Lorez\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-04-14 00:29 . 2006-07-02 22:51 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help

2009-04-14 00:29 . 2008-11-30 15:54 -------- d-----w c:\program files\Microsoft Visual Studio 9.0

2009-04-14 00:23 . 2006-07-02 22:54 -------- d-----w c:\program files\Microsoft SQL Server

2009-04-14 00:13 . 2006-07-02 18:43 -------- d-----w c:\program files\Microsoft.NET

2009-04-13 23:38 . 2007-10-26 23:34 -------- d-----w c:\documents and settings\All Users\Application Data\LogiShrd

2009-04-13 23:36 . 2006-09-03 02:12 -------- d-----w c:\program files\iriverter

2009-04-13 23:35 . 2006-07-15 00:57 -------- d-----w c:\program files\Creative

2009-04-13 23:35 . 2006-07-02 18:23 -------- d--h--w c:\program files\InstallShield Installation Information

2009-04-13 20:20 . 2007-04-13 02:59 -------- d-----w c:\program files\Common Files\Real

2009-04-12 00:49 . 2006-12-01 22:45 -------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-04-11 23:38 . 2009-04-11 23:05 136 ----a-w C:\VundoFix.txt

2009-04-11 22:40 . 2004-08-04 12:00 102400 ----a-w c:\windows\system32\lraqfaq.dll

2009-04-11 22:02 . 2008-12-26 05:31 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-04-11 01:05 . 2006-07-13 01:04 -------- d-----w c:\program files\Java

2009-04-06 22:32 . 2008-12-26 05:31 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-06 22:32 . 2008-12-26 05:31 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-04-05 12:44 . 2006-07-02 20:59 -------- d-----w c:\program files\iPod

2009-04-05 12:44 . 2007-10-23 18:31 -------- d-----w c:\program files\Common Files\Apple

2009-03-19 13:41 . 2006-07-02 21:00 -------- d-----w c:\documents and settings\Brad & Lorez\Application Data\Apple Computer

2009-03-16 14:15 . 2006-07-02 21:02 -------- d-----w c:\program files\CalorieKing Nutrition and Exercise Manager for Windows

2009-03-06 06:59 . 2008-10-05 20:50 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys

2009-03-04 19:14 . 2009-03-04 19:14 -------- d-----w c:\program files\Maxis

2009-02-27 01:41 . 2007-08-25 02:18 -------- d-----w c:\program files\Microsoft Silverlight

2009-02-22 16:36 . 2009-01-01 03:58 -------- d-----w c:\program files\Replay Media Catcher

2009-02-22 16:29 . 2009-01-02 15:34 156672 ----a-w c:\windows\system32\rmc_fixasf.exe

2009-02-22 16:29 . 2009-01-02 15:34 237568 ----a-w c:\windows\system32\rmc_rtspdl.dll

2009-02-22 16:29 . 2009-01-02 14:31 323584 ----a-w c:\windows\system32\AUDIOGENIE2.DLL

2009-02-22 03:22 . 2006-07-02 22:51 -------- d-----w c:\program files\Microsoft Visual Studio 8

2009-02-21 21:59 . 2009-01-20 20:09 -------- d-----w c:\program files\NOS

2009-02-21 21:59 . 2009-01-20 20:09 -------- d-----w c:\documents and settings\All Users\Application Data\NOS

2009-02-21 16:29 . 2009-02-21 16:27 -------- d-----w c:\program files\Quicken WillMaker Plus 2009

2009-02-21 16:27 . 2009-02-21 16:27 -------- d-----w c:\documents and settings\Brad & Lorez\Application Data\Quicken WillMaker

2009-02-16 17:01 . 2008-04-26 13:28 -------- d-----w c:\program files\Handbrake

2009-02-15 15:02 . 2009-02-15 15:02 -------- d-----w c:\documents and settings\Brad & Lorez\Application Data\YouSendIt

2009-02-15 02:06 . 2009-02-15 02:06 -------- d-----w c:\program files\Common Files\AnswerWorks 5.0

2009-02-15 02:04 . 2007-04-05 02:35 -------- d-----w c:\documents and settings\All Users\Application Data\Intuit

2009-02-15 02:04 . 2007-04-05 02:35 -------- d-----w c:\program files\Common Files\Intuit

2009-02-15 02:02 . 2007-04-05 02:34 -------- d-----w c:\program files\TurboTax

2009-02-15 01:58 . 2009-02-15 01:58 -------- d-----w c:\documents and settings\All Users\Application Data\Amazon

2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys

2009-01-23 16:46 . 2008-11-30 15:51 163792 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of c:\documents and settings\Brad & Lorez\Application Data\osmazraq ----

2009-04-10 08:09 65536 --a------ c:\documents and settings\Brad & Lorez\Application Data\osmazraq\Profiles\yrf2id5a.default\cert8.db

2009-04-10 08:09 2048 --a------ c:\documents and settings\Brad & Lorez\Application Data\osmazraq\Profiles\yrf2id5a.default\cookies.sqlite

2009-04-10 07:40 131072 --a------ c:\documents and settings\Brad & Lorez\Application Data\osmazraq\Profiles\yrf2id5a.default\places.sqlite

2009-04-10 07:40 0 --a------ c:\documents and settings\Brad & Lorez\Application Data\osmazraq\Profiles\yrf2id5a.default\places.sqlite-journal

2009-04-10 07:39 570 --a------ c:\documents and settings\Brad & Lorez\Application Data\osmazraq\Profiles\yrf2id5a.default\localstore.rdf

2009-04-10 07:39 4096 --a------ c:\documents and settings\Brad & Lorez\Application Data\osmazraq\Profiles\yrf2id5a.default\formhistory.sqlite

2009-04-10 07:39 2048 --a------ c:\documents and settings\Brad & Lorez\Application Data\osmazraq\Profiles\yrf2id5a.default\webappsstore.sqlite

2009-04-10 07:39 10736 --a------ c:\documents and settings\Brad & Lorez\Application Data\osmazraq\Profiles\yrf2id5a.default\pluginreg.dat

2009-04-10 07:37 96173 --a------ c:\documents and settings\Brad & Lorez\Application Data\osmazraq\Profiles\yrf2id5a.default\xpti.dat

2009-04-10 07:37 367 --a------ c:\documents and settings\Brad & Lorez\Application Data\osmazraq\Profiles\yrf2id5a.default\prefs.js

2009-04-10 07:37 207 --a------ c:\documents and settings\Brad & Lorez\Application Data\osmazraq\Profiles\yrf2id5a.default\compatibility.ini

2009-04-10 07:37 2048 --a------ c:\documents and settings\Brad & Lorez\Application Data\osmazraq\Profiles\yrf2id5a.default\permissions.sqlite

2009-04-10 07:37 16384 --a------ c:\documents and settings\Brad & Lorez\Application Data\osmazraq\Profiles\yrf2id5a.default\secmod.db

2009-04-10 07:37 16384 --a------ c:\documents and settings\Brad & Lorez\Application Data\osmazraq\Profiles\yrf2id5a.default\key3.db

2009-04-10 07:37 127820 --a------ c:\documents and settings\Brad & Lorez\Application Data\osmazraq\Profiles\yrf2id5a.default\compreg.dat

2009-04-10 07:37 111 --a------ c:\documents and settings\Brad & Lorez\Application Data\osmazraq\profiles.ini

((((((((((((((((((((((((((((( SnapShot_2009-04-14_ 7.20.32.75 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-04-14 15:03 . 2009-04-14 15:03 16384 c:\windows\Temp\Perflib_Perfdata_bbc.dat

+ 2004-08-04 12:00 . 2009-04-14 15:00 23424 c:\windows\system32\drivers\trgbpajq.sys

- 2004-08-04 12:00 . 2004-08-04 12:00 23424 c:\windows\system32\drivers\trgbpajq.sys

+ 2006-07-02 20:15 . 2009-04-14 15:04 236806 c:\windows\system32\inetsrv\MetaBase.bin

+ 2009-04-14 15:01 . 2005-10-21 03:02 163328 c:\windows\ERDNT\subs\ERDNT.EXE

- 2009-04-11 22:43 . 2005-10-21 03:02 163328 c:\windows\ERDNT\subs\ERDNT.EXE

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]

@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"

[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]

2008-12-04 17:38 3431224 --a------ c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]

@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"

[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]

2008-12-04 17:38 3431224 --a------ c:\program files\MozyHome\mozyshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-02-06 3325952]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]

"MXO Auto Loader"="c:\windows\MXOaldr.exe" [2002-08-09 118784]

"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 151552]

"VirusScan Online"="c:\program files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 163840]

"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 53248]

"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]

"MCUpdateExe"="c:\progra~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 212992]

"HydraVisionDesktopManager"="c:\program files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe" [2003-09-15 270336]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-07-03 802816]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-07-02 700416]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]

"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-07-04 333120]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]

"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-13 169984]

"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-07-02 24576]

MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2008-12-04 3367736]

VPN Client.lnk - c:\windows\Installer\{A7091E1D-36A4-47F1-A739-173CC341414F}\Icon3E5562ED7.ico [2008-07-26 6144]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.3IV2"= 3ivxVfWCodec_dec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"McTskshd.exe"=2 (0x2)

"McShield"=2 (0x2)

"mcupdmgr.exe"=3 (0x3)

"McDetect.exe"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=

"c:\\WINDOWS\\system32\\javaw.exe"=

"c:\\Program Files\\Macromedia\\Contribute 3\\Contribute.exe"=

"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=

"c:\\Program Files\\Java\\jre1.5.0_10\\bin\\javaw.exe"=

"c:\\WINDOWS\\system32\\java.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\html2rss\\html2rss.exe"=

"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

"c:\\Program Files\\Lavasoft\\Ad-Aware\\aawservice.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"9000:TCP"= 9000:TCP:SlimServer 9000 tcp

"3483:UDP"= 3483:UDP:SlimServer 3483 udp

"3483:TCP"= 3483:TCP:SlimServer 3483 tcp

S2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-11 124832]

S2 ColdFusion 8 .NET Service;ColdFusion 8 .NET Service;c:\coldfusion8\jnbridge\CF8DotNetsvc.exe [2007-05-30 77824]

S2 ColdFusion 8 Application Server;ColdFusion 8 Application Server;c:\coldfusion8\runtime\bin\jrunsvc.exe [2007-05-25 61440]

S2 ColdFusion 8 ODBC Agent;ColdFusion 8 ODBC Agent; [x]

S2 ColdFusion 8 ODBC Server;ColdFusion 8 ODBC Server; [x]

S2 ColdFusion 8 Search Server;ColdFusion 8 Search Server;c:\coldfusion8\verity\k2\_nti40\bin\k2admin.exe [2006-09-04 2743056]

S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MEMDQPIG

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f54484d-7f3b-11dc-a2b2-0015c5b1d98f}]

\Shell\AutoRun\command - e:\system\viewer\FlipVideoforPC.exe

\Shell\Flip Video for PC\command - e:\system\viewer\FlipVideoforPC.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{482c0c63-04cf-11de-a4e0-0015c5b1d98f}]

\Shell\AutoRun\command - E:\Autorun.exe /run

\Shell\Shell00\Command - E:\Autorun.exe /run

\Shell\Shell01\Command - E:\Autorun.exe /action

\Shell\Shell02\Command - E:\Autorun.exe /uninstall

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59aecf72-0e42-11dc-a1df-0015c5b1d98f}]

\Shell\AutoRun\command - e:\system\viewer\FlipVideoforPC.exe

\Shell\Flip Video for PC\command - e:\system\viewer\FlipVideoforPC.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{68166e88-17fa-11db-9cfc-0015c5122668}]

\Shell\AutoRun\command - e:\jdsecure\Windows\JDSecure20.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8492efc4-b8c5-11dc-a2fc-0015c5b1d98f}]

\Shell\AutoRun\command - F:\CAEdgemobile.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a19a1ef0-6426-11dd-a3e8-0015c5b1d98f}]

\Shell\AutoRun\command - E:\Autorun.exe /run

\Shell\Shell00\Command - E:\Autorun.exe /run

\Shell\Shell01\Command - E:\Autorun.exe /action

\Shell\Shell02\Command - E:\Autorun.exe /uninstall

.

Contents of the 'Scheduled Tasks' folder

2009-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-04-14 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (HINSPIRON-Brad & Lorez).job

- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2005-07-08 18:18]

2009-04-13 c:\windows\Tasks\User_Feed_Synchronization-{9B511CC1-CDFD-4B39-800F-769B6043CDEB}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 19:36]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

Trusted Zone: turbotax.com

DPF: {02FFCFC3-C28F-4ED9-954B-1BAC9FD77E12} - hxxp://miracosta.intra.net/media/xflux3.cab

DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll

FF - ProfilePath - c:\documents and settings\Brad & Lorez\Application Data\Mozilla\Firefox\Profiles\sslgim2q.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/reader/view/#stream/user%2F03313634388283504904%2Flabel%2Femploy

FF - component: c:\documents and settings\Brad & Lorez\Application Data\Mozilla\Firefox\Profiles\sslgim2q.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll

FF - plugin: c:\documents and settings\Brad & Lorez\Application Data\Mozilla\Firefox\Profiles\sslgim2q.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll

FF - plugin: c:\documents and settings\Brad & Lorez\Application Data\Mozilla\Firefox\Profiles\sslgim2q.default\extensions\ustreampublisher@ustream.tv\platform\WINNT_x86-msvc\plugins\npustreampublisher.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Intra.Net 4.x Components\packages\{309453F2-8D7A-4F10-BDAC-EA09D31F9198}\npsf.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll

.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-14 08:04

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1547161642-2049760794-839522115-1003\Software\SecuROM\License information*]

"datasecu"=hex:38,1c,c7,8f,d7,8f,b7,c0,34,e2,7b,18,9d,8e,50,41,86,0e,e0,44,e8,

8c,17,5c,58,f5,7c,dd,e5,12,7a,6e,70,b6,6a,7e,f3,41,f8,8b,f5,f4,8f,8c,43,2b,\

"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,93,88,7a,bf,61,

df,9e,31,2e,e8,e1,00,eb,16,2b,de,00,a4,5d,94,ea,a2,26,eb,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,01,1f,f7,3b,1a,

2b,ab,f0,46,47,15,b0,92,4b,c7,ef,03,39,39,49,37,4b,0f,4a,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,b4,f0,99,67,6f,

83,45,e3,7a,45,05,fd,91,e8,6f,31,3a,cc,f1,25,fd,dd,f5,6d,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,8b,47,70,40,67,

20,55,82,6b,65,49,6a,7e,99,74,f7,fb,b2,89,7c,67,35,f2,b2,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,c0,a1,f6,64,9b,

a3,0e,29,e9,02,6c,fa,fb,1d,47,57,f8,69,1d,a8,a6,e2,80,3f,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,3e,3c,e2,52,88,

54,ad,cb,50,93,e5,ab,ec,6a,4e,ab,b0,47,2e,be,8f,d9,72,69,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,b6,ab,66,20,ae,

00,90,85,97,20,4e,9a,c7,f1,35,ee,2a,8f,87,f4,f4,68,bd,d3,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"1d68fe701cdea33e477eb204b76f993d"=hex:aa,52,c6,00,84,3c,26,64,c9,6a,80,5d,39,

20,bf,97,aa,52,c6,00,84,3c,26,64,54,c8,2d,b9,59,b7,fb,9a,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,a2,cb,d7,d0,f8,

59,4b,18,b2,46,9a,e2,1b,fe,1b,94,ce,11,4c,f4,15,3d,fa,49,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,d2,14,73,4e,23,

39,4b,e2,37,a4,aa,c3,a6,15,56,0a,f0,22,38,29,b9,6d,e6,e6,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:f8,31,0f,a9,5f,a0,ec,fb,55,2d,49,fd,9b,

84,6a,bc,f8,31,0f,a9,5f,a0,ec,fb,86,b2,d9,0b,e4,49,9a,14,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,f8,20,d3,3b,ca,

6c,ca,44,05,73,21,dd,54,d8,4a,c5,86,d6,8d,1c,a9,c1,cb,b1,6c,43,2d,1e,aa,22,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(948)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1456)

c:\program files\ATI Technologies\ATI HYDRAVISION\HydraDMH.dll

c:\program files\MozyHome\mozyshell.dll

c:\progra~1\mcafee.com\vso\McVSSkt.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Intel\Wireless\Bin\WLKEEPER.exe

c:\program files\Lavasoft\Ad-Aware\aawservice.exe

c:\windows\system32\ati2evxx.exe

c:\progra~1\McAfee.com\VSO\McVSEscn.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\coldfusion8\jnbridge\JNBDotNetSide.exe

c:\coldfusion8\db\slserver54\bin\swagent.exe

c:\coldfusion8\runtime\bin\jrun.exe

c:\coldfusion8\db\slserver54\bin\swstrtr.exe

c:\coldfusion8\db\slserver54\bin\swsoc.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\windows\system32\inetsrv\inetinfo.exe

c:\program files\MozyHome\mozybackup.exe

c:\program files\Dell\QuickSet\NicConfigSvc.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\coldfusion8\verity\k2\_nti40\bin\k2server.exe

c:\coldfusion8\verity\k2\_nti40\bin\k2index.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-04-14 8:08 - machine was rebooted

ComboFix-quarantined-files.txt 2009-04-14 15:08

ComboFix2.txt 2009-04-14 14:22

ComboFix3.txt 2009-04-13 18:22

ComboFix4.txt 2009-04-12 16:53

ComboFix5.txt 2009-04-14 15:00

Pre-Run: 15,549,349,888 bytes free

Post-Run: 15,536,754,688 bytes free

383 --- E O F --- 2009-04-12 16:03
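The ComboFix log above prints several registry settings that a responder should flag before anything else: Security Center notifications and product monitoring turned off, the Windows Firewall standard profile disabled, and AutoRun command handlers registered under `mountpoints2` for removable drives. As an added example (not part of this thread and not ComboFix's own code), the script below parses a handful of lines in that log format and returns those findings. The regexes, the finding categories and the `triage` function name are this example's own assumptions; the sample lines are copied from the log posted above.

```python
"""Triage a ComboFix-style registry dump for weakened security settings and AutoRun handlers.

Added example, not code from the forum thread or from ComboFix. It reads the
registry-dump lines ComboFix prints and flags the entries a responder would
want to look at first. Regexes, category names and the triage() helper are
this example's own conventions.
"""
import re

# Constructed sample in ComboFix's output format; the lines are taken from the
# log posted above (backslashes doubled because this is a Python string).
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{482c0c63-04cf-11de-a4e0-0015c5b1d98f}]
\\Shell\\AutoRun\\command - E:\\Autorun.exe /run
\\Shell\\Shell01\\Command - E:\\Autorun.exe /action
"""

# A registry key header: [HKEY_...\path]
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# A value line: "Name"=<value>
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.*)$')
# A mountpoints2 shell handler: \Shell\<verb>\command - <program and arguments>
AUTORUN_RE = re.compile(r'^\\Shell\\.*\\command\s+-\s+(?P<cmd>.+)$', re.IGNORECASE)


def parse_reg_value(raw):
    """Turn ComboFix's value text ('dword:00000001' or '0 (0x0)') into an int, or None."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"^(-?\d+)", raw)
    return int(m.group(1)) if m else None


def triage(log_text):
    """Return a list of (category, detail) findings, in the order they appear in the log."""
    findings = []
    key = ""  # the most recent [key] header; value lines belong to it
    for line in log_text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        lowered_key = key.lower()
        last_component = key.rsplit("\\", 1)[-1]

        # AutoRun / shell verb handlers for a mounted volume (drive GUID is the key's last part)
        am = AUTORUN_RE.match(line)
        if am and "mountpoints2" in lowered_key:
            findings.append(("autorun", f"{last_component}: {am.group('cmd')}"))
            continue

        vm = VALUE_RE.match(line)
        if not vm:
            continue
        name, value = vm.group("name"), parse_reg_value(vm.group("value"))

        if "security center" in lowered_key:
            if name.endswith("DisableNotify") and value == 1:
                findings.append(("security-center",
                                 f"{name} is 1: Security Center alerts suppressed"))
            elif name == "DisableMonitoring" and value == 1:
                findings.append(("security-center",
                                 f"monitoring disabled for {last_component}"))
        elif "firewallpolicy" in lowered_key and name == "EnableFirewall" and value == 0:
            findings.append(("firewall", f"Windows Firewall disabled in {last_component}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```

Run it against a saved ComboFix log by reading the file into `triage()`; the `autorun` findings are worth checking against the drives actually attached, since the thread's own log shows handlers for several device GUIDs, and the `security-center` and `firewall` findings are the settings to restore once the machine is clean.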


  • Staff

Hi,

This looks OK again.

* Go to start > run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Not sure if you're going to keep McAfee or not, because it's totally useless if it's outdated. In case you're not going to update it, I suggest you uninstall it and replace it with another Antivirus.

Let me know in your next reply how things are now.



You rock! All is better now - no signs of malware. I will probably dump McAfee and opt for one of the recommended tools in this forum.

Thanks for your help.


  • Staff

Glad I could help. :D

Please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!


  • Staff

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
