
[Resolved] Browser re-direct, Hijackthis non-functional, malware


  • This topic is locked
24 replies to this topic

#1 jcommerce

    New Member

  • Authentic Member
  • 14 posts

Posted 01 August 2009 - 03:34 PM

Hello. After years of clean, virus-free computer use, I appear to have caught the latest version of a browser re-direct virus. I have run an updated McAfee virus scan and an Ad-Aware scan and removed what they came up with, but I'm still in bad shape. I have been reading all day on how to get rid of this and have ended up here looking for help from you, the experts. System Restore is non-functional, and I have installed HijackThis and Malwarebytes, both of which are non-functional, and most websites for malware removal are blocked (Spybot, etc.). This computer was running perfectly until this virus hit yesterday, and now I'm only able to restart 1 out of every 5 times or so (it stalls on loading of personal settings or network settings). I have debated formatting my hard drive, but I don't have my OS disk (it is a Dell that didn't come with the disk, the warranty is now expired, and Microsoft will charge me $150 for an update). This computer also has software for my home security system that was professionally installed, and it would be a nightmare and expensive to have those guys come out and re-do it all again. I am on my hands and knees begging for help, and I'm looking to you, the experts. I am happy to donate to this site or the individual who can successfully walk me through the recovery process and can get on the phone, chatroom (on a separate laptop), etc. if necessary. Thanks in advance. Jake

Edited by jcommerce, 01 August 2009 - 03:35 PM.



#2 CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 01 August 2009 - 04:15 PM

Hi,

Our help is free.

You may have to run these scans in Safe Mode to get them to work.

If you have difficulty downloading these programs, then download them to another computer and transfer them to the infected computer via USB.

To Enter Safe Mode
  • Go to Start > Shut off your Computer > Restart
  • As the computer starts to boot up, tap the F8 key repeatedly; this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safe Mode
  • Then press the Enter Key on your Keyboard
  • Go into your usual account

NEXT

Please do the following:

STEP #1

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.pif to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


STEP #2

NOTE: You may have to rename GMER to REMG.exe to get it to run.


Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
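As an added example (not code from this thread, from the DDS tool, or from the helper), here is a small Python triage script over the kind of lines a DDS report contains. It flags a security product that reports itself as disabled, resolver entries that differ from the ones the network should be using (the tell-tale of a DNS-changing hijack), and autostart entries or recently created files whose names look machine-generated, which is roughly what a helper scans such a log for by eye. The sample lines are copied from the DDS log jcommerce posts later in the thread; EXPECTED_DNS is an assumed placeholder, and the random-name check is a heuristic triage hint, not a verdict.

```python
"""Triage heuristics for DDS-style log lines.

Added example, not a tool from this thread. SAMPLE is copied from the DDS log
posted later in the thread; EXPECTED_DNS is an assumed placeholder for the
resolvers a given network should be using.
"""
import re
from dataclasses import dataclass

# Assumption (placeholder): the DNS resolvers this network is expected to use.
EXPECTED_DNS = {"192.168.1.1"}

# A file name with an executable-ish extension anywhere in a log line.
FILE_TOKEN = re.compile(r"[\w~'.-]+\.(?:exe|dll|ocx|cpl|bin|sys|scr|pif)\b", re.I)


@dataclass(frozen=True)
class Finding:
    kind: str    # category of the indicator
    detail: str  # the specific value that triggered it
    line: str    # the log line it came from


def looks_random(basename: str) -> bool:
    """Heuristic: a stem of 8+ characters that switches between digit runs and
    letter runs four or more times (tixwf8p6, 46b5threzt14809) looks
    machine-generated; wg111v3 or KB905474 do not. A triage hint, not a verdict."""
    stem = basename.rsplit(".", 1)[0]
    runs = re.findall(r"\d+|\D+", stem)
    return len(stem) >= 8 and len(runs) >= 4


def triage(lines, expected_dns=EXPECTED_DNS):
    """Return a Finding for every indicator spotted in the given DDS lines."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        # 1. A security product reporting itself as disabled.
        if re.match(r"^(AV|FW):", line) and "disabled" in line.lower():
            findings.append(Finding("protection-disabled", line.split("*")[1], line))
        # 2. Resolvers other than the ones this network is expected to use.
        m = re.match(r"^TCP:\s*(?:NameServer|\{[0-9A-Fa-f-]+\})\s*=\s*(.+)$", line)
        if m:
            for server in (s.strip() for s in m.group(1).split(",")):
                if server not in expected_dns:
                    findings.append(Finding("unexpected-dns", server, line))
        # 3. Autostart entries or recently created files with machine-looking names.
        if re.match(r"^[umd]Run(?:Once)?:", line) or re.match(r"^\d{4}-\d{2}-\d{2} ", line):
            for name in FILE_TOKEN.findall(line):
                if looks_random(name):
                    findings.append(Finding("random-name", name, line))
                    break
    return findings


# Lines copied from the thread's DDS log, with one clean line per category for contrast.
SAMPLE = r"""
AV: AVG 7.5.516 *On-access scanning enabled* (Updated) {41564737-3200-1071-989B-0000E87B4FB1}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [tixwf8p6.exe] c:\windows\system32\tixwf8p6.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
TCP: NameServer = 85.255.112.145,85.255.112.194
TCP: {BCCE1368-DDCE-4099-8A7A-E786C7D9C275} = 85.255.112.145,85.255.112.194
2009-08-01 14:53 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-31 20:50 6,549 a------- c:\windows\46b5threzt14809.ocx
2009-07-27 11:36 11,109 a------- c:\windows\system32\5zc19ir2716.bin
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.kind:20} {f.detail:24} <- {f.line}")
```

Run against a full DDS.txt (`triage(open("DDS.txt").readlines())`) it gives a first list of lines to read closely; every hit still needs a human to confirm it, exactly as the caution about false positives in the GMER step says.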


#3 jcommerce

    New Member

  • Authentic Member
  • 14 posts

Posted 01 August 2009 - 07:52 PM

Thank you. Step #1 completed, Step #2 in process. Will post reply as soon as #2 scan is completed.

#4 jcommerce

    New Member

  • Authentic Member
  • 14 posts

Posted 01 August 2009 - 08:34 PM

Catbyte, here are the 3 results. The McAfee Antivirus was active, but it appeared to run alright. Let me know if the McAfee may have tainted the results. Thanks


DDS (Ver_09-07-30.01) - NTFSx86 NETWORK
Run by JFairclough at 17:13:38.82 on Sat 08/01/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1723 [GMT -6:00]

AV: AVG 7.5.516 *On-access scanning enabled* (Updated) {41564737-3200-1071-989B-0000E87B4FB1}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\rundll32.exe
E:\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant =
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: AvayaIEHlprObj Class: {e6df0b46-7d6f-407a-a6a2-62d17a021a9a} - c:\program files\avaya\avaya ip softphone\AvayaWebDial.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - No File
TB: {855F3B16-6D32-4FE6-8A56-BBB695989046} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EFI Job Monitor] c:\windows\system32\rundll32.exe c:\windows\system32\spool\drivers\w32x86\3\efjm.dll,run
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [tixwf8p6.exe] c:\windows\system32\tixwf8p6.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\jfairc~1\startm~1\programs\startup\seagat~1.lnk - c:\documents and settings\jfairclough\application data\leadertech\powerregister\Seagate 2GEY20ZG Product Registration.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe
mPolicies-system: MaxGPOScriptWait = 1000 (0x3e8)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: musicmatch.com\online
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.6.4/GarminAxControl.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1246727255546
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1246727232625
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} - hxxp://qmedia.xlontech.net/100170/sdk/latest/qsp2ie06041001.cab
TCP: NameServer = 85.255.112.145,85.255.112.194
TCP: {BCCE1368-DDCE-4099-8A7A-E786C7D9C275} = 85.255.112.145,85.255.112.194
TCP: {BDF4D105-D556-455C-A28A-8578710BDC29} = 85.255.112.145,85.255.112.194
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-8-1 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
S1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-7-21 201320]
S1 NHostNT1;NetOp Driver 1 ver. 8.00 (2006047);c:\windows\system32\drivers\NHOSTNT1.SYS [2006-5-18 90896]
S2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-4-17 464264]
S2 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2009-4-17 234888]
S2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2007-10-9 38144]
S2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-5-1 181544]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-7-26 133104]
S2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-7-21 359248]
S2 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\Mcshield.exe [2008-7-21 144704]
S2 NetOp Host for NT Service;NetOp Helper ver. 8.00 (2006047);c:\program files\danware data\netop remote control\host\NHOSTSVC.EXE [2006-5-18 1196304]
S2 Retrospect Client;Retrospect Client;c:\program files\dantz\client\RemotSvc.exe [2006-5-18 57344]
S3 ECCL100;ECCL100 NDIS Protocol Driver;\??\c:\windows\system32\eccl100.sys --> c:\windows\system32\ECCL100.SYS [?]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-7-21 695624]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-7-21 79304]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-7-21 35240]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-7-21 33832]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-7-21 40488]
S3 NHOSTNT3;NetOp Driver 3 ver. 8.00 (2006047) (NHOSTNT3);c:\windows\system32\drivers\NHOSTNT3.SYS [2006-5-18 3216]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-12-28 287232]

=============== Created Last 30 ================

2009-08-01 14:53 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-01 14:52 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-01 14:52 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-01 14:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-01 14:38 <DIR> --d----- c:\program files\Video Server E
2009-08-01 13:28 <DIR> --d----- c:\program files\Trend Micro
2009-08-01 11:47 15,688 a------- c:\windows\system32\lsdelete.exe
2009-08-01 09:41 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-08-01 09:38 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-01 09:38 <DIR> --d----- c:\program files\Lavasoft
2009-07-31 20:50 6,549 a------- c:\windows\46b5threzt14809.ocx
2009-07-29 20:10 <DIR> --d----- c:\program files\Seagate
2009-07-29 20:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Seagate
2009-07-27 11:36 11,109 a------- c:\windows\system32\5zc19ir2716.bin
2009-07-26 18:36 <DIR> --d----- C:\Garmin
2009-07-26 18:09 11,054 a------- c:\windows\5196zworm393.cpl
2009-07-26 06:17 12,667 a------- c:\windows\system32\92z38wor5326.ocx
2009-07-26 00:10 6,256 a------- c:\windows\4125bazkdo9r559.bin
2009-07-25 13:23 <DIR> --d----- c:\docume~1\jfairc~1\applic~1\GARMIN
2009-07-25 04:06 7,080 a------- c:\windows\1z539virusf.dll
2009-07-23 16:50 10,480 a------- c:\windows\system32\2azaadd9are335.ocx
2009-07-23 09:26 10,420 a------- c:\windows\system32\9523wo9z305.ocx
2009-07-19 21:21 <DIR> --d----- c:\docume~1\jfairc~1\applic~1\Cakewalk
2009-07-19 21:20 368,640 a------- c:\windows\system32\ReWire.dll
2009-07-19 21:20 <DIR> --d----- c:\program files\Cakewalk
2009-07-19 01:24 16,100 a------- c:\windows\system32\5645dowz9oader2868.ocx
2009-07-18 08:13 3,983 a------- c:\windows\455ath5ea919658z.cpl
2009-07-18 02:08 4,053 a------- c:\windows\10795vi5uz389.exe
2009-07-17 01:50 13,159 a------- c:\windows\system32\18719s5az9otcb.cpl
2009-07-16 22:09 4,305 a------- c:\windows\1f5zdownloade93516.ocx
2009-07-12 11:48 16,508 a------- c:\windows\8151n9t5a-vzrus2cf.dll
2009-07-11 17:42 5,275 a------- c:\windows\system32\c659yzare2990.dll
2009-07-11 01:01 15,117 a------- c:\windows\system32\5160zir5s296.cpl
2009-07-10 08:53 11,689 a------- c:\windows\system32\57925a9kzoor690.exe
2009-07-09 22:16 15,664 a------- c:\windows\9f2z5parse1730.cpl
2009-07-08 23:08 18,431 a------- c:\windows\system32\2ef459dware5z9.ocx
2009-07-07 23:09 <DIR> --dsh--- c:\documents and settings\jfairclough\IECompatCache
2009-07-07 22:09 13,406 a------- c:\windows\system32\2e9asp5rze990.cpl
2009-07-07 03:49 7,050 a------- c:\windows\system32\9z25sp5mbo9a0.cpl
2009-07-06 15:48 12,627 a------- c:\windows\9049zackt5ol442.dll
2009-07-05 13:35 <DIR> --d----- c:\docume~1\jfairc~1\applic~1\LimeWire
2009-07-05 13:33 <DIR> --d----- c:\program files\LimeWire
2009-07-05 02:42 6,351 a------- c:\windows\system32\9513hz95tool3c.exe
2009-07-05 01:18 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-07-05 00:09 <DIR> --d----- C:\OEMSettings
2009-07-04 22:04 3,769 a------- c:\windows\system32\32155ha9ktooz1e2.ocx
2009-07-04 19:39 <DIR> --dsh--- c:\documents and settings\jfairclough\PrivacIE
2009-07-04 19:33 3,251 a------- c:\windows\system32\wbem\Outlook_01c9fd109e480496.mof
2009-07-04 19:29 <DIR> --dsh--- c:\documents and settings\jfairclough\IETldCache
2009-07-04 18:52 <DIR> --d----- c:\windows\system32\XPSViewer
2009-07-04 18:51 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-07-04 18:51 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-07-04 18:51 117,760 -------- c:\windows\system32\prntvpt.dll
2009-07-04 18:51 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-07-04 18:51 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-07-04 18:51 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-07-04 18:51 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-07-04 18:50 <DIR> --d----- c:\windows\SxsCaPendDel
2009-07-04 16:21 <DIR> --d----- c:\windows\system32\KB905474
2009-07-04 15:54 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-07-04 15:54 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-07-04 15:54 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-07-04 15:52 333,952 -c------ c:\windows\system32\dllcache\srv.sys
2009-07-04 15:50 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-07-04 15:49 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2009-07-04 15:49 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-07-04 15:48 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2009-07-04 15:47 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2009-07-04 15:45 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-07-04 15:45 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2009-07-04 12:23 <DIR> --d----- c:\windows\system32\scripting
2009-07-04 12:23 <DIR> --d----- c:\windows\l2schemas
2009-07-04 12:23 <DIR> --d----- c:\windows\system32\en
2009-07-04 12:23 <DIR> --d----- c:\windows\system32\bits
2009-07-04 12:15 <DIR> --d----- c:\windows\network diagnostic
2009-07-04 11:58 136,192 -------- c:\windows\system32\aaclient.dll
2009-07-04 11:08 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-07-03 06:14 15,541 a------- c:\windows\system32\8900virzs754.dll

==================== Find3M ====================

2009-07-04 12:27 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-07-02 06:48 15,382 a------- c:\windows\319daddware18z95.bin
2009-06-28 17:20 7,145 a------- c:\windows\system32\5cz9ad9ware1365.bin
2009-06-28 00:10 12,774 a------- c:\windows\system32\41c5threat2z109.exe
2009-06-26 21:01 13,338 a------- c:\windows\system32\2999a59zare248.exe
2009-06-26 10:06 11,275 a------- c:\windows\92b5d9zare277.exe
2009-06-25 19:22 18,069 a------- c:\windows\3750threat5z595.exe
2009-06-22 22:25 12,256 a------- c:\windows\44c6threa5629z.bin
2009-06-22 01:49 13,099 a------- c:\windows\system32\45b4t9zef6565.dll
2009-06-17 23:35 2,949 a------- c:\windows\system32\zf09threat10513.exe
2009-06-13 14:44 17,853 a------- c:\windows\system32\15392not-a-viru549z.bin
2009-06-13 13:24 15,562 a------- c:\windows\zeb9thief539.exe
2009-06-12 13:21 5,235 a------- c:\windows\system32\1957hackt9ol5az.bin
2009-06-11 18:34 17,262 a------- c:\windows\92536spyz57.exe
2009-06-07 04:54 16,156 a------- c:\windows\5f96vzr1991.bin
2009-06-05 14:19 18,212 a------- c:\windows\system32\373bsteaz5689.exe
2009-06-04 09:35 2,635 a------- c:\windows\system32\24espazse859.bin
2009-05-28 06:54 12,857 a------- c:\windows\system32\3b25backdoor55z9.bin
2009-05-28 03:38 8,257 a------- c:\windows\system32\573a95arze797.exe
2009-05-25 21:38 12,412 a------- c:\windows\system32\31982not-a-5irusz7d.exe
2009-05-24 09:30 10,624 a------- c:\windows\system32\3669t5oj6z.bin
2009-05-24 06:00 5,769 a------- c:\windows\system32\5aeddow9loaderz252.dll
2009-05-22 06:13 6,322 a------- c:\windows\system32\97a6thi5f15z9.bin
2009-05-14 21:01 8,216 a------- c:\windows\system32\4325steal19z2.bin
2009-05-14 00:26 7,109 a------- c:\windows\6250stealz968.dll
2009-05-11 01:43 14,437 a------- c:\windows\system32\6e07backdo59158z.exe
2009-05-11 01:28 3,329 a------- c:\windows\9885stzal1565.exe
2009-05-09 06:41 15,089 a------- c:\windows\system32\14091spy3z5.dll
2009-05-07 13:51 3,020 a------- c:\windows\1875znot-a-9irus67e.dll
2009-05-07 09:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-06 17:22 16,258 a------- c:\windows\system32\z15fdownloade92848.dll
2009-05-06 03:24 8,641 a------- c:\windows\system32\20895w9rz659.dll
2009-05-05 14:59 6,896 a------- c:\windows\7c255zeal1967.bin
2008-04-03 09:22 256 a------- c:\documents and settings\jfairclough\pool.bin
2007-12-28 15:02 287,232 a------- c:\windows\inf\wg111v3\wg111v3.sys
2007-12-28 14:59 342,528 a------- c:\windows\inf\wg111v3\vista64\wg111v3.sys
2007-11-27 17:53 63,488 a------- c:\windows\inf\wg111v3\SetDrv64.exe
2007-11-27 17:52 32,768 a------- c:\windows\inf\wg111v3\SetDrv.exe
2006-12-15 11:30 315,392 a------- c:\windows\inf\wg111v3\InstallDriver.exe
2006-12-15 11:30 212,992 a------- c:\windows\inf\wg111v3\CopyWHQLDriver.exe
2006-12-15 11:30 98,304 a------- c:\windows\inf\wg111v3\UScanM.exe
2006-12-15 11:30 20,480 a------- c:\windows\inf\wg111v3\RTWUPath.exe
2006-12-15 11:30 19,968 a------- c:\windows\inf\wg111v3\RTWREFU.EXE

============= FINISH: 17:14:35.82 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 5/17/2006 5:37:51 PM
System Uptime: 8/1/2009 4:59:33 PM (1 hours ago)

Motherboard: Dell Inc. | | 0J3492
Processor: Intel® Pentium® 4 CPU 3.00GHz | Microprocessor | 2992/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 149 GiB total, 19.973 GiB free.
D: is CDROM (CDFS)
E: is Removable
F: is FIXED (NTFS) - 1397 GiB total, 1393.531 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1029: 5/2/2009 10:31:50 PM - System Checkpoint
RP1030: 5/3/2009 10:54:50 PM - System Checkpoint
RP1031: 5/5/2009 6:55:13 AM - System Checkpoint
RP1032: 5/6/2009 7:42:20 AM - System Checkpoint
RP1033: 5/7/2009 8:18:21 AM - System Checkpoint
RP1034: 5/8/2009 9:19:26 AM - System Checkpoint
RP1035: 5/8/2009 11:35:04 PM - Installed QuickTime
RP1036: 5/10/2009 6:12:50 AM - System Checkpoint
RP1037: 5/11/2009 6:26:55 AM - System Checkpoint
RP1038: 5/12/2009 7:30:19 AM - System Checkpoint
RP1039: 5/13/2009 8:18:20 AM - System Checkpoint
RP1040: 5/14/2009 9:18:19 AM - System Checkpoint
RP1041: 5/15/2009 10:06:20 AM - System Checkpoint
RP1042: 5/17/2009 1:05:19 PM - System Checkpoint
RP1043: 5/18/2009 2:36:35 PM - System Checkpoint
RP1044: 5/19/2009 3:13:43 PM - System Checkpoint
RP1045: 5/20/2009 4:30:54 PM - System Checkpoint
RP1046: 5/21/2009 5:02:21 PM - System Checkpoint
RP1047: 5/22/2009 6:02:22 PM - System Checkpoint
RP1048: 5/23/2009 6:14:21 PM - System Checkpoint
RP1049: 5/24/2009 7:26:21 PM - System Checkpoint
RP1050: 5/25/2009 8:38:22 PM - System Checkpoint
RP1051: 5/27/2009 7:03:52 AM - System Checkpoint
RP1052: 6/4/2009 6:29:49 AM - System Checkpoint
RP1053: 6/5/2009 6:47:34 AM - System Checkpoint
RP1054: 6/6/2009 7:50:22 AM - System Checkpoint
RP1055: 6/7/2009 8:42:38 AM - System Checkpoint
RP1056: 6/8/2009 9:02:21 AM - System Checkpoint
RP1057: 6/9/2009 9:14:21 AM - System Checkpoint
RP1058: 6/10/2009 10:02:21 AM - System Checkpoint
RP1059: 6/11/2009 10:44:22 AM - System Checkpoint
RP1060: 6/12/2009 11:02:53 AM - System Checkpoint
RP1061: 6/13/2009 12:14:22 PM - System Checkpoint
RP1062: 6/14/2009 12:26:22 PM - System Checkpoint
RP1063: 6/15/2009 1:26:22 PM - System Checkpoint
RP1064: 6/16/2009 2:50:22 PM - System Checkpoint
RP1065: 6/17/2009 3:02:21 PM - System Checkpoint
RP1066: 6/18/2009 3:50:21 PM - System Checkpoint
RP1067: 6/19/2009 4:02:22 PM - System Checkpoint
RP1068: 6/20/2009 5:46:19 PM - System Checkpoint
RP1069: 6/21/2009 6:26:21 PM - System Checkpoint
RP1070: 6/22/2009 6:38:21 PM - System Checkpoint
RP1071: 6/23/2009 7:02:22 PM - System Checkpoint
RP1072: 6/24/2009 8:02:21 PM - System Checkpoint
RP1073: 6/25/2009 8:14:22 PM - System Checkpoint
RP1074: 6/27/2009 8:24:24 PM - Removed WeatherBug
RP1075: 6/29/2009 10:01:57 PM - System Checkpoint
RP1076: 7/2/2009 2:54:20 PM - Configured NETGEAR WG111v3 wireless USB 2.0 adapter
RP1077: 7/2/2009 2:54:56 PM - Configured NETGEAR WG111v3 wireless USB 2.0 adapter
RP1078: 7/2/2009 2:56:27 PM - Installed NETGEAR WG111v3 wireless USB 2.0 adapter
RP1079: 7/4/2009 11:38:12 AM - Software Distribution Service 3.0
RP1080: 7/4/2009 12:00:59 PM - Software Distribution Service 3.0
RP1081: 7/4/2009 4:12:06 PM - Software Distribution Service 3.0
RP1082: 7/4/2009 7:08:11 PM - Printer Driver Microsoft XPS Document Writer Installed
RP1083: 7/4/2009 7:58:07 PM - Configured NETGEAR WG111v3 wireless USB 2.0 adapter
RP1084: 7/5/2009 12:08:42 AM - Installed NETGEAR WG111v3 wireless USB 2.0 adapter
RP1085: 7/5/2009 1:17:11 AM - Restore Operation
RP1086: 7/5/2009 1:26:51 AM - Installed NETGEAR WG111v3 wireless USB 2.0 adapter
RP1087: 7/6/2009 7:38:05 AM - System Checkpoint
RP1088: 7/7/2009 7:44:02 AM - System Checkpoint
RP1089: 7/8/2009 8:45:07 AM - System Checkpoint
RP1090: 7/9/2009 9:44:02 AM - System Checkpoint
RP1091: 7/10/2009 10:44:02 AM - System Checkpoint
RP1092: 7/11/2009 12:17:32 PM - System Checkpoint
RP1093: 7/12/2009 12:44:02 PM - System Checkpoint
RP1094: 7/13/2009 1:43:15 PM - System Checkpoint
RP1095: 7/14/2009 1:44:02 PM - System Checkpoint
RP1096: 7/15/2009 2:44:04 PM - System Checkpoint
RP1097: 7/16/2009 3:44:02 PM - System Checkpoint
RP1098: 7/17/2009 4:44:02 PM - System Checkpoint
RP1099: 7/18/2009 5:44:02 PM - System Checkpoint
RP1100: 7/19/2009 7:05:02 PM - Installed Envara Configuration Utility
RP1101: 7/19/2009 9:20:40 PM - Installed Microsoft Visual C++ 2005 Redistributable
RP1102: 7/21/2009 12:06:20 AM - System Checkpoint
RP1103: 7/22/2009 1:02:25 AM - System Checkpoint
RP1104: 7/23/2009 2:01:24 AM - System Checkpoint
RP1105: 7/24/2009 3:01:20 AM - System Checkpoint
RP1106: 7/25/2009 4:01:24 AM - System Checkpoint
RP1107: 7/26/2009 4:41:06 AM - System Checkpoint
RP1108: 7/26/2009 6:36:36 PM - Installed Garmin City Navigator North America NT 2009 Update
RP1109: 7/27/2009 6:41:04 PM - System Checkpoint
RP1110: 7/28/2009 7:41:02 PM - System Checkpoint
RP1111: 7/29/2009 8:09:44 PM - Installed Seagate Manager Installer
RP1112: 7/29/2009 8:12:55 PM - Configured Seagate Manager Installer
RP1113: 7/30/2009 8:30:24 PM - System Checkpoint

==== Installed Programs ======================

µTorrent
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.5 Language Support
Adobe Reader 7.1.0
Adobe® Photoshop® Album Starter Edition 3.0
Apple Mobile Device Support
Apple Software Update
ATI Catalyst Control Center
Audio Creator LE
AutoUpdate
Bonjour
Compatibility Pack for the 2007 Office system
CopyTrans Suite Remove Only
Critical Update for Windows Media Player 11 (KB959772)
DivX Codec
DivX Version Checker
DVD Decrypter (Remove Only)
DVDtoGO
Garmin City Navigator North America NT 2009 Update
Google Chrome
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
InFlac 1.1.1
iTunes
Java™ 6 Update 13
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
LimeWire 5.1.4
Magical Jelly Bean SHN Shortener (remove only)
Malwarebytes' Anti-Malware
McAfee SecurityCenter
MediaCoder 0.6.1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Small Business Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Move Networks Media Player for Internet Explorer
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
Nero 7 Ultra Edition
neroxml
NETGEAR WG111v3 wireless USB 2.0 adapter
OpenOffice.org Installer 1.0
QuickTime
Seagate Manager Installer
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
SoulSeek 157 NS 13e
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VC80CRTRedist - 8.0.50727.762
Video Server E
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Visual C++ 8.0 ATL (x86) WinSXS MSM
Visual C++ 8.0 CRT (x86) WinSXS MSM
Vuze
Vuze Toolbar
Winamp
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

8/1/2009 4:57:27 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec mfehidk MPFP MRxSmb NetBIOS NetBT NHostNT1 OMCI RasAcd Rdbss Tcpip
8/1/2009 4:57:27 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
8/1/2009 4:57:27 PM, error: Service Control Manager [7001] - The Retrospect Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/1/2009 4:57:27 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/1/2009 4:57:27 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/1/2009 4:57:27 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
8/1/2009 4:57:27 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/1/2009 4:57:27 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/1/2009 2:20:43 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume3'. It has stopped monitoring the volume.
8/1/2009 12:43:39 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/1/2009 12:43:11 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
8/1/2009 12:05:55 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNASvc with arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}
8/1/2009 12:04:00 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm mfehidk NHostNT1 OMCI
8/1/2009 1:38:25 PM, error: NETLOGON [5719] - No Domain Controller is available for domain COMMERCECRG due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.

==== End Of File ===========================



GMER 1.0.15.15011 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-08-01 20:36:53
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF764787E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7647BFE]

Code 8A71B780 ZwEnumerateKey
Code 8A693120 ZwFlushInstructionCache
Code 8A77E62E IofCallDriver
Code 8A5A0B36 IofCompleteRequest
Code 8A6E0E55 ZwSaveKey
Code 8A740565 ZwSaveKeyEx

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\ESQULedcvyalihvkvsafethptlsohvjnapaoe.sys (*** hidden *** ) [SYSTEM] ESQULserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\ESQULserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\ESQULserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ESQULserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ESQULserv.sys@imagepath \systemroot\system32\drivers\ESQULedcvyalihvkvsafethptlsohvjnapaoe.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\ESQULserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\ESQULserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\ESQULserv.sys\modules@ESQULserv \\?\globalroot\systemroot\system32\drivers\ESQULedcvyalihvkvsafethptlsohvjnapaoe.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\ESQULserv.sys\modules@ESQULl \\?\globalroot\systemroot\system32\ESQULglqvayfsdwmuorhdiksjmefdmlyiqkto.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\ESQULserv.sys\modules@ESQULclk \\?\globalroot\systemroot\system32\ESQULrdqigndibuiqcgyedfdsciwbtwayitul.dll
Reg HKLM\SYSTEM\ControlSet002\Services\ESQULserv.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\ESQULserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\ESQULserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\ESQULserv.sys@imagepath \systemroot\system32\drivers\ESQULedcvyalihvkvsafethptlsohvjnapaoe.sys
Reg HKLM\SYSTEM\ControlSet002\Services\ESQULserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\ESQULserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\ESQULserv.sys\modules@ESQULserv \\?\globalroot\systemroot\system32\drivers\ESQULedcvyalihvkvsafethptlsohvjnapaoe.sys
Reg HKLM\SYSTEM\ControlSet002\Services\ESQULserv.sys\modules@ESQULl \\?\globalroot\systemroot\system32\ESQULglqvayfsdwmuorhdiksjmefdmlyiqkto.dll
Reg HKLM\SYSTEM\ControlSet002\Services\ESQULserv.sys\modules@ESQULclk \\?\globalroot\systemroot\system32\ESQULrdqigndibuiqcgyedfdsciwbtwayitul.dll

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\ESQULrdqigndibuiqcgyedfdsciwbtwayitul.dll 43008 bytes
File C:\WINDOWS\system32\ESQULzcounter 4 bytes
File C:\WINDOWS\system32\drivers\ESQULedcvyalihvkvsafethptlsohvjnapaoe.sys 72192 bytes <-- ROOTKIT !!!
File C:\WINDOWS\system32\ESQULglqvayfsdwmuorhdiksjmefdmlyiqkto.dll 12288 bytes

---- EOF - GMER 1.0.15 ----

Edited by jcommerce, 01 August 2009 - 08:36 PM.
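What the GMER log above is actually saying, pulled out programmatically. This is an added example for this thread, not code from GMER or from anyone in the discussion: a small Python triage script that parses the SSDT, Service, Reg and File lines of a GMER log, ties the hidden service to its imagepath and the modules it loads from the registry, and checks which of those paths GMER also saw on disk. The sample log is constructed from the entries in the post; mapping \systemroot to c:\windows is an assumption (read %SystemRoot% from the machine on a real case), and the field names in the output are the script's own.

```python
# Triage helper for a GMER log (added example, not GMER's own code).
import re
from collections import defaultdict

# Constructed from the entries in the post above; section headers dropped.
SAMPLE_LOG = r"""
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF764787E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7647BFE]
Service C:\WINDOWS\system32\drivers\ESQULedcvyalihvkvsafethptlsohvjnapaoe.sys (*** hidden *** ) [SYSTEM] ESQULserv.sys <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Services\ESQULserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\ESQULserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ESQULserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ESQULserv.sys@imagepath \systemroot\system32\drivers\ESQULedcvyalihvkvsafethptlsohvjnapaoe.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\ESQULserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\ESQULserv.sys\modules@ESQULserv \\?\globalroot\systemroot\system32\drivers\ESQULedcvyalihvkvsafethptlsohvjnapaoe.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\ESQULserv.sys\modules@ESQULl \\?\globalroot\systemroot\system32\ESQULglqvayfsdwmuorhdiksjmefdmlyiqkto.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\ESQULserv.sys\modules@ESQULclk \\?\globalroot\systemroot\system32\ESQULrdqigndibuiqcgyedfdsciwbtwayitul.dll
File C:\WINDOWS\system32\ESQULrdqigndibuiqcgyedfdsciwbtwayitul.dll 43008 bytes
File C:\WINDOWS\system32\ESQULzcounter 4 bytes
File C:\WINDOWS\system32\drivers\ESQULedcvyalihvkvsafethptlsohvjnapaoe.sys 72192 bytes <-- ROOTKIT !!!
File C:\WINDOWS\system32\ESQULglqvayfsdwmuorhdiksjmefdmlyiqkto.dll 12288 bytes
"""

SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+\((?P<owner>[^)]*)\)\s+(?P<func>\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]")
SERVICE_RE = re.compile(r"^Service\s+(?P<path>.+?)\s+\((?P<flags>[^)]*)\)\s+\[\w+\]\s+(?P<name>\S+)(?P<tail>.*)$")
REG_RE = re.compile(r"^Reg\s+(?P<key>[^@\s]+)(?:@(?P<value>\S+))?(?:\s+(?P<data>.*))?$")
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+(?P<size>\d+)\s+bytes(?P<tail>.*)$")

def normalize_path(p):
    r"""Map GMER's NT spellings (\\?\globalroot\systemroot\..., \systemroot\...) onto the
    lower-cased Win32 form the File lines use. %SystemRoot% = c:\windows is an assumption."""
    p = p.strip().lower()
    if p.startswith(r"\\?\globalroot"):
        p = p[len(r"\\?\globalroot"):]
    if p.startswith(r"\systemroot"):
        p = r"c:\windows" + p[len(r"\systemroot"):]
    return p

def parse_gmer(text):
    """Split a GMER log into SSDT, Service, Reg and File records."""
    out = {"ssdt": [], "services": [], "reg": [], "files": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := SSDT_RE.match(line):
            out["ssdt"].append(m.groupdict())
        elif m := SERVICE_RE.match(line):
            d = m.groupdict()
            d["hidden"] = "hidden" in d["flags"]      # "(*** hidden *** )"
            d["rootkit"] = "ROOTKIT" in d["tail"]     # "<-- ROOTKIT !!!"
            out["services"].append(d)
        elif m := REG_RE.match(line):
            out["reg"].append(m.groupdict())
        elif m := FILE_RE.match(line):
            d = m.groupdict()
            d["rootkit"] = "ROOTKIT" in d["tail"]
            out["files"].append(d)
    return out

def triage(text):
    """Tie each hidden service to its registry values, modules and on-disk files."""
    parsed = parse_gmer(text)
    on_disk = {normalize_path(f["path"]) for f in parsed["files"]}
    findings, referenced = [], set()
    for svc in parsed["services"]:
        if not (svc["hidden"] or svc["rootkit"]):
            continue
        # Values sit under HKLM\SYSTEM\<ControlSet>\Services\<name>, modules one level down;
        # a log that lists both control sets (as the one in this thread does) folds into one finding.
        suffix = ("\\services\\" + svc["name"]).lower()
        values, modules = {}, set()
        for r in parsed["reg"]:
            key = r["key"].lower()
            if r["value"] is None:
                continue
            if key.endswith(suffix):
                values[r["value"].lower()] = r["data"] or ""
            elif key.endswith(suffix + "\\modules"):
                modules.add(normalize_path(r["data"] or ""))
        imagepath = normalize_path(values.get("imagepath", svc["path"]))
        wanted = modules | {imagepath}
        referenced |= wanted & on_disk
        findings.append({
            "service": svc["name"], "imagepath": imagepath,
            "start": values.get("start"),  # "1" = SYSTEM start, i.e. loaded at boot before any AV
            "type": values.get("type"),    # "1" = kernel driver
            "modules": sorted(modules),
            "artifacts_on_disk": sorted(wanted & on_disk),
            "artifacts_missing": sorted(wanted - on_disk),
        })
    hooks = defaultdict(list)
    for h in parsed["ssdt"]:
        hooks[h["module"]].append(h["func"])  # context only: Lbd.sys is Lavasoft's own driver
    return {
        "ssdt_hooks": dict(hooks),
        "hidden_services": findings,
        "unreferenced_files": sorted(on_disk - referenced),  # seen on disk, claimed by no service
        "rootkit_flagged_files": sorted(normalize_path(f["path"]) for f in parsed["files"] if f["rootkit"]),
    }
```

Run `triage(SAMPLE_LOG)` and it reports one hidden kernel-mode service (type 1, start 1, so it is loaded at boot before any security product) whose three registry-listed modules all exist on disk, plus one file, ESQULzcounter, that nothing in the registry references but that still belongs with the rest. The SSDT entries resolve to Lbd.sys, the Lavasoft (Ad-Aware) boot driver, which is why the script lists hooks by owner instead of treating every hook as a finding.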


#5 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 01 August 2009 - 09:03 PM

Hi,

Please do the following:

NOTE: McAfee MUST be disabled for the following scan:

How to disable McAfee:

  • Please open McAfee Security Centre
  • Under Common Tasks click on Home
  • Click Computer Files
  • Click Configure
  • Make sure the following are disabled by ticking the "Off" button.

    Virus protection
    Spyware protection
    System Guards Protection
    Script Scanning Protection (you may have to scroll down to see it)

  • Next, select never for "When to re-enable real time scanning"
  • and click OK.
Further info on disabling and re-enabling McAfee: http://help.aol.com/...ternalID=222820

NEXT


Download Combofix from either of the links below. You must rename it before saving it.
Save it to your desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".


Link 1
Link 2



During the download, rename Combofix to Combo-Fix as follows:

--------------------------------------------------------------------
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.


-----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" for further review.
    **Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


    -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
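A way to confirm the precondition CatByte sets above (real-time protection off) from the log itself, plus one forensic sanity check, written as an added example for this thread rather than code from ComboFix or from the forum. ComboFix prints every AV and firewall product the Security Center knows about in the first lines of its log, together with its on-access state, so the log shows whether the step was done for every product and not just the one the user remembered. The same script flags file entries whose creation time lies ahead of the scan time. Sample lines are constructed from the ComboFix log jcommerce posts in the next reply. Two assumptions: ComboFix's file timestamps are UTC while the header time is local (the [GMT -6:00] offset is used to convert, which is the reading under which the entries in that log line up), and a two-hour grace window is enough to cover files written while the scan was running.

```python
# Pre-flight checks over a ComboFix log (added example, not ComboFix's own code).
import re
from datetime import datetime, timedelta

# Constructed from lines in the ComboFix log posted in the next reply: the scan
# header, the AV/FW lines and a few "Files Created" / "Find3M" entries.
SAMPLE_LOG = r"""
ComboFix 09-08-01.06 - JFairclough 08/01/2009 21:35.1.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1686 [GMT -6:00]
Running from: c:\documents and settings\jfairclough\Desktop\Combo-Fix.exe
AV: AVG 7.5.516 *On-access scanning enabled* (Updated) {41564737-3200-1071-989B-0000E87B4FB1}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
2009-12-27 14:17 . 2009-12-27 14:17 6568 ----a-w- c:\windows\4b1adown5ozder395.dll
2009-08-02 11:24 . 2009-08-02 11:24 4855 ----a-w- c:\windows\system32\z09859py456.dll
2009-08-02 04:04 . 2009-06-26 04:17 -------- d-----w- c:\documents and settings\jfairclough\Application Data\uTorrent
2009-08-01 20:53 . 2009-07-13 19:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
"""

HEADER_RE = re.compile(r"^ComboFix\s+\S+\s+-\s+\S+\s+(\d\d/\d\d/\d{4})\s+(\d\d:\d\d)")  # single-word user name assumed
TZ_RE = re.compile(r"\[GMT\s+([+-])(\d{1,2}):(\d\d)\]")
PRODUCT_RE = re.compile(r"^(AV|FW):\s+(.+?)\s+\*([^*]+)\*")
ENTRY_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d)\s+\S+\s+\S+\s+(.+)$")

def protection_state(text):
    """Every AV/FW product named in the header, with whether it is still active.
    ComboFix reports what the Security Center knows, so a product the user forgot
    about (a second AV) shows up here even when the named one was switched off."""
    products = []
    for line in text.splitlines():
        if m := PRODUCT_RE.match(line.strip()):
            kind, name, state = m.groups()
            products.append({"kind": kind, "name": name, "state": state,
                             "active": "disabled" not in state.lower()})
    return products

def still_active(text, kinds=("AV",)):
    """Names of products of the given kinds whose real-time protection is still on."""
    return [p["name"] for p in protection_state(text) if p["active"] and p["kind"] in kinds]

def scan_start_utc(text):
    """Scan start from the header, shifted to UTC with the [GMT +/-h:mm] offset.
    Assumption: the header time is local while the file timestamps are UTC."""
    local = offset = None
    for line in text.splitlines():
        if local is None and (m := HEADER_RE.match(line)):
            local = datetime.strptime(m.group(1) + " " + m.group(2), "%m/%d/%Y %H:%M")
        if offset is None and (m := TZ_RE.search(line)):
            sign = -1 if m.group(1) == "-" else 1
            offset = sign * timedelta(hours=int(m.group(2)), minutes=int(m.group(3)))
        if local is not None and offset is not None:
            return local - offset
    raise ValueError("ComboFix header not found")

def future_dated_entries(text, grace=timedelta(hours=2)):
    """File entries created after scan start + grace. Nothing genuine is created months
    ahead of the scan; the grace window absorbs files written while the scan itself ran."""
    cutoff = scan_start_utc(text) + grace
    hits = []
    for line in text.splitlines():
        if m := ENTRY_RE.match(line.strip()):
            created = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
            if created > cutoff:
                hits.append({"created": m.group(1), "path": m.group(3), "ahead": created - cutoff})
    return hits
```

On the sample, `still_active(SAMPLE_LOG)` returns AVG 7.5.516: McAfee was switched off as instructed, but a second AV was still scanning on access, which is exactly the "unpredictable results" case the instructions warn about and is better caught before the run than after. `future_dated_entries(SAMPLE_LOG)` flags the two c:\windows entries dated 2 August and 27 December and leaves the uTorrent directory, touched half an hour into the scan, alone.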


#6 jcommerce

jcommerce

    New Member

  • Authentic Member
  • Pip
  • 14 posts

Posted 01 August 2009 - 10:04 PM

ComboFix log:

ComboFix 09-08-01.06 - JFairclough 08/01/2009 21:35.1.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1686 [GMT -6:00]
Running from: c:\documents and settings\jfairclough\Desktop\Combo-Fix.exe
AV: AVG 7.5.516 *On-access scanning enabled* (Updated) {41564737-3200-1071-989B-0000E87B4FB1}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft\Network\Downloader\qmgr0.dat
c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\10293hackt59lzc0.exe
c:\windows\1051t9iez1253.cpl
c:\windows\10532hacktooz6579.ocx
c:\windows\10548ha9ktool58bz.dll
c:\windows\10795vi5uz389.exe
c:\windows\11800w9rm591z.cpl
c:\windows\1199zpa95e1394.cpl
c:\windows\11d45pa9ze3046.ocx
c:\windows\12826not-a-v5r9s31bz.dll
c:\windows\13100spy3z95.exe
c:\windows\13525hac9zool5cb.dll
c:\windows\136129acztool555.dll
c:\windows\14156t9oz789.ocx
c:\windows\14300not-z9virus585.exe
c:\windows\14635tzoj692.exe
c:\windows\14729w9rm5fz.exe
c:\windows\1472tzo5159.dll
c:\windows\14903hac9tool275z.cpl
c:\windows\1540bazkd9or2177.exe
c:\windows\15519virus1cfz.cpl
c:\windows\15526s5a9zot778.exe
c:\windows\1556vir2697z.dll
c:\windows\15c9ddwaze1238.cpl
c:\windows\15ccdownz9ader532.bin
c:\windows\164385pzmbot690.bin
c:\windows\16z55vi9us5665.exe
c:\windows\170395ot-a-vi9zs8c.exe
c:\windows\17107s9amboz579.ocx
c:\windows\177z4wor529c.bin
c:\windows\18631hacktoolz259.dll
c:\windows\1868d5wnloaze92263.cpl
c:\windows\18710spazb95409.ocx
c:\windows\1875znot-a-9irus67e.dll
c:\windows\1889zo9m6d5.cpl
c:\windows\18945spambzt570.cpl
c:\windows\18c5bacz5o9r30.bin
c:\windows\18f5thiez549.exe
c:\windows\19013vi5usz99.exe
c:\windows\19180hz9k5ool24f.cpl
c:\windows\19255notza-vi5us433.cpl
c:\windows\1925zv9rus6fe.cpl
c:\windows\1931downloa5er55z.cpl
c:\windows\195dz9r709.cpl
c:\windows\195z6spyd49.ocx
c:\windows\199bspazse2573.bin
c:\windows\19e2doz5load9r3003.exe
c:\windows\1bc0tzreat89445.dll
c:\windows\1de4dowz9oade53068.exe
c:\windows\1f50st9zl10.cpl
c:\windows\1f5zdownloade93516.ocx
c:\windows\1z13threat88509.exe
c:\windows\2019zspamb5t7d3.ocx
c:\windows\202c95ckzoor844.dll
c:\windows\204509zt-a-virus4ce.cpl
c:\windows\2049zt5oja7.bin
c:\windows\20792z5ambot2c4.cpl
c:\windows\208fs9zal15875.bin
c:\windows\216925zrus747.exe
c:\windows\222545rzj96b.cpl
c:\windows\22829hzckto9l565.cpl
c:\windows\22939hi5f3z4.dll
c:\windows\233935ackzool799.cpl
c:\windows\23900hac9tz5l336.dll
c:\windows\23908hzckt5olc8.exe
c:\windows\2396downloazer2598.exe
c:\windows\2493spambot55cz.cpl
c:\windows\24955vizus5d2.ocx
c:\windows\25005zpambot5f49.ocx
c:\windows\250z4spamb9t7c7.ocx
c:\windows\25366s9ambot7z.bin
c:\windows\25466s5zmbot5bb9.cpl
c:\windows\25528tr9z55a.dll
c:\windows\2557zo9m3f5.exe
c:\windows\25698spa9zot754.bin
c:\windows\257009zr5s739.bin
c:\windows\25780n5t9a-viruz7a8.dll
c:\windows\25z59hie5151.ocx
c:\windows\26676z5oj64d9.dll
c:\windows\2785z9irus27b.exe
c:\windows\281fba5kdoor309z.ocx
c:\windows\289575orm2z9.exe
c:\windows\29244hackt9zl5e1.bin
c:\windows\295fsparsz381.cpl
c:\windows\29966n9t-5-virus69z.exe
c:\windows\29z80worm5a79.bin
c:\windows\2b5bba5kdoor20z49.bin
c:\windows\2b6ct5reat249z3.ocx
c:\windows\2c0avz9954.ocx
c:\windows\2c59vir593z.exe
c:\windows\2c9fdowzlo5de92336.cpl
c:\windows\2czbackdo9r1954.dll
c:\windows\2ff3s9y5are2747z.cpl
c:\windows\2z186spam9o5f1.ocx
c:\windows\2z5409roj7ae.cpl
c:\windows\30654sp979cz.exe
c:\windows\306925irusz4.cpl
c:\windows\306z5not-a-virus5f9.dll
c:\windows\31588vi9us5az.exe
c:\windows\3194doznl5ader388.cpl
c:\windows\319daddware18z95.bin
c:\windows\31c5doznloader399.dll
c:\windows\31d9stea5z449.exe
c:\windows\31z98hac9too5280.dll
c:\windows\32259zot-a-virus6e9.bin
c:\windows\32556sp9mbzt7cf.ocx
c:\windows\32572spz5bot5f9.ocx
c:\windows\32576n9t-a-vir5s1z0.dll
c:\windows\325aa5d9arz3014.bin
c:\windows\32607spazbo52a9.ocx
c:\windows\3317spyw5re2z92.bin
c:\windows\3473sz5wa9e895.bin
c:\windows\3510zirus957.ocx
c:\windows\358z951280.dll
c:\windows\3592stealz526.exe
c:\windows\35c5addwa9e5z.ocx
c:\windows\3614zh95at23911.dll
c:\windows\3750threat5z595.exe
c:\windows\37ce5a9kzoor1127.dll
c:\windows\38129ownzoad5r1202.cpl
c:\windows\3955thrzat16997.dll
c:\windows\39628troz2d5.cpl
c:\windows\3c59sparsz1454.dll
c:\windows\system32\drivers\ESQULedcvyalihvkvsafethptlsohvjnapaoe.sys
c:\windows\system32\ESQULglqvayfsdwmuorhdiksjmefdmlyiqkto.dll
c:\windows\system32\ESQULrdqigndibuiqcgyedfdsciwbtwayitul.dll
c:\windows\system32\ESQULzcounter
F:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://zeus:8530
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ESQULserv.sys
-------\Service_ESQULserv.sys


((((((((((((((((((((((((( Files Created from 2009-07-02 to 2009-08-02 )))))))))))))))))))))))))))))))
.

2009-12-27 14:17 . 2009-12-27 14:17 6568 ----a-w- c:\windows\4b1adown5ozder395.dll
2009-12-24 01:57 . 2009-12-24 01:57 17262 ----a-w- c:\windows\system32\28561n9t-a-5zrus3a0.dll
2009-12-22 13:25 . 2009-12-22 13:25 5611 ----a-w- c:\windows\system32\az9teal2655.bin
2009-12-18 11:04 . 2009-12-18 11:04 12631 ----a-w- c:\windows\system32\zc605teal993.dll
2009-12-15 22:44 . 2009-12-15 22:44 13210 ----a-w- c:\windows\system32\26398not-a-vi9u5z06.bin
2009-12-15 10:00 . 2009-12-15 10:00 2779 ----a-w- c:\windows\system32\3z99spa5se9752.exe
2009-12-14 05:19 . 2009-12-14 05:19 14554 ----a-w- c:\windows\55davz92102.dll
2009-12-13 10:47 . 2009-12-13 10:47 17501 ----a-w- c:\windows\z598s9yfe.dll
2009-12-13 05:11 . 2009-12-13 05:11 14699 ----a-w- c:\windows\6179szyware951.dll
2009-12-12 15:16 . 2009-12-12 15:16 8319 ----a-w- c:\windows\system32\757espa9ze2618.exe
2009-12-12 11:59 . 2009-12-12 11:59 18130 ----a-w- c:\windows\system32\1245zwo9m6b5.exe
2009-12-11 14:10 . 2009-12-11 14:10 12949 ----a-w- c:\windows\system32\z35999pambot718.dll
2009-12-11 06:07 . 2009-12-11 06:07 3853 ----a-w- c:\windows\system32\23545noz-a-vir5s9b8.dll
2009-12-11 01:18 . 2009-12-11 01:18 3220 ----a-w- c:\windows\system32\222285irus49z.dll
2009-12-10 12:33 . 2009-12-10 12:33 7707 ----a-w- c:\windows\84zs5arse979.bin
2009-12-08 01:32 . 2009-12-08 01:32 2890 ----a-w- c:\windows\system32\51e9bzckdoor1891.exe
2009-11-26 15:37 . 2009-11-26 15:37 7696 ----a-w- c:\windows\58129py21z.bin
2009-11-25 00:27 . 2009-11-25 00:27 3429 ----a-w- c:\windows\56245s9amboz75.exe
2009-11-17 07:28 . 2009-11-17 07:28 15931 ----a-w- c:\windows\899sz56fc.bin
2009-11-16 17:08 . 2009-11-16 17:08 15898 ----a-w- c:\windows\7456szarse9559.dll
2009-11-13 19:36 . 2009-11-13 19:36 14320 ----a-w- c:\windows\system32\7998t9zeat19655.bin
2009-11-11 06:00 . 2009-11-11 06:00 5231 ----a-w- c:\windows\system32\28295tro56z1.dll
2009-11-11 04:00 . 2009-11-11 04:00 18256 ----a-w- c:\windows\55f5t9zef2544.dll
2009-11-10 22:37 . 2009-11-10 22:37 14837 ----a-w- c:\windows\a91thiez175.bin
2009-11-10 12:58 . 2009-11-10 12:58 4661 ----a-w- c:\windows\system32\27cdownloa9er253z.bin
2009-11-03 20:59 . 2009-11-03 20:59 12323 ----a-w- c:\windows\75z8a5dware26279.exe
2009-11-02 21:52 . 2009-11-02 21:52 3704 ----a-w- c:\windows\9326tr9jz2a5.dll
2009-11-01 00:38 . 2009-11-01 00:38 6156 ----a-w- c:\windows\96c5threat39z0.bin
2009-10-25 22:20 . 2009-10-25 22:20 11010 ----a-w- c:\windows\system32\107079ot-a-viruz253.exe
2009-10-25 12:51 . 2009-10-25 12:51 9192 ----a-w- c:\windows\system32\1195zwormc0.bin
2009-10-24 08:58 . 2009-10-24 08:58 14458 ----a-w- c:\windows\system32\1365spzmbo9652.exe
2009-10-21 21:03 . 2009-10-21 21:03 7306 ----a-w- c:\windows\82649otz5-virus379.exe
2009-10-21 10:41 . 2009-10-21 10:41 8691 ----a-w- c:\windows\system32\5a679iz555.bin
2009-10-17 02:04 . 2009-10-17 02:04 7387 ----a-w- c:\windows\3d0asparse159z.exe
2009-10-16 03:34 . 2009-10-16 03:34 3249 ----a-w- c:\windows\555tr9jzf8.exe
2009-10-15 22:21 . 2009-10-15 22:21 3880 ----a-w- c:\windows\system32\9922worm21z5.bin
2009-10-15 08:09 . 2009-10-15 08:09 13196 ----a-w- c:\windows\84bthief39z5.bin
2009-10-14 08:08 . 2009-10-14 08:08 16203 ----a-w- c:\windows\system32\z0132troj25a9.exe
2009-10-08 03:06 . 2009-10-08 03:06 13684 ----a-w- c:\windows\54359teal384z.bin
2009-10-07 16:15 . 2009-10-07 16:15 11112 ----a-w- c:\windows\system32\67ba59dooz1582.bin
2009-09-27 09:04 . 2009-09-27 09:04 10715 ----a-w- c:\windows\system32\2386vir9z25.exe
2009-09-22 06:15 . 2009-09-22 06:15 16817 ----a-w- c:\windows\z4228w59m2f4.exe
2009-09-19 20:17 . 2009-09-19 20:17 11198 ----a-w- c:\windows\7fe59zr696.exe
2009-09-17 12:03 . 2009-09-17 12:03 18401 ----a-w- c:\windows\system32\17f3ad59are23z7.bin
2009-09-17 04:09 . 2009-09-17 04:09 3265 ----a-w- c:\windows\system32\299329roz755.exe
2009-09-15 02:05 . 2009-09-15 02:05 7186 ----a-w- c:\windows\system32\4fcev5z3519.bin
2009-09-12 06:52 . 2009-09-12 06:52 3704 ----a-w- c:\windows\system32\3d51zd5war91763.exe
2009-09-10 07:53 . 2009-09-10 07:53 11439 ----a-w- c:\windows\z0973not-a-9irus356.bin
2009-09-09 18:44 . 2009-09-09 18:44 11823 ----a-w- c:\windows\system32\zc5edo9nloader152.exe
2009-08-25 13:23 . 2009-08-25 13:23 3797 ----a-w- c:\windows\system32\6z9fthreat15219.dll
2009-08-25 00:51 . 2009-08-25 00:51 16569 ----a-w- c:\windows\5dd9baczdoo5718.bin
2009-08-25 00:21 . 2009-08-25 00:21 10342 ----a-w- c:\windows\system32\29abszeal31625.dll
2009-08-17 09:05 . 2009-08-17 09:05 17899 ----a-w- c:\windows\system32\22d1bzckdoor35359.dll
2009-08-16 22:37 . 2009-08-16 22:37 4472 ----a-w- c:\windows\8399hackzool75b.exe
2009-08-16 00:10 . 2009-08-16 00:10 15398 ----a-w- c:\windows\system32\743addwa951389z.bin
2009-08-15 16:07 . 2009-08-15 16:07 13944 ----a-w- c:\windows\system32\245255ackto9l2z3.bin
2009-08-13 05:59 . 2009-08-13 05:59 2811 ----a-w- c:\windows\system32\4710ha9kt5ol5zb.dll
2009-08-08 08:38 . 2009-08-08 08:38 17072 ----a-w- c:\windows\5191spy9are186z.bin
2009-08-04 17:59 . 2009-08-04 17:59 10487 ----a-w- c:\windows\c4dba5k9oor972z.bin
2009-08-04 13:01 . 2009-08-04 13:01 3679 ----a-w- c:\windows\system32\1z799wor5912.exe
2009-08-02 23:22 . 2009-08-02 23:22 15973 ----a-w- c:\windows\3de69h5ez1970.exe
2009-08-02 22:31 . 2009-08-02 22:31 17997 ----a-w- c:\windows\system32\7954thi9f2z21.dll
2009-08-02 11:24 . 2009-08-02 11:24 4855 ----a-w- c:\windows\system32\z09859py456.dll
2009-08-01 20:53 . 2009-07-13 19:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-01 20:52 . 2009-08-01 20:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-01 20:52 . 2009-08-01 20:52 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-08-01 20:52 . 2009-07-13 19:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-01 20:38 . 2009-08-01 20:38 -------- d-----w- c:\program files\Video Server E
2009-08-01 19:28 . 2009-08-01 19:28 -------- d-----w- c:\program files\Trend Micro
2009-08-01 17:47 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-08-01 15:41 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-08-01 15:38 . 2009-08-01 15:38 -------- dc-h--w- c:\docume~1\ALLUSE~1\APPLIC~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-01 15:38 . 2009-08-01 15:41 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Lavasoft
2009-08-01 15:38 . 2009-08-01 15:38 -------- d-----w- c:\program files\Lavasoft
2009-07-30 02:10 . 2009-07-30 02:10 -------- d-----w- c:\program files\Seagate
2009-07-30 02:10 . 2009-07-30 02:10 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Seagate
2009-07-30 02:09 . 2009-07-30 02:09 -------- d-----w- c:\documents and settings\jfairclough\Local Settings\Application Data\Downloaded Installations
2009-07-30 02:09 . 2009-01-16 08:19 1731736 ----a-w- c:\documents and settings\jfairclough\Application Data\Leadertech\PowerRegister\Seagate 2GEY20ZG Product Registration.exe
2009-07-30 02:06 . 2009-07-30 02:06 -------- d-----w- c:\documents and settings\jfairclough\Application Data\Leadertech
2009-07-27 17:36 . 2009-07-27 17:36 11109 ----a-w- c:\windows\system32\5zc19ir2716.bin
2009-07-27 00:36 . 2009-07-27 00:36 -------- d-----w- C:\Garmin
2009-07-26 21:08 . 2009-08-01 15:39 -------- d-----w- c:\documents and settings\jfairclough\Local Settings\Application Data\Temp
2009-07-26 06:10 . 2009-07-26 06:10 6256 ----a-w- c:\windows\4125bazkdo9r559.bin
2009-07-25 19:23 . 2009-07-25 19:23 -------- d-----w- c:\documents and settings\jfairclough\Application Data\GARMIN
2009-07-25 10:06 . 2009-07-25 10:06 7080 ----a-w- c:\windows\1z539virusf.dll
2009-07-20 03:21 . 2009-07-20 03:21 -------- d-----w- c:\documents and settings\jfairclough\Application Data\Cakewalk
2009-07-20 03:20 . 2006-11-30 21:49 368640 ----a-w- c:\windows\system32\ReWire.dll
2009-07-20 03:20 . 2009-07-20 03:20 -------- d-----w- c:\program files\Cakewalk
2009-07-12 17:48 . 2009-07-12 17:48 16508 ----a-w- c:\windows\8151n9t5a-vzrus2cf.dll
2009-07-11 23:42 . 2009-07-11 23:42 5275 ----a-w- c:\windows\system32\c659yzare2990.dll
2009-07-10 14:53 . 2009-07-10 14:53 11689 ----a-w- c:\windows\system32\57925a9kzoor690.exe
2009-07-08 05:09 . 2009-07-08 05:09 -------- d-sh--w- c:\documents and settings\jfairclough\IECompatCache
2009-07-06 21:48 . 2009-07-06 21:48 12627 ----a-w- c:\windows\9049zackt5ol442.dll
2009-07-05 19:35 . 2009-07-05 20:27 -------- d-----w- c:\documents and settings\jfairclough\Application Data\LimeWire
2009-07-05 19:33 . 2009-07-05 19:33 -------- d-----w- c:\program files\LimeWire
2009-07-05 08:42 . 2009-07-05 08:42 6351 ----a-w- c:\windows\system32\9513hz95tool3c.exe
2009-07-05 07:18 . 2009-07-05 07:18 -------- d-----w- c:\windows\system32\wbem\Repository
2009-07-05 06:13 . 2009-07-05 06:13 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-05 06:09 . 2009-07-05 07:28 -------- d-----w- C:\OEMSettings
2009-07-05 01:39 . 2009-07-05 01:39 -------- d-sh--w- c:\documents and settings\jfairclough\PrivacIE
2009-07-05 01:38 . 2009-07-05 01:38 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-05 01:29 . 2009-07-05 01:29 -------- d-sh--w- c:\documents and settings\jfairclough\IETldCache
2009-07-05 00:52 . 2009-07-05 00:52 -------- d-----w- c:\windows\system32\XPSViewer
2009-07-05 00:52 . 2009-07-05 00:52 -------- d-----w- c:\program files\MSBuild
2009-07-05 00:52 . 2009-07-05 00:52 -------- d-----w- c:\program files\Reference Assemblies
2009-07-05 00:51 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-07-05 00:51 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-07-05 00:51 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-07-05 00:51 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-07-05 00:51 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-07-05 00:51 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-07-05 00:51 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-07-05 00:50 . 2009-07-05 01:06 -------- d-----w- c:\windows\SxsCaPendDel
2009-07-04 22:21 . 2009-07-04 22:21 -------- d-----w- c:\windows\system32\KB905474
2009-07-04 22:21 . 2009-03-11 04:26 1403264 ----a-w- c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-07-04 22:21 . 2009-03-11 04:18 453512 ----a-w- c:\windows\system32\KB905474\wgasetup.exe
2009-07-04 21:55 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-07-04 21:55 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-07-04 21:55 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-07-04 21:55 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-07-04 21:55 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-07-04 21:55 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-07-04 21:55 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-07-04 21:55 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-07-04 21:55 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-02 04:04 . 2009-06-26 04:17 -------- d-----w- c:\documents and settings\jfairclough\Application Data\uTorrent
2009-08-01 15:39 . 2006-05-18 14:30 -------- d-----w- c:\program files\Google
2009-08-01 05:35 . 2006-07-21 16:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-01 05:35 . 2006-07-21 16:15 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2009-08-01 03:38 . 2008-07-22 04:40 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Soulseek
2009-07-31 10:05 . 2008-04-10 22:42 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Google Updater
2009-07-30 02:10 . 2006-05-18 14:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-29 03:26 . 2008-09-02 03:37 -------- d-----w- c:\program files\DivX
2009-07-27 01:20 . 2009-04-17 22:02 -------- d-----w- c:\documents and settings\jfairclough\Application Data\Azureus
2009-07-05 06:38 . 2008-09-01 19:52 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-07-05 01:33 . 2006-05-18 14:51 70136 ----a-w- c:\documents and settings\jfairclough\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-04 18:27 . 2006-05-17 23:33 87263 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-07-02 22:16 . 2009-07-02 22:14 -------- d-----w- c:\documents and settings\jfairclough\Application Data\WindSolutions
2009-07-02 22:14 . 2009-07-02 22:14 -------- d-----w- c:\program files\WindSolutions
2009-07-02 22:14 . 2009-07-02 22:14 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\WindSolutions
2009-07-02 20:53 . 2008-07-22 03:33 -------- d-----w- c:\program files\NETGEAR
2009-07-01 04:24 . 2009-06-28 02:16 -------- d-----w- c:\program files\MediaCoder
2009-07-01 03:49 . 2009-07-01 03:40 -------- d-----w- c:\program files\Magical Jelly Bean SHN Shortener
2009-06-28 23:20 . 2009-06-28 23:20 7145 ----a-w- c:\windows\system32\5cz9ad9ware1365.bin
2009-06-28 06:10 . 2009-06-28 06:10 12774 ----a-w- c:\windows\system32\41c5threat2z109.exe
2009-06-28 02:23 . 2009-06-28 02:15 -------- d-----w- c:\program files\Xobni
2009-06-28 02:22 . 2006-06-07 17:31 -------- d-----w- c:\program files\Yahoo!
2009-06-28 02:15 . 2009-06-28 02:15 -------- d-----w- c:\documents and settings\jfairclough\Application Data\WeatherBug
2009-06-28 02:14 . 2009-06-28 02:14 -------- d-----w- c:\documents and settings\jfairclough\Application Data\blinkx
2009-06-28 02:14 . 2009-06-28 02:14 -------- d-----w- c:\documents and settings\jfairclough\Application Data\PriceGong
2009-06-27 03:01 . 2009-06-27 03:01 13338 ----a-w- c:\windows\system32\2999a59zare248.exe
2009-06-26 16:06 . 2009-06-26 16:06 11275 ----a-w- c:\windows\92b5d9zare277.exe
2009-06-26 14:49 . 2009-06-26 14:35 -------- d-----w- c:\program files\Winamp
2009-06-26 14:44 . 2009-06-26 14:35 -------- d-----w- c:\documents and settings\jfairclough\Application Data\Winamp
2009-06-26 04:17 . 2009-06-26 04:17 -------- d-----w- c:\program files\uTorrent
2009-06-23 04:25 . 2009-06-23 04:25 12256 ----a-w- c:\windows\44c6threa5629z.bin
2009-06-22 07:49 . 2009-06-22 07:49 13099 ----a-w- c:\windows\system32\45b4t9zef6565.dll
2009-06-18 05:35 . 2009-06-18 05:35 2949 ----a-w- c:\windows\system32\zf09threat10513.exe
2009-06-13 20:44 . 2009-06-13 20:44 17853 ----a-w- c:\windows\system32\15392not-a-viru549z.bin
2009-06-13 19:24 . 2009-06-13 19:24 15562 ----a-w- c:\windows\zeb9thief539.exe
2009-06-12 19:21 . 2009-06-12 19:21 5235 ----a-w- c:\windows\system32\1957hackt9ol5az.bin
2009-06-12 00:34 . 2009-06-12 00:34 17262 ----a-w- c:\windows\92536spyz57.exe
2009-06-07 10:54 . 2009-06-07 10:54 16156 ----a-w- c:\windows\5f96vzr1991.bin
2009-06-05 20:19 . 2009-06-05 20:19 18212 ----a-w- c:\windows\system32\373bsteaz5689.exe
2009-06-04 15:35 . 2009-06-04 15:35 2635 ----a-w- c:\windows\system32\24espazse859.bin
2009-05-28 12:54 . 2009-05-28 12:54 12857 ----a-w- c:\windows\system32\3b25backdoor55z9.bin
2009-05-28 09:38 . 2009-05-28 09:38 8257 ----a-w- c:\windows\system32\573a95arze797.exe
2009-05-26 03:38 . 2009-05-26 03:38 12412 ----a-w- c:\windows\system32\31982not-a-5irusz7d.exe
2009-05-24 15:30 . 2009-05-24 15:30 10624 ----a-w- c:\windows\system32\3669t5oj6z.bin
2009-05-24 12:00 . 2009-05-24 12:00 5769 ----a-w- c:\windows\system32\5aeddow9loaderz252.dll
2009-05-22 12:13 . 2009-05-22 12:13 6322 ----a-w- c:\windows\system32\97a6thi5f15z9.bin
2009-05-15 03:01 . 2009-05-15 03:01 8216 ----a-w- c:\windows\system32\4325steal19z2.bin
2009-05-14 06:26 . 2009-05-14 06:26 7109 ----a-w- c:\windows\6250stealz968.dll
2009-05-11 07:43 . 2009-05-11 07:43 14437 ----a-w- c:\windows\system32\6e07backdo59158z.exe
2009-05-11 07:28 . 2009-05-11 07:28 3329 ----a-w- c:\windows\9885stzal1565.exe
2009-05-09 12:41 . 2009-05-09 12:41 15089 ----a-w- c:\windows\system32\14091spy3z5.dll
2009-05-07 15:32 . 2003-07-16 16:26 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-06 23:22 . 2009-05-06 23:22 16258 ----a-w- c:\windows\system32\z15fdownloade92848.dll
2009-05-06 09:24 . 2009-05-06 09:24 8641 ----a-w- c:\windows\system32\20895w9rz659.dll
2009-05-05 20:59 . 2009-05-05 20:59 6896 ----a-w- c:\windows\7c255zeal1967.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-12-10 00:40 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-12-10 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"EFI Job Monitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\efjm.dll" [2004-08-10 2510848]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-18 68856]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-07-07 288048]
"tixwf8p6.exe"="c:\windows\system32\tixwf8p6.exe" [2009-08-01 859136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-17 148888]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-23 116040]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-05-26 180269]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-05-28 570664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-05-01 185640]

c:\documents and settings\jfairclough\Start Menu\Programs\Startup\
Seagate 2GEY20ZG Product Registration.lnk - c:\documents and settings\jfairclough\Application Data\Leadertech\PowerRegister\Seagate 2GEY20ZG Product Registration.exe [2009-7-29 1731736]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2008-12-11 2322432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"MaxGPOScriptWait"= 1000 (0x3e8)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SideACT!.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SideACT!.lnk
backup=c:\windows\pss\SideACT!.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^jfairclough^Start Menu^Programs^Startup^Avaya IP Softphone.lnk]
path=c:\documents and settings\jfairclough\Start Menu\Programs\Startup\Avaya IP Softphone.lnk
backup=c:\windows\pss\Avaya IP Softphone.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Danware Data\\NetOp Remote Control\\Host\\NHSTW32.EXE"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/1/2009 9:41 AM 64160]
R1 NHostNT1;NetOp Driver 1 ver. 8.00 (2006047);c:\windows\system32\drivers\NHOSTNT1.SYS [5/18/2006 12:12 PM 90896]
R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [4/17/2009 4:02 PM 464264]
R2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [4/17/2009 4:02 PM 234888]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/9/2007 1:13 PM 38144]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [5/1/2009 2:35 PM 181544]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 8:49 AM 1029456]
R2 NetOp Host for NT Service;NetOp Helper ver. 8.00 (2006047);c:\program files\Danware Data\NetOp Remote Control\Host\NHOSTSVC.EXE [5/18/2006 12:12 PM 1196304]
R2 Retrospect Client;Retrospect Client;c:\program files\Dantz\Client\RemotSvc.exe [5/18/2006 10:21 AM 57344]
R3 NHOSTNT3;NetOp Driver 3 ver. 8.00 (2006047) (NHOSTNT3);c:\windows\system32\drivers\NHOSTNT3.SYS [5/18/2006 12:12 PM 3216]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [12/28/2007 3:02 PM 287232]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/26/2009 3:08 PM 133104]
S3 ECCL100;ECCL100 NDIS Protocol Driver;\??\c:\windows\system32\ECCL100.SYS --> c:\windows\system32\ECCL100.SYS [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-Weather - c:\program files\AWS\WeatherBug\Weather.exe
HKU-Default-Run-AVG7_Run - c:\progra~1\Grisoft\AVG7\avgw.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.6.4/GarminAxControl.CAB
DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} - hxxp://qmedia.xlontech.net/100170/sdk/latest/qsp2ie06041001.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-01 22:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(912)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3944)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Nero\Nero 7\Nero BackItUp\NBShell.dll
c:\program files\Nero\Nero 7\Nero BackItUp\MSVCR71.dll
c:\program files\Malwarebytes' Anti-Malware\mbamext.dll
c:\program files\Lavasoft\Ad-Aware\ShellExt.dll
c:\program files\McAfee\VirusScan\scriptsn.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\program files\Common Files\Ahead\Lib\NeroDigitalExt.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
c:\program files\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll
c:\program files\ATI Technologies\ATI.ACE\atiacmxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\qosservm.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\program files\McAfee\VirusScan\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\IoctlSvc.exe
c:\program files\Dantz\Client\retroclient.exe
c:\program files\Analog Devices\SoundMAX\spkrmon.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Danware Data\NetOp Remote Control\Host\NLDRW32.EXE
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\windows\system32\ati2evxx.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\program files\Real\RealPlayer\realplay.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Danware Data\NetOp Remote Control\Host\NHSTW32.EXE
.
**************************************************************************
.
Completion time: 2009-08-02 22:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-02 04:17

Pre-Run: 21,352,153,088 bytes free
Post-Run: 21,673,705,472 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

496 --- E O F --- 2008-04-20 10:06

Edited by jcommerce, 01 August 2009 - 10:13 PM.


#7 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 01 August 2009 - 10:12 PM

How long has it been going?

It shouldn't take more than 20 minutes.

Open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of swsc.cfexe, CF*****.exe, nircmd.exe or catchme.cfexe.

Then look for the log at C:\Combofix.txt

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#8 jcommerce

jcommerce

    New Member

  • Authentic Member
  • Pip
  • 14 posts

Posted 01 August 2009 - 10:16 PM

ComboFix finished right after I posted above, so I edited post above with the log report.

Edited by jcommerce, 01 August 2009 - 10:27 PM.


#9 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 01 August 2009 - 10:41 PM

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://forums.whatthetech.com/Browser_re_direct_Hijackthis_non_functional_malware_bytes_non_functi_t105735.html&view=findpost&p=583929#entry583929

Collect::
c:\windows\4b1adown5ozder395.dll
c:\windows\system32\28561n9t-a-5zrus3a0.dll
c:\windows\system32\az9teal2655.bin
c:\windows\system32\zc605teal993.dll
c:\windows\system32\26398not-a-vi9u5z06.bin
c:\windows\system32\3z99spa5se9752.exe
c:\windows\55davz92102.dll
c:\windows\z598s9yfe.dll
c:\windows\6179szyware951.dll
c:\windows\system32\757espa9ze2618.exe
c:\windows\system32\1245zwo9m6b5.exe
c:\windows\system32\z35999pambot718.dll
c:\windows\system32\23545noz-a-vir5s9b8.dll
c:\windows\system32\222285irus49z.dll
c:\windows\84zs5arse979.bin
c:\windows\system32\51e9bzckdoor1891.exe
c:\windows\58129py21z.bin
c:\windows\56245s9amboz75.exe
c:\windows\899sz56fc.bin
c:\windows\7456szarse9559.dll
c:\windows\system32\7998t9zeat19655.bin
c:\windows\system32\28295tro56z1.dll
c:\windows\55f5t9zef2544.dll
c:\windows\a91thiez175.bin
c:\windows\system32\27cdownloa9er253z.bin
c:\windows\75z8a5dware26279.exe
c:\windows\9326tr9jz2a5.dll
c:\windows\96c5threat39z0.bin
c:\windows\system32\107079ot-a-viruz253.exe
c:\windows\system32\1195zwormc0.bin
c:\windows\system32\1365spzmbo9652.exe
c:\windows\82649otz5-virus379.exe
c:\windows\system32\5a679iz555.bin
c:\windows\3d0asparse159z.exe
c:\windows\555tr9jzf8.exe
c:\windows\system32\9922worm21z5.bin
c:\windows\84bthief39z5.bin
c:\windows\system32\z0132troj25a9.exe
c:\windows\54359teal384z.bin
c:\windows\system32\67ba59dooz1582.bin
c:\windows\system32\2386vir9z25.exe
c:\windows\z4228w59m2f4.exe
c:\windows\7fe59zr696.exe
c:\windows\system32\17f3ad59are23z7.bin
c:\windows\system32\299329roz755.exe
c:\windows\system32\4fcev5z3519.bin
c:\windows\system32\3d51zd5war91763.exe
c:\windows\z0973not-a-9irus356.bin
c:\windows\system32\zc5edo9nloader152.exe
c:\windows\system32\6z9fthreat15219.dll
c:\windows\5dd9baczdoo5718.bin
c:\windows\system32\29abszeal31625.dll
c:\windows\system32\22d1bzckdoor35359.dll
c:\windows\8399hackzool75b.exe
c:\windows\system32\743addwa951389z.bin
c:\windows\system32\245255ackto9l2z3.bin
c:\windows\system32\4710ha9kt5ol5zb.dll
c:\windows\5191spy9are186z.bin
c:\windows\c4dba5k9oor972z.bin
c:\windows\system32\1z799wor5912.exe
c:\windows\3de69h5ez1970.exe
c:\windows\system32\7954thi9f2z21.dll
c:\windows\system32\z09859py456.dll
c:\windows\system32\5zc19ir2716.bin
c:\windows\4125bazkdo9r559.bin
c:\windows\1z539virusf.dll
c:\windows\8151n9t5a-vzrus2cf.dll
c:\windows\system32\c659yzare2990.dll
c:\windows\system32\57925a9kzoor690.exe
c:\windows\9049zackt5ol442.dll
c:\windows\system32\9513hz95tool3c.exe
c:\windows\system32\5cz9ad9ware1365.bin
c:\windows\system32\41c5threat2z109.exe
c:\windows\system32\2999a59zare248.exe
c:\windows\92b5d9zare277.exe
c:\windows\system32\45b4t9zef6565.dll
c:\windows\system32\zf09threat10513.exe
c:\windows\system32\15392not-a-viru549z.bin
c:\windows\zeb9thief539.exe
c:\windows\system32\1957hackt9ol5az.bin
c:\windows\92536spyz57.exe
c:\windows\5f96vzr1991.bin
c:\windows\system32\373bsteaz5689.exe
c:\windows\system32\24espazse859.bin
c:\windows\system32\3b25backdoor55z9.bin
c:\windows\system32\573a95arze797.exe
c:\windows\system32\31982not-a-5irusz7d.exe
c:\windows\system32\3669t5oj6z.bin
c:\windows\system32\5aeddow9loaderz252.dll
c:\windows\system32\97a6thi5f15z9.bin
c:\windows\system32\4325steal19z2.bin
c:\windows\6250stealz968.dll
c:\windows\system32\6e07backdo59158z.exe
c:\windows\9885stzal1565.exe
c:\windows\system32\14091spy3z5.dll
c:\windows\system32\z15fdownloade92848.dll
c:\windows\system32\20895w9rz659.dll
c:\windows\7c255zeal1967.bin
c:\windows\system32\tixwf8p6.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tixwf8p6.exe"=-

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

**Note**
When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
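The Collect:: and Registry:: blocks in the post above were built by hand from the ComboFix log in post #6. The example below is an added illustration, not ComboFix's own logic and not CatByte's script: it parses the two log sections the helper worked from (the dated "Files Created" lines and the HKCU Run values) and renders the same CFScript shape. It leans on two signals that are visible in the log itself: the dropped files were written straight into c:\windows or c:\windows\system32 with a name mixing digits and letters (92536spyz57.exe, 3b25backdoor55z9.bin), and each of them has a creation time equal to its modification time, whereas the genuine OS file localspl.dll kept its 2003 modification time when it was re-copied in May. The cutoff date of 2009-05-01 (the earliest dropper in the log is dated 2009-05-05), the "three digits plus three letters" rule and the sample lines are assumptions constructed from the log, and the name rule is a simplification that a real triage would pair with hashes and vendor checks.

```python
import re
from datetime import datetime

# Constructed sample input: lines copied from the ComboFix log posted earlier
# in this thread (three dropped files, one genuine OS file that was only
# re-copied, and a few HKCU Run values).
SAMPLE_FILES = r"""
2009-06-12 00:34 . 2009-06-12 00:34 17262 ----a-w- c:\windows\92536spyz57.exe
2009-05-28 12:54 . 2009-05-28 12:54 12857 ----a-w- c:\windows\system32\3b25backdoor55z9.bin
2009-05-07 15:32 . 2003-07-16 16:26 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-06 23:22 . 2009-05-06 23:22 16258 ----a-w- c:\windows\system32\z15fdownloade92848.dll
"""

SAMPLE_RUN = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-07-07 288048]
"tixwf8p6.exe"="c:\windows\system32\tixwf8p6.exe" [2009-08-01 859136]
"""

# Assumption: the earliest dropped file in the log is dated 2009-05-05, so
# anything written to %windir% or system32 from May 2009 on is "in window".
CUTOFF = datetime(2009, 5, 1)
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

# "<created> . <modified> <size> <attrs> <path>"
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\d+) (\S+) (.+)$")
# '"<value>"="<target>" [<date> <size>]'
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)" \[(\d{4}-\d{2}-\d{2}) (\d+)\]$')


def parse_file_lines(text):
    """Parse ComboFix 'Files Created' lines into dicts; skips non-matching lines."""
    entries = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        entries.append({
            "created": datetime.strptime(created, "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(modified, "%Y-%m-%d %H:%M"),
            "size": int(size),
            "attrs": attrs,
            "path": path.strip(),
        })
    return entries


def split_path(path):
    """Lower-cased (directory, file name) of a Windows path."""
    directory, _, name = path.lower().rpartition("\\")
    return directory, name


def looks_generated(name):
    """Heuristic (assumption): the stem mixes at least three digits with at
    least three letters, like '3b25backdoor55z9'; 'localspl' does not."""
    stem = name.rsplit(".", 1)[0]
    digits = sum(c.isdigit() for c in stem)
    letters = sum(c.isalpha() for c in stem)
    return digits >= 3 and letters >= 3


def flag_dropped_files(entries, cutoff=CUTOFF):
    """Paths written directly into a system directory inside the window.
    created == modified separates freshly written files from OS files that
    were merely re-copied, which keep their old modification time."""
    return [e["path"] for e in entries
            if split_path(e["path"])[0] in SYSTEM_DIRS
            and e["created"] >= cutoff
            and e["created"] == e["modified"]
            and looks_generated(split_path(e["path"])[1])]


def flag_run_values(text, cutoff=CUTOFF):
    """(key, value name, target) for Run values whose target binary sits in a
    system directory and carries a file date inside the window."""
    flagged, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # remember the enclosing registry key
            continue
        m = RUN_RE.match(line)
        if not m:
            continue
        value, target, stamp, _size = m.groups()
        if (split_path(target)[0] in SYSTEM_DIRS
                and datetime.strptime(stamp, "%Y-%m-%d") >= cutoff):
            flagged.append((key, value, target))
    return flagged


def build_cfscript(files, run_values):
    """Render the CFScript shape used above: Collect:: (files to quarantine
    and upload) followed by Registry:: with '"<value>"=-' deletions."""
    collect = list(files) + [t for _, _, t in run_values if t not in files]
    lines = ["Collect::", *collect]
    for key in dict.fromkeys(k for k, _, _ in run_values):   # keep order, no repeats
        lines += ["", "Registry::", f"[{key}]"]
        lines += [f'"{v}"=-' for k, v, _ in run_values if k == key]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    files = flag_dropped_files(parse_file_lines(SAMPLE_FILES))
    print(build_cfscript(files, flag_run_values(SAMPLE_RUN)))
```

Run as-is it prints a Collect:: block with the three dropped files plus tixwf8p6.exe, and a Registry:: block that removes only the tixwf8p6.exe Run value; ctfmon.exe (2008 date) and uTorrent (not in a system directory) are left alone, as is localspl.dll.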


#10 jcommerce

jcommerce

    New Member

  • Authentic Member
  • Pip
  • 14 posts

Posted 01 August 2009 - 11:15 PM

ComboFix 09-08-01.06 - JFairclough 08/01/2009 23:04.2.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1737 [GMT -6:00]
Running from: c:\documents and settings\jfairclough\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\jfairclough\Desktop\CFScript.txt
AV: AVG 7.5.516 *On-access scanning enabled* (Updated) {41564737-3200-1071-989B-0000E87B4FB1}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

file zipped: c:\windows\1z539virusf.dll
file zipped: c:\windows\3d0asparse159z.exe
file zipped: c:\windows\3de69h5ez1970.exe
file zipped: c:\windows\4125bazkdo9r559.bin
file zipped: c:\windows\4b1adown5ozder395.dll
file zipped: c:\windows\5191spy9are186z.bin
file zipped: c:\windows\54359teal384z.bin
file zipped: c:\windows\555tr9jzf8.exe
file zipped: c:\windows\55davz92102.dll
file zipped: c:\windows\55f5t9zef2544.dll
file zipped: c:\windows\56245s9amboz75.exe
file zipped: c:\windows\58129py21z.bin
file zipped: c:\windows\5dd9baczdoo5718.bin
file zipped: c:\windows\5f96vzr1991.bin
file zipped: c:\windows\6179szyware951.dll
file zipped: c:\windows\6250stealz968.dll
file zipped: c:\windows\7456szarse9559.dll
file zipped: c:\windows\75z8a5dware26279.exe
file zipped: c:\windows\7c255zeal1967.bin
file zipped: c:\windows\7fe59zr696.exe
file zipped: c:\windows\8151n9t5a-vzrus2cf.dll
file zipped: c:\windows\82649otz5-virus379.exe
file zipped: c:\windows\8399hackzool75b.exe
file zipped: c:\windows\84bthief39z5.bin
file zipped: c:\windows\84zs5arse979.bin
file zipped: c:\windows\899sz56fc.bin
file zipped: c:\windows\9049zackt5ol442.dll
file zipped: c:\windows\92536spyz57.exe
file zipped: c:\windows\92b5d9zare277.exe
file zipped: c:\windows\9326tr9jz2a5.dll
file zipped: c:\windows\96c5threat39z0.bin
file zipped: c:\windows\9885stzal1565.exe
file zipped: c:\windows\a91thiez175.bin
file zipped: c:\windows\c4dba5k9oor972z.bin
file zipped: c:\windows\system32\107079ot-a-viruz253.exe
file zipped: c:\windows\system32\1195zwormc0.bin
file zipped: c:\windows\system32\1245zwo9m6b5.exe
file zipped: c:\windows\system32\1365spzmbo9652.exe
file zipped: c:\windows\system32\14091spy3z5.dll
file zipped: c:\windows\system32\15392not-a-viru549z.bin
file zipped: c:\windows\system32\17f3ad59are23z7.bin
file zipped: c:\windows\system32\1957hackt9ol5az.bin
file zipped: c:\windows\system32\1z799wor5912.exe
file zipped: c:\windows\system32\20895w9rz659.dll
file zipped: c:\windows\system32\222285irus49z.dll
file zipped: c:\windows\system32\22d1bzckdoor35359.dll
file zipped: c:\windows\system32\23545noz-a-vir5s9b8.dll
file zipped: c:\windows\system32\2386vir9z25.exe
file zipped: c:\windows\system32\245255ackto9l2z3.bin
file zipped: c:\windows\system32\24espazse859.bin
file zipped: c:\windows\system32\26398not-a-vi9u5z06.bin
file zipped: c:\windows\system32\27cdownloa9er253z.bin
file zipped: c:\windows\system32\28295tro56z1.dll
file zipped: c:\windows\system32\28561n9t-a-5zrus3a0.dll
file zipped: c:\windows\system32\299329roz755.exe
file zipped: c:\windows\system32\2999a59zare248.exe
file zipped: c:\windows\system32\29abszeal31625.dll
file zipped: c:\windows\system32\31982not-a-5irusz7d.exe
file zipped: c:\windows\system32\3669t5oj6z.bin
file zipped: c:\windows\system32\373bsteaz5689.exe
file zipped: c:\windows\system32\3b25backdoor55z9.bin
file zipped: c:\windows\system32\3d51zd5war91763.exe
file zipped: c:\windows\system32\3z99spa5se9752.exe
file zipped: c:\windows\system32\41c5threat2z109.exe
file zipped: c:\windows\system32\4325steal19z2.bin
file zipped: c:\windows\system32\45b4t9zef6565.dll
file zipped: c:\windows\system32\4710ha9kt5ol5zb.dll
file zipped: c:\windows\system32\4fcev5z3519.bin
file zipped: c:\windows\system32\51e9bzckdoor1891.exe
file zipped: c:\windows\system32\573a95arze797.exe
file zipped: c:\windows\system32\57925a9kzoor690.exe
file zipped: c:\windows\system32\5a679iz555.bin
file zipped: c:\windows\system32\5aeddow9loaderz252.dll
file zipped: c:\windows\system32\5cz9ad9ware1365.bin
file zipped: c:\windows\system32\5zc19ir2716.bin
file zipped: c:\windows\system32\67ba59dooz1582.bin
file zipped: c:\windows\system32\6e07backdo59158z.exe
file zipped: c:\windows\system32\6z9fthreat15219.dll
file zipped: c:\windows\system32\743addwa951389z.bin
file zipped: c:\windows\system32\757espa9ze2618.exe
file zipped: c:\windows\system32\7954thi9f2z21.dll
file zipped: c:\windows\system32\7998t9zeat19655.bin
file zipped: c:\windows\system32\9513hz95tool3c.exe
file zipped: c:\windows\system32\97a6thi5f15z9.bin
file zipped: c:\windows\system32\9922worm21z5.bin
file zipped: c:\windows\system32\az9teal2655.bin
file zipped: c:\windows\system32\c659yzare2990.dll
file zipped: c:\windows\system32\tixwf8p6.exe
file zipped: c:\windows\system32\z0132troj25a9.exe
file zipped: c:\windows\system32\z09859py456.dll
file zipped: c:\windows\system32\z15fdownloade92848.dll
file zipped: c:\windows\system32\z35999pambot718.dll
file zipped: c:\windows\system32\zc5edo9nloader152.exe
file zipped: c:\windows\system32\zc605teal993.dll
file zipped: c:\windows\system32\zf09threat10513.exe
file zipped: c:\windows\z0973not-a-9irus356.bin
file zipped: c:\windows\z4228w59m2f4.exe
file zipped: c:\windows\z598s9yfe.dll
file zipped: c:\windows\zeb9thief539.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\1z539virusf.dll
c:\windows\3c9b5hze9t23535.cpl
c:\windows\3d0asparse159z.exe
c:\windows\3d8dzwnl9ader1556.cpl
c:\windows\3de69h5ez1970.exe
c:\windows\3f9a59eal1z9.cpl
c:\windows\3fz5download5r14759.cpl
c:\windows\3z375not-a5vi9us316.cpl
c:\windows\4021spy59re1491z.cpl
c:\windows\4125bazkdo9r559.bin
c:\windows\4165hzcktool920.dll
c:\windows\4165ziru9593.exe
c:\windows\4212azdwa5e3960.ocx
c:\windows\4219ownloa5erz61.dll
c:\windows\422z5reat16694.ocx
c:\windows\4291down9oadzr13785.ocx
c:\windows\42z6dow5lo9der143.exe
c:\windows\43bfzo5nloader2589.exe
c:\windows\4428zackdo952537.dll
c:\windows\44c6threa5629z.bin
c:\windows\455ath5ea919658z.cpl
c:\windows\456aszeal2429.dll
c:\windows\45829zr799.dll
c:\windows\46b5threzt14809.ocx
c:\windows\47z8not-a-v95us70c.dll
c:\windows\493edown5oader2z16.bin
c:\windows\4959tz5l2716.ocx
c:\windows\495fsp5r9e5z4.cpl
c:\windows\4985wor9z05.exe
c:\windows\4abzt5ie92855.ocx
c:\windows\4b1adown5ozder395.dll
c:\windows\4b56tzre9t27889.bin
c:\windows\4d9ddowzloader9205.dll
c:\windows\4da5addwa9e888z.dll
c:\windows\4dz9thief159.dll
c:\windows\50cdsteal329z.exe
c:\windows\50e15t9az3192.bin
c:\windows\5109dowz5oad9r3054.bin
c:\windows\5147spambo918z.ocx
c:\windows\5191spy9are186z.bin
c:\windows\5196zworm393.cpl
c:\windows\51z3spyware1595.cpl
c:\windows\52516wo9m4bz.bin
c:\windows\5362szarse197.bin
c:\windows\536z8troj479.cpl
c:\windows\539bzownloa5er2824.ocx
c:\windows\54359teal384z.bin
c:\windows\543cdownload9r2213z.exe
c:\windows\5456st9alz22.cpl
c:\windows\545daddwar9318z.dll
c:\windows\5469spywaze2918.bin
c:\windows\555tr9jzf8.exe
c:\windows\5572virz559.cpl
c:\windows\5594thi5f2935z.bin
c:\windows\5595stzal2943.ocx
c:\windows\5595virus7z9.exe
c:\windows\55999ddware358z.bin
c:\windows\55c2zir9922.bin
c:\windows\55davz92102.dll
c:\windows\55f5t9zef2544.dll
c:\windows\56245s9amboz75.exe
c:\windows\563z6virus689.bin
c:\windows\56z7worm993.bin
c:\windows\5729addw5re1936z.dll
c:\windows\5768sparsz1119.ocx
c:\windows\57794virus7z29.exe
c:\windows\5795spy92z.cpl
c:\windows\58129py21z.bin
c:\windows\58672spamb9z7d9.dll
c:\windows\589ca5dzare3082.exe
c:\windows\590fspyware19z8.bin
c:\windows\5921down5ozder841.bin
c:\windows\59286hazktoo9521.dll
c:\windows\5947vir1z965.exe
c:\windows\5987z9r5at11031.exe
c:\windows\599359pz46.exe
c:\windows\5995down5ozder1056.bin
c:\windows\59a5tzief3250.ocx
c:\windows\59z9vir395.ocx
c:\windows\5a37backdozr9603.bin
c:\windows\5abdownlozder996.cpl
c:\windows\5b6downlo5de91z20.ocx
c:\windows\5d9zspyware411.exe
c:\windows\5dd9baczdoo5718.bin
c:\windows\5e95addware9z1.ocx
c:\windows\5eb2vir510z9.cpl
c:\windows\5f52zp9rse578.exe
c:\windows\5f96vzr1991.bin
c:\windows\5f9caddwa9e16z0.bin
c:\windows\5fa1downzo9der1637.ocx
c:\windows\5z59spy655.ocx
c:\windows\5z829spy3b8.ocx
c:\windows\5z91tro5600.ocx
c:\windows\5zd0backdoor22879.ocx
c:\windows\5zedv5r692.ocx
c:\windows\6059backd9orz800.bin
c:\windows\60z1spars95230.ocx
c:\windows\6153z9r3138.ocx
c:\windows\6179szyware951.dll
c:\windows\61905d9wzre2411.exe
c:\windows\6204z9rm29c5.cpl
c:\windows\6250stealz968.dll
c:\windows\62a0th9eatz2045.exe
c:\windows\6409zpy5are2371.cpl
c:\windows\6503bac5do9r17z.bin
c:\windows\650espyware9z69.dll
c:\windows\65309ir5sz15.bin
c:\windows\6557st5zl1919.ocx
c:\windows\675sp9zbot3e25.ocx
c:\windows\67679zt-a-vi5use4.bin
c:\windows\6799worm553z.ocx
c:\windows\679zt5oj297.ocx
c:\windows\6c5zthreat92487.exe
c:\windows\6e8zsparse93765.cpl
c:\windows\6f5at5ief205z9.exe
c:\windows\6z499ro5235.ocx
c:\windows\7364sp5mb9t1z5.bin
c:\windows\7456szarse9559.dll
c:\windows\749pzrse2985.ocx
c:\windows\7506tzief798.dll
c:\windows\756zbac9door3131.bin
c:\windows\75b79parsez764.cpl
c:\windows\75ff9pyware32z2.bin
c:\windows\75z8a5dware26279.exe
c:\windows\7639downl5adez1204.ocx
c:\windows\7656szywa9e9105.cpl
c:\windows\77229o5-a-vizus751.dll
c:\windows\7756thi9z734.cpl
c:\windows\7916zackdoor5093.exe
c:\windows\7957noz-a-vi5us4e4.dll
c:\windows\7bf79hreat10z955.dll
c:\windows\7c255zeal1967.bin
c:\windows\7ca95ackzoor3934.exe
c:\windows\7f019py5are25z1.exe
c:\windows\7fe59zr696.exe
c:\windows\7ffzaddware5509.exe
c:\windows\8008z9oj485.exe
c:\windows\8151n9t5a-vzrus2cf.dll
c:\windows\82649otz5-virus379.exe
c:\windows\8399hackzool75b.exe
c:\windows\8451troj59z.cpl
c:\windows\8458hacktozl5109.bin
c:\windows\84bthief39z5.bin
c:\windows\84zs5arse979.bin
c:\windows\8567v9rus11z.ocx
c:\windows\899sz56fc.bin
c:\windows\8a4a5dware12z9.cpl
c:\windows\8acbackdoo9591z.ocx
c:\windows\8f2tzief23759.bin
c:\windows\901755zt-a-virus3c3.cpl
c:\windows\9041spambot15z.bin
c:\windows\9049zackt5ol442.dll
c:\windows\905fzparse315.cpl
c:\windows\91285zoj199.dll
c:\windows\92536spyz57.exe
c:\windows\92b5d9zare277.exe
c:\windows\92ccbzckdoo51229.ocx
c:\windows\9326tr9jz2a5.dll
c:\windows\93709spy53z.dll
c:\windows\94206worm5b1z.bin
c:\windows\9507steal317z.ocx
c:\windows\95c5zarse2364.dll
c:\windows\95f2addzare420.exe
c:\windows\96c5threat39z0.bin
c:\windows\9720thiez2245.ocx
c:\windows\975ebackdozr2149.bin
c:\windows\9791zroj9b5.bin
c:\windows\9885stzal1565.exe
c:\windows\9995wozm625.cpl
c:\windows\99espa5se2013z.exe
c:\windows\9dz8spyware511.bin
c:\windows\9f2z5parse1730.cpl
c:\windows\9z9455irus48c.cpl
c:\windows\a19thzef1529.bin
c:\windows\a91thiez175.bin
c:\windows\a92vir2255z.ocx
c:\windows\b229hrea523z49.dll
c:\windows\c4dba5k9oor972z.bin
c:\windows\c99thiz52901.dll
c:\windows\ce5do9nloaz5r3158.exe
c:\windows\ceethrez59911.bin
c:\windows\d3b9pzr5e895.dll
c:\windows\ed6baczd5o9581.exe
c:\windows\f95downloadez9005.cpl
c:\windows\ffsze9l5872.bin
c:\windows\system32\107079ot-a-viruz253.exe
c:\windows\system32\1092z5dware766.exe
c:\windows\system32\1094zspy75f.ocx
c:\windows\system32\11925zo9m28c.dll
c:\windows\system32\1195zwormc0.bin
c:\windows\system32\1245zwo9m6b5.exe
c:\windows\system32\1254backdo9z2661.exe
c:\windows\system32\127795irus32bz.cpl
c:\windows\system32\1295st5az2515.bin
c:\windows\system32\129z2wo59d5.bin
c:\windows\system32\136509iru54zc.ocx
c:\windows\system32\1365spzmbo9652.exe
c:\windows\system32\14043s5azb9t783.bin
c:\windows\system32\14091spy3z5.dll
c:\windows\system32\14459zr9j5ea5.bin
c:\windows\system32\1495zvi5u973a.dll
c:\windows\system32\15048zpy5965.dll
c:\windows\system32\15367tzoj52e9.ocx
c:\windows\system32\15392not-a-viru549z.bin
c:\windows\system32\153995py4z8.cpl
c:\windows\system32\154529py553z.cpl
c:\windows\system32\15611hack9ozlf7.bin
c:\windows\system32\15629troj2d9z.dll
c:\windows\system32\15722noz-a-virus195.dll
c:\windows\system32\1579zwo9m196.bin
c:\windows\system32\1583spa9sez255.cpl
c:\windows\system32\15926not-a-v5rzs6c.bin
c:\windows\system32\1599vzr939.ocx
c:\windows\system32\15z4995oj19d.bin
c:\windows\system32\16553v9zus2f7.exe
c:\windows\system32\1659s9ywarz1195.exe
c:\windows\system32\165fthreat207z19.cpl
c:\windows\system32\16z55spy5a59.ocx
c:\windows\system32\1711zvirus595.exe
c:\windows\system32\174195orm1ez.cpl
c:\windows\system32\17536viru95ze.cpl
c:\windows\system32\17598zpy349.ocx
c:\windows\system32\17764trzj3935.ocx
c:\windows\system32\17856worm65z9.ocx
c:\windows\system32\1785threzt93296.bin
c:\windows\system32\17922zi5us296.ocx
c:\windows\system32\1798sparse28z15.cpl
c:\windows\system32\179z6hack5ool293.cpl
c:\windows\system32\17f3ad59are23z7.bin
c:\windows\system32\17z01v5rus98e.bin
c:\windows\system32\18299v5rzs516.cpl
c:\windows\system32\18645szamb9t27a.dll
c:\windows\system32\18719s5az9otcb.cpl
c:\windows\system32\19575virus24z.bin
c:\windows\system32\1957hackt9ol5az.bin
c:\windows\system32\1989sz5rs91492.dll
c:\windows\system32\198es5yware19z3.cpl
c:\windows\system32\1990wo9z5f6.cpl
c:\windows\system32\19939a5ktoolz62.exe
c:\windows\system32\1ac6sza59e234.exe
c:\windows\system32\1c1cadd59re58z.exe
c:\windows\system32\1d58vir3z09.cpl
c:\windows\system32\1d94bzckd5or1972.cpl
c:\windows\system32\1f28addwaze2957.dll
c:\windows\system32\1z39addware1515.dll
c:\windows\system32\1z628no9-a-virus355.ocx
c:\windows\system32\1z799wor5912.exe
c:\windows\system32\1z85spyware9537.dll
c:\windows\system32\1z97steal2593.ocx
c:\windows\system32\1z9989r5j5a3.cpl
c:\windows\system32\200z695y191.dll
c:\windows\system32\2019spars51z77.cpl
c:\windows\system32\206935roj611z.cpl
c:\windows\system32\20895w9rz659.dll
c:\windows\system32\21107zot9a-vir5s320.dll
c:\windows\system32\2128z9acktool2f75.ocx
c:\windows\system32\215z8worm6519.dll
c:\windows\system32\222285irus49z.dll
c:\windows\system32\22393sz94a5.dll
c:\windows\system32\225989py190z.bin
c:\windows\system32\2295s5arse1208z.bin
c:\windows\system32\22d1bzckdoor35359.dll
c:\windows\system32\23545noz-a-vir5s9b8.dll
c:\windows\system32\2375zvir9s6f5.dll
c:\windows\system32\2386vir9z25.exe
c:\windows\system32\23c3add9aze625.bin
c:\windows\system32\23f4s9yw5rz1731.ocx
c:\windows\system32\24059hack59ol2ze.ocx
c:\windows\system32\2430ztr5931d.exe
c:\windows\system32\245255ackto9l2z3.bin
c:\windows\system32\245aba9kdooz48.exe
c:\windows\system32\24be5dzware24009.ocx
c:\windows\system32\24espazse859.bin
c:\windows\system32\25199troj2zc.cpl
c:\windows\system32\25432n9t-a-virus7fz.cpl
c:\windows\system32\25769worz169.bin
c:\windows\system32\25878w5rmz92.ocx
c:\windows\system32\25ae5ir329z.bin
c:\windows\system32\25z02t9oj6fd5.bin
c:\windows\system32\25z8thief839.dll
c:\windows\system32\260739ot-azvirus533.bin
c:\windows\system32\26398not-a-vi9u5z06.bin
c:\windows\system32\26e2sp9rsz1615.cpl
c:\windows\system32\26fzs5e9l2539.cpl
c:\windows\system32\27cdownloa9er253z.bin
c:\windows\system32\28134zroj595.bin
c:\windows\system32\28157s9yza2.dll
c:\windows\system32\28295tro56z1.dll
c:\windows\system32\28561n9t-a-5zrus3a0.dll
c:\windows\system32\28587hzc95ool1b4.bin
c:\windows\system32\28865z9a5bot43a.ocx
c:\windows\system32\28943hacztool453.bin
c:\windows\system32\293645py1z.bin
c:\windows\system32\293downlo5der284z.ocx
c:\windows\system32\29487zackto5l3d9.bin
c:\windows\system32\29551wormbfz.bin
c:\windows\system32\299329roz755.exe
c:\windows\system32\29944spam5ot5z4.bin
c:\windows\system32\2999a59zare248.exe
c:\windows\system32\299ea5dwar92464z.exe
c:\windows\system32\299t5izf2296.cpl
c:\windows\system32\299z2wo5m6f.exe
c:\windows\system32\29abszeal31625.dll
c:\windows\system32\2a889dd5are190z.dll
c:\windows\system32\2a9bspy5aze76.cpl
c:\windows\system32\2azaadd9are335.ocx
c:\windows\system32\2c1abac9d5zr799.exe
c:\windows\system32\2c28spywa9z13345.bin
c:\windows\system32\2cf2a9zware2570.dll
c:\windows\system32\2e9asp5rze990.cpl
c:\windows\system32\2ef459dware5z9.ocx
c:\windows\system32\2f95thrzat23465.bin
c:\windows\system32\2z037sp59.exe
c:\windows\system32\2z985w9rm362.bin
c:\windows\system32\2ze9st5al302.exe
c:\windows\system32\3111s9y5are300z.ocx
c:\windows\system32\31982not-a-5irusz7d.exe
c:\windows\system32\32155ha9ktooz1e2.ocx
c:\windows\system32\32560spyz9f.bin
c:\windows\system32\32599zroj90.cpl
c:\windows\system32\3264dzwn5oader2299.dll
c:\windows\system32\326not-59virus5d6z.cpl
c:\windows\system32\33aastealz599.dll
c:\windows\system32\340259y1z4.cpl
c:\windows\system32\343czh5ef2691.exe
c:\windows\system32\34d5backd9or7z5.ocx
c:\windows\system32\3596vir2z82.ocx
c:\windows\system32\35f2steaz3249.dll
c:\windows\system32\3669t5oj6z.bin
c:\windows\system32\3699v9z559.exe
c:\windows\system32\369zvir1195.ocx
c:\windows\system32\373bsteaz5689.exe
c:\windows\system32\3799not-a-z5rus7db.exe
c:\windows\system32\38499o5m3acz.ocx
c:\windows\system32\38de9pazs51581.cpl
c:\windows\system32\3b25backdoor55z9.bin
c:\windows\system32\3b2zs5ywa9e1029.cpl
c:\windows\system32\3b9zadd5are1097.cpl
c:\windows\system32\3bbbt5reaz9314.ocx
c:\windows\system32\3bd8downzoa95r513.ocx
c:\windows\system32\3c1threat1594z9.ocx
c:\windows\system32\3d50spyza9e369.exe
c:\windows\system32\3d51zd5war91763.exe
c:\windows\system32\3db7threa9z2504.ocx
c:\windows\system32\3e65bac9door1884z.ocx
c:\windows\system32\3fz2sparse90225.exe
c:\windows\system32\3z509hief1099.bin
c:\windows\system32\3z99spa5se9752.exe
c:\windows\system32\4093not-a-virz5589.exe
c:\windows\system32\40dabaczdoor25249.cpl
c:\windows\system32\4175vi59z28a.exe
c:\windows\system32\41c5threat2z109.exe
c:\windows\system32\41ccs5e9l2565z.cpl
c:\windows\system32\42z6no9-a-virus4545.ocx
c:\windows\system32\4325steal19z2.bin
c:\windows\system32\4512wor5ze09.dll
c:\windows\system32\4557s5ealz945.cpl
c:\windows\system32\4569szyware51.cpl
c:\windows\system32\4589th5zat15912.exe
c:\windows\system32\4595steal2z68.exe
c:\windows\system32\45b4t9zef6565.dll
c:\windows\system32\45c79pywarez526.ocx
c:\windows\system32\4654zir957.ocx
c:\windows\system32\4705tro9z45.dll
c:\windows\system32\4710ha9kt5ol5zb.dll
c:\windows\system32\47615irus259z.exe
c:\windows\system32\4796hacktool4z65.cpl
c:\windows\system32\4853viz3192.bin
c:\windows\system32\48565hreaz5339.cpl
c:\windows\system32\487dowzlo5der1809.bin
c:\windows\system32\48f95teal2089z.ocx
c:\windows\system32\4906hac9tozl457.exe
c:\windows\system32\4919sparsz3557.bin
c:\windows\system32\4948tzreat28354.ocx
c:\windows\system32\495virzs7d25.ocx
c:\windows\system32\4982viz2155.ocx
c:\windows\system32\49b4b5ck9oor1214z.bin
c:\windows\system32\4a79ba5kdooz1485.ocx
c:\windows\system32\4b1at5rea9159z0.bin
c:\windows\system32\4bbavi95z07.exe
c:\windows\system32\4c57z9ckdoo52046.dll
c:\windows\system32\4fcev5z3519.bin
c:\windows\system32\50d59hiefz381.cpl
c:\windows\system32\5160zir5s296.cpl
c:\windows\system32\51959spam9oz601.bin
c:\windows\system32\51e0thrzat155099.ocx
c:\windows\system32\51e9bzckdoor1891.exe
c:\windows\system32\527z9spy334.exe
c:\windows\system32\52d6zteal495.ocx
c:\windows\system32\5396spywa5e2072z.exe
c:\windows\system32\54335hacktz9l3af.ocx
c:\windows\system32\5475tr9z57d.ocx
c:\windows\system32\54952not-azvirus1ea.dll
c:\windows\system32\55059acktooz5b1.ocx
c:\windows\system32\55257worm94z.exe
c:\windows\system32\5528th9eat1z826.ocx
c:\windows\system32\5549spyz599.exe
c:\windows\system32\5559virus31z.cpl
c:\windows\system32\55zthie9100.exe
c:\windows\system32\562downloa5z950.ocx
c:\windows\system32\5645dowz9oader2868.ocx
c:\windows\system32\5651spzmbot60f9.cpl
c:\windows\system32\573a95arze797.exe
c:\windows\system32\5750b9ckzoo52736.cpl
c:\windows\system32\57925a9kzoor690.exe
c:\windows\system32\5825b9ckdoor3z16.exe
c:\windows\system32\58z39ownloader827.bin
c:\windows\system32\58z7v9r2155.bin
c:\windows\system32\5909spzmbot53a.ocx
c:\windows\system32\59243virus608z.ocx
c:\windows\system32\5926zpa5bot97f.cpl
c:\windows\system32\59316troj3z.dll
c:\windows\system32\59329wzrm6ef.exe
c:\windows\system32\5935zddware96.bin
c:\windows\system32\5945thief152z.cpl
c:\windows\system32\59473worm56z.bin
c:\windows\system32\59491notza-virus5e39.dll
c:\windows\system32\5977viz2656.ocx
c:\windows\system32\598zpambot26b.ocx
c:\windows\system32\5994v9r105z.exe
c:\windows\system32\59cfbackdooz11815.cpl
c:\windows\system32\59f6sparse5169z.dll
c:\windows\system32\5a3dth9ez2493.bin
c:\windows\system32\5a679iz555.bin
c:\windows\system32\5a9zspywar91649.bin
c:\windows\system32\5aeddow9loaderz252.dll
c:\windows\system32\5b94ba9kdo5r1z15.bin
c:\windows\system32\5cz9ad9ware1365.bin
c:\windows\system32\5d96sz9ware5135.cpl
c:\windows\system32\5d9downlzad9r973.cpl
c:\windows\system32\5ddfste95z845.cpl
c:\windows\system32\5dz9s5arse348.ocx
c:\windows\system32\5e92z9ief858.ocx
c:\windows\system32\5z469spambot639.ocx
c:\windows\system32\5z736s9y46a.ocx
c:\windows\system32\5zc19ir2716.bin
c:\windows\system32\5zc8vir2932.bin
c:\windows\system32\5zecv5r2986.cpl
c:\windows\system32\603a9hze5t12857.dll
c:\windows\system32\6129spyza5e3169.cpl
c:\windows\system32\622zvi9u5754.dll
c:\windows\system32\64f0s9eaz5045.exe
c:\windows\system32\6512zor9209.cpl
c:\windows\system32\6557zorm5f9.exe
c:\windows\system32\6597stezl4695.ocx
c:\windows\system32\65z5spa9se429.dll
c:\windows\system32\65z9addwa5e1640.ocx
c:\windows\system32\65zavir5964.dll
c:\windows\system32\66e19hreatz9576.bin
c:\windows\system32\67ba59dooz1582.bin
c:\windows\system32\6854spazbo9150.dll
c:\windows\system32\6929sz5rse1542.ocx
c:\windows\system32\6933zhie52922.exe
c:\windows\system32\6955stezl753.dll
c:\windows\system32\6978thizf541.bin
c:\windows\system32\6azasp59are1527.ocx
c:\windows\system32\6d5a5zr2090.dll
c:\windows\system32\6ddzvir6395.bin
c:\windows\system32\6e07backdo59158z.exe
c:\windows\system32\6f659zief1754.exe
c:\windows\system32\6f93th5ez30209.dll
c:\windows\system32\6z16d9wnl5ader1834.cpl
c:\windows\system32\6z9fthreat15219.dll
c:\windows\system32\6zabback9oor258.bin
c:\windows\system32\71025iruszf19.ocx
c:\windows\system32\719z5r9j704.dll
c:\windows\system32\72d4thzeat159589.dll
c:\windows\system32\73z5steal7439.ocx
c:\windows\system32\743addwa951389z.bin
c:\windows\system32\749zpa9bot1c5.dll
c:\windows\system32\757a9zief19.exe
c:\windows\system32\757espa9ze2618.exe
c:\windows\system32\759zthief2656.exe
c:\windows\system32\75c9thrzat246639.ocx
c:\windows\system32\7769zhi5f1753.exe
c:\windows\system32\7890not-z-virus325.ocx
c:\windows\system32\78cbzteal5799.ocx
c:\windows\system32\7904addw5rez07.cpl
c:\windows\system32\7954thi9f2z21.dll
c:\windows\system32\7979spyz4f5.ocx
c:\windows\system32\7998t9zeat19655.bin
c:\windows\system32\79b4spyware1895z.cpl
c:\windows\system32\7bd6sp5rse29z6.exe
c:\windows\system32\7c5z9parse2945.cpl
c:\windows\system32\7d07th9eat60z15.cpl
c:\windows\system32\7d65sp5zse1109.exe
c:\windows\system32\7e34ba9k5oor81z.bin
c:\windows\system32\7e9dbackd9or1z05.bin
c:\windows\system32\7f0bdow5zoa9er1138.bin
c:\windows\system32\7z12t5o9a9.bin
c:\windows\system32\7z86viru9576.ocx
c:\windows\system32\7zcdthreat51949.exe
c:\windows\system32\81fbaz5door3079.ocx
c:\windows\system32\83cspywz9e1554.dll
c:\windows\system32\8780n9t-a-ziru5587.bin
c:\windows\system32\8900virzs754.dll
c:\windows\system32\909z5py14d.exe
c:\windows\system32\91577tr5j5cz.bin
c:\windows\system32\92486hackt5ol1za.exe
c:\windows\system32\9294tzief2256.bin
c:\windows\system32\92z38wor5326.ocx
c:\windows\system32\93532sp5mbot16z.ocx
c:\windows\system32\93575ir320z.bin
c:\windows\system32\9363t5ief240z.ocx
c:\windows\system32\94z55py2a4.dll
c:\windows\system32\9513hz95tool3c.exe
c:\windows\system32\9523wo9z305.ocx
c:\windows\system32\952baddware196z.dll
c:\windows\system32\95775not-a-virusz53.exe
c:\windows\system32\95812vizus41f.ocx
c:\windows\system32\9585worm6za.bin
c:\windows\system32\95e2szarse1631.bin
c:\windows\system32\964evir21z5.dll
c:\windows\system32\9691sp5mbot9z4.dll
c:\windows\system32\97a6thi5f15z9.bin
c:\windows\system32\9922worm21z5.bin
c:\windows\system32\996ztro5259.bin
c:\windows\system32\99985t5zj462.dll
c:\windows\system32\99d5backzoor1372.bin
c:\windows\system32\9a8athreatz6205.bin
c:\windows\system32\9z09spambo579a.ocx
c:\windows\system32\9z25sp5mbo9a0.cpl
c:\windows\system32\9z850virus33b.dll
c:\windows\system32\a89s9zrse1315.cpl
c:\windows\system32\az9teal2655.bin
c:\windows\system32\c1stza5239.bin
c:\windows\system32\c659yzare2990.dll
c:\windows\system32\cbz5pars91996.cpl
c:\windows\system32\d89spyzare53.ocx
c:\windows\system32\f5zv9r516.cpl
c:\windows\system32\tixwf8p6.exe
c:\windows\system32\z0132troj25a9.exe
c:\windows\system32\z0537spy953.dll
c:\windows\system32\z09859py456.dll
c:\windows\system32\z15fdownloade92848.dll
c:\windows\system32\z265th9e574.exe
c:\windows\system32\z284spambo9654.exe
c:\windows\system32\z35999pambot718.dll
c:\windows\system32\z416s5ambot1119.cpl
c:\windows\system32\z529vir1251.ocx
c:\windows\system32\z55299py3b4.cpl
c:\windows\system32\z5654vir9s7a.cpl
c:\windows\system32\z5859sp94c4.dll
c:\windows\system32\z5956t9oj375.bin
c:\windows\system32\z5d99pyware9675.cpl
c:\windows\system32\z5e9spy9are5284.ocx
c:\windows\system32\z65bst9al1761.cpl
c:\windows\system32\z7649s5ambot33b.exe
c:\windows\system32\z792worm55a.cpl
c:\windows\system32\z8eds5eal2198.dll
c:\windows\system32\z95avir22145.dll
c:\windows\system32\z9e5back9oor1252.cpl
c:\windows\system32\zc2spywar5794.cpl
c:\windows\system32\zc5edo9nloader152.exe
c:\windows\system32\zc605teal993.dll
c:\windows\system32\zf09threat10513.exe
c:\windows\system32\zfdcsparse1592.cpl
c:\windows\z089t5oj12.bin
c:\windows\z0973not-a-9irus356.bin
c:\windows\z111sp5mbot592.bin
c:\windows\z1491v5r9sce.bin
c:\windows\z15599roj60c5.dll
c:\windows\z1721sp5mbot249.ocx
c:\windows\z26bsparse2955.exe
c:\windows\z4054virus5985.dll
c:\windows\z4228w59m2f4.exe
c:\windows\z459sparse9316.bin
c:\windows\z4811wor55a9.ocx
c:\windows\z4cspyware3795.exe
c:\windows\z57e5hi9f2904.bin
c:\windows\z598s9yfe.dll
c:\windows\z665th59at8601.dll
c:\windows\z79addware755.dll
c:\windows\z8ebbackdo9r1605.bin
c:\windows\z991spy95e.exe
c:\windows\z9acbackdo5r2953.ocx
c:\windows\z9bbt5ief1542.dll
c:\windows\zd3adownlo5d9r1802.exe
c:\windows\zeb9thief539.exe
c:\windows\zf059ownloader266.bin
F:\autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-07-02 to 2009-08-02 )))))))))))))))))))))))))))))))
.

2009-08-01 20:53 . 2009-07-13 19:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-01 20:52 . 2009-08-01 20:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-01 20:52 . 2009-08-01 20:52 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-08-01 20:52 . 2009-07-13 19:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-01 20:38 . 2009-08-01 20:38 -------- d-----w- c:\program files\Video Server E
2009-08-01 19:28 . 2009-08-01 19:28 -------- d-----w- c:\program files\Trend Micro
2009-08-01 17:47 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-08-01 15:41 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-08-01 15:38 . 2009-08-01 15:38 -------- dc-h--w- c:\docume~1\ALLUSE~1\APPLIC~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-01 15:38 . 2009-08-01 15:41 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Lavasoft
2009-08-01 15:38 . 2009-08-01 15:38 -------- d-----w- c:\program files\Lavasoft
2009-07-30 02:10 . 2009-07-30 02:10 -------- d-----w- c:\program files\Seagate
2009-07-30 02:10 . 2009-07-30 02:10 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Seagate
2009-07-30 02:09 . 2009-07-30 02:09 -------- d-----w- c:\documents and settings\jfairclough\Local Settings\Application Data\Downloaded Installations
2009-07-30 02:09 . 2009-01-16 08:19 1731736 ----a-w- c:\documents and settings\jfairclough\Application Data\Leadertech\PowerRegister\Seagate 2GEY20ZG Product Registration.exe
2009-07-30 02:06 . 2009-07-30 02:06 -------- d-----w- c:\documents and settings\jfairclough\Application Data\Leadertech
2009-07-27 00:36 . 2009-07-27 00:36 -------- d-----w- C:\Garmin
2009-07-26 21:08 . 2009-08-01 15:39 -------- d-----w- c:\documents and settings\jfairclough\Local Settings\Application Data\Temp
2009-07-25 19:23 . 2009-07-25 19:23 -------- d-----w- c:\documents and settings\jfairclough\Application Data\GARMIN
2009-07-20 03:21 . 2009-07-20 03:21 -------- d-----w- c:\documents and settings\jfairclough\Application Data\Cakewalk
2009-07-20 03:20 . 2006-11-30 21:49 368640 ----a-w- c:\windows\system32\ReWire.dll
2009-07-20 03:20 . 2009-07-20 03:20 -------- d-----w- c:\program files\Cakewalk
2009-07-08 05:09 . 2009-07-08 05:09 -------- d-sh--w- c:\documents and settings\jfairclough\IECompatCache
2009-07-05 19:35 . 2009-07-05 20:27 -------- d-----w- c:\documents and settings\jfairclough\Application Data\LimeWire
2009-07-05 19:33 . 2009-07-05 19:33 -------- d-----w- c:\program files\LimeWire
2009-07-05 07:18 . 2009-07-05 07:18 -------- d-----w- c:\windows\system32\wbem\Repository
2009-07-05 06:13 . 2009-07-05 06:13 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-05 06:09 . 2009-07-05 07:28 -------- d-----w- C:\OEMSettings
2009-07-05 01:39 . 2009-07-05 01:39 -------- d-sh--w- c:\documents and settings\jfairclough\PrivacIE
2009-07-05 01:38 . 2009-07-05 01:38 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-05 01:29 . 2009-07-05 01:29 -------- d-sh--w- c:\documents and settings\jfairclough\IETldCache
2009-07-05 00:52 . 2009-07-05 00:52 -------- d-----w- c:\windows\system32\XPSViewer
2009-07-05 00:52 . 2009-07-05 00:52 -------- d-----w- c:\program files\MSBuild
2009-07-05 00:52 . 2009-07-05 00:52 -------- d-----w- c:\program files\Reference Assemblies
2009-07-05 00:51 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-07-05 00:51 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-07-05 00:51 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-07-05 00:51 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-07-05 00:51 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-07-05 00:51 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-07-05 00:51 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-07-05 00:50 . 2009-07-05 01:06 -------- d-----w- c:\windows\SxsCaPendDel
2009-07-04 22:21 . 2009-07-04 22:21 -------- d-----w- c:\windows\system32\KB905474
2009-07-04 22:21 . 2009-03-11 04:26 1403264 ----a-w- c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-07-04 22:21 . 2009-03-11 04:18 453512 ----a-w- c:\windows\system32\KB905474\wgasetup.exe
2009-07-04 21:55 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-07-04 21:55 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-07-04 21:55 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-07-04 21:55 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-07-04 21:55 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-07-04 21:55 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-07-04 21:55 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-07-04 21:55 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-07-04 21:55 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-07-04 21:55 . 2009-02-06 11:08 2189056 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-07-04 21:55 . 2009-02-06 11:06 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-07-04 21:55 . 2009-02-06 10:32 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-07-04 21:54 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-07-04 21:54 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-07-04 21:52 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-07-04 21:50 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-07-04 21:49 . 2008-09-04 17:15 1106944 -c----w- c:\windows\system32\dllcache\msxml3.dll
2009-07-04 21:49 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-07-04 21:48 . 2008-05-01 14:33 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2009-07-04 21:47 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-07-04 21:45 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-07-04 21:45 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-07-04 18:23 . 2009-07-04 18:23 -------- d-----w- c:\windows\system32\scripting
2009-07-04 18:23 . 2009-07-04 18:23 -------- d-----w- c:\windows\l2schemas
2009-07-04 18:23 . 2009-07-04 18:23 -------- d-----w- c:\windows\system32\en
2009-07-04 18:23 . 2009-07-04 18:23 -------- d-----w- c:\windows\system32\bits
2009-07-04 17:58 . 2008-04-14 00:11 136192 ------w- c:\windows\system32\aaclient.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-02 04:04 . 2009-06-26 04:17 -------- d-----w- c:\documents and settings\jfairclough\Application Data\uTorrent
2009-08-01 15:39 . 2006-05-18 14:30 -------- d-----w- c:\program files\Google
2009-08-01 05:35 . 2006-07-21 16:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-01 05:35 . 2006-07-21 16:15 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2009-08-01 03:38 . 2008-07-22 04:40 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Soulseek
2009-07-31 10:05 . 2008-04-10 22:42 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Google Updater
2009-07-30 02:10 . 2006-05-18 14:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-29 03:26 . 2008-09-02 03:37 -------- d-----w- c:\program files\DivX
2009-07-27 01:20 . 2009-04-17 22:02 -------- d-----w- c:\documents and settings\jfairclough\Application Data\Azureus
2009-07-05 06:38 . 2008-09-01 19:52 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-07-05 01:33 . 2006-05-18 14:51 70136 ----a-w- c:\documents and settings\jfairclough\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-04 18:27 . 2006-05-17 23:33 87263 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-07-02 22:16 . 2009-07-02 22:14 -------- d-----w- c:\documents and settings\jfairclough\Application Data\WindSolutions
2009-07-02 22:14 . 2009-07-02 22:14 -------- d-----w- c:\program files\WindSolutions
2009-07-02 22:14 . 2009-07-02 22:14 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\WindSolutions
2009-07-02 20:53 . 2008-07-22 03:33 -------- d-----w- c:\program files\NETGEAR
2009-07-01 04:24 . 2009-06-28 02:16 -------- d-----w- c:\program files\MediaCoder
2009-07-01 03:49 . 2009-07-01 03:40 -------- d-----w- c:\program files\Magical Jelly Bean SHN Shortener
2009-06-28 02:23 . 2009-06-28 02:15 -------- d-----w- c:\program files\Xobni
2009-06-28 02:22 . 2006-06-07 17:31 -------- d-----w- c:\program files\Yahoo!
2009-06-28 02:15 . 2009-06-28 02:15 -------- d-----w- c:\documents and settings\jfairclough\Application Data\WeatherBug
2009-06-28 02:14 . 2009-06-28 02:14 -------- d-----w- c:\documents and settings\jfairclough\Application Data\blinkx
2009-06-28 02:14 . 2009-06-28 02:14 -------- d-----w- c:\documents and settings\jfairclough\Application Data\PriceGong
2009-06-26 14:49 . 2009-06-26 14:35 -------- d-----w- c:\program files\Winamp
2009-06-26 14:44 . 2009-06-26 14:35 -------- d-----w- c:\documents and settings\jfairclough\Application Data\Winamp
2009-06-26 04:17 . 2009-06-26 04:17 -------- d-----w- c:\program files\uTorrent
2009-05-07 15:32 . 2003-07-16 16:26 345600 ----a-w- c:\windows\system32\localspl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-12-10 00:40 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-12-10 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"EFI Job Monitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\efjm.dll" [2004-08-10 2510848]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-18 68856]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-07-07 288048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-17 148888]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-23 116040]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-05-26 180269]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-05-28 570664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-05-01 185640]

c:\documents and settings\jfairclough\Start Menu\Programs\Startup\
Seagate 2GEY20ZG Product Registration.lnk - c:\documents and settings\jfairclough\Application Data\Leadertech\PowerRegister\Seagate 2GEY20ZG Product Registration.exe [2009-7-29 1731736]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2008-12-11 2322432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"MaxGPOScriptWait"= 1000 (0x3e8)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SideACT!.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SideACT!.lnk
backup=c:\windows\pss\SideACT!.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^jfairclough^Start Menu^Programs^Startup^Avaya IP Softphone.lnk]
path=c:\documents and settings\jfairclough\Start Menu\Programs\Startup\Avaya IP Softphone.lnk
backup=c:\windows\pss\Avaya IP Softphone.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Danware Data\\NetOp Remote Control\\Host\\NHSTW32.EXE"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/1/2009 9:41 AM 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 8:49 AM 1029456]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [12/28/2007 3:02 PM 287232]
S1 NHostNT1;NetOp Driver 1 ver. 8.00 (2006047);c:\windows\system32\drivers\NHOSTNT1.SYS [5/18/2006 12:12 PM 90896]
S2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [4/17/2009 4:02 PM 464264]
S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [4/17/2009 4:02 PM 234888]
S2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/9/2007 1:13 PM 38144]
S2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [5/1/2009 2:35 PM 181544]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/26/2009 3:08 PM 133104]
S2 NetOp Host for NT Service;NetOp Helper ver. 8.00 (2006047);c:\program files\Danware Data\NetOp Remote Control\Host\NHOSTSVC.EXE [5/18/2006 12:12 PM 1196304]
S2 Retrospect Client;Retrospect Client;c:\program files\Dantz\Client\RemotSvc.exe [5/18/2006 10:21 AM 57344]
S3 ECCL100;ECCL100 NDIS Protocol Driver;\??\c:\windows\system32\ECCL100.SYS --> c:\windows\system32\ECCL100.SYS [?]
S3 NHOSTNT3;NetOp Driver 3 ver. 8.00 (2006047) (NHOSTNT3);c:\windows\system32\drivers\NHOSTNT3.SYS [5/18/2006 12:12 PM 3216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.6.4/GarminAxControl.CAB
DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} - hxxp://qmedia.xlontech.net/100170/sdk/latest/qsp2ie06041001.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-01 23:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(808)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-08-02 23:18
ComboFix-quarantined-files.txt 2009-08-02 05:18
ComboFix2.txt 2009-08-02 04:17

Pre-Run: 21,705,953,280 bytes free
Post-Run: 21,650,018,304 bytes free

908 --- E O F --- 2008-04-20 10:06
Upload was successful


#11 CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 01 August 2009 - 11:20 PM

Hi,

Please do the following:

Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT

Run an on-line scan with Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.

  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


In your next reply please include
  • MBAM Log
  • Kaspersky report

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#12 jcommerce

    New Member

  • Authentic Member
  • Pip
  • 14 posts

Posted 02 August 2009 - 12:28 AM

By the way, I'm going to uninstall Vuze and Limewire from my computer. I rarely use either but I know they can be sources of malware. Kaspersky scan running now....

Edited by jcommerce, 02 August 2009 - 12:40 AM.


#13 CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 02 August 2009 - 07:48 AM

By the way, I'm going to uninstall Vuze and Limewire from my computer. I rarely use either but I know they can be sources of malware.



Beat me to it - :thumbup:

Here's some interesting reading for you:

Perils of P2P File Sharing.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#14 jcommerce

    New Member

  • Authentic Member
  • Pip
  • 14 posts

Posted 02 August 2009 - 10:36 AM

Malwarebytes' Anti-Malware 1.39
Database version: 2544
Windows 5.1.2600 Service Pack 3

8/1/2009 11:44:01 PM
mbam-log-2009-08-01 (23-44-01).txt

Scan type: Quick Scan
Objects scanned: 87533
Time elapsed: 3 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, August 2, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, August 02, 2009 08:08:25
Records in database: 2572489
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
F:\

Scan statistics:
Files scanned: 110396
Threat name: 2
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 02:21:08

File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ESQULedcvyalihvkvsafethptlsohvjnapaoe.sys.vir Infected: Trojan.Win32.Tdss.alqh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ESQULrdqigndibuiqcgyedfdsciwbtwayitul.dll.vir Infected: Trojan.Win32.TDSS.alpo 1
C:\System Volume Information\_restore{5B52E1FB-B819-4B39-9127-C1CFDD24553E}\RP1113\A0195972.sys Infected: Trojan.Win32.Tdss.alqh 1
C:\System Volume Information\_restore{5B52E1FB-B819-4B39-9127-C1CFDD24553E}\RP1113\A0195973.dll Infected: Trojan.Win32.TDSS.alpo 1

The selected area was scanned.

#15 CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 02 August 2009 - 10:41 AM

The items found by Kaspersky are in quarantine or old system restore points which we will clean up shortly. Please post a fresh DDS log and advise how your computer is running now and if there are any outstanding issues.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
