Computer Hope
Software => Computer viruses and spyware => Virus and spyware removal => Topic started by: paulwilko10 on March 21, 2011, 03:23:50 AM
-
Hiya
Thought I had the Conficker virus, but not so sure now!
Symptoms are:
Multiple Firefox sessions
Excel and Word files trying to be opened
Cannot access Microsoft or any antivirus websites
Attached are my Malwarebytes and HijackThis logs; I hope you can help me get this sorted.
Many thanks
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6110
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
20/03/2011 21:50:23
mbam-log-2011-03-20 (21-50-23).txt
Scan type: Full scan (C:\|)
Objects scanned: 397099
Time elapsed: 3 hour(s), 8 minute(s), 56 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\documents and settings\paul and jane\Desktop\userinit.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:55:53, on 20/03/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\astsrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\NDAS\System\ndassvc.exe
E:\Nero 8\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
e:\ProShowProducer\ScsiAccess.exe
e:\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
E:\TVersity Media Server\Media Server\MediaServer.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\DynDNS Updater\DynUpSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Active Sync\wcescomm.exe
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\Program Files\wadwupun\fgujfsee.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UnlockerAssistant] "E:\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [IObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "E:\Active Sync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2052111302-1614895754-839522115-1005\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-2052111302-1614895754-839522115-1005\..\RunOnce: [NeroHomeFirstStart] "C:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe" (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - E:\ACTIVE~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\ACTIVE~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\ACTIVE~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Microgaming\Poker\ladbrokesMPP\MPPoker.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} (PhotoboxPhotowaysUploader5 Control) - http://assets.photobox.com/assets/aurigma/ImageUploader5.cab?20100902142450
O16 - DPF: {195538FD-1C39-44B1-A7C3-5D7137A8A8F1} (OPSWAT AntiViruses Class) - https://access.easyjetairline.com/vdesk/terminal/f5opswati.cab#Version=7000,2010,517,1206
O16 - DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} (F5 Networks CacheCleaner) - https://access.easyjetairline.com/vdesk/cachecleaner.cab#version=6031,2010,0617,2001
O16 - DPF: {30CF9713-6614-4556-B5F5-66F8C7F9DEF1} (OPSWAT FireWalls Class) - https://access.easyjetairline.com/vdesk/terminal/f5opswati.cab#Version=7000,2010,517,1206
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://access.easyjetairline.com/vdesk/terminal/InstallerControl.cab#version=6031,2010,0617,2017
O16 - DPF: {49EC7987-E331-44E3-B170-748B58A268B9} (OPSWAT ProcessesScanner Class) - https://access.easyjetairline.com/vdesk/terminal/f5opswati.cab#Version=7000,2010,517,1206
O16 - DPF: {4A026B12-94F3-4D2F-A468-96AA55DE20A5} (NetCamPlayerWeb11g Control) - http://192.168.1.104/img/NetCamPlayerWeb11g.ocx
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://access.easyjetairline.com/vdesk/terminal/f5InspectionHost.cab#version=6031,2009,1204,1603
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6886.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1292425996265
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1292425990234
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games – Hearts) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab67031.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {EBDC91CB-F23F-477D-B152-3F7243760D04} (F5 Networks OPSWAT Helper Control) - https://access.easyjetairline.com/vdesk/terminal/f5opswati.cab#Version=7000,2010,517,1206
O16 - DPF: {FD0EBBED-0C42-4D0F-82DA-44399B5C420A} (VM_1.VM_Control) - http://downloads.virginmedia.com/CST/ver1/xp_mail.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{31C9E71F-BD77-4217-A073-2B0D7E5EFF10}: NameServer = 208.67.222.222 208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{C380CE11-9A83-4782-86FB-28CE0B0787E6}: NameServer = 194.168.4.100,194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{31C9E71F-BD77-4217-A073-2B0D7E5EFF10}: NameServer = 208.67.222.222 208.67.220.220
O20 - Winlogon Notify: !SASWinLogon - E:\Super AntiSpyware\SASWINLO.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Acronis Nonstop Backup service (afcdpsrv) - Acronis - C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\SYSTEM32\astsrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: DynDNS Updater - Dynamic Network Services, Inc. - C:\Program Files\DynDNS Updater\DynUpSvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9aded739d4b74) (gupdate1c9aded739d4b74) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Program Files\NDAS\System\ndassvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - E:\Nero 8\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - Unknown owner - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: ScsiAccess - Unknown owner - e:\ProShowProducer\ScsiAccess.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - e:\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TVersityMediaServer - Unknown owner - E:\TVersity Media Server\Media Server\MediaServer.exe
O23 - Service: wampapache - Apache Software Foundation - e:\wampserver\bin\apache\apache2.2.8\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - e:\wampserver\bin\mysql\mysql5.0.51b\bin\mysqld-nt.exe
--
End of file - 16876 bytes
I have tried many different programs:
SuperAntiSpyware (this has not got the latest definitions, as the PC won't allow it)
Malwarebytes
McAfee VirusScan 8.5
IObit Security
All of the above find things but never sort my issue out.
Thanks for your help
Paul
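The line in the HijackThis log above that a defender would look at first is the F2 entry: the Winlogon UserInit value carries a second program after the stock userinit.exe, and Winlogon launches every comma-separated program in that value at each logon, so such an entry comes back after any cleanup that only stops running processes. The following script is an added example for this thread, not HijackThis, Malwarebytes or Computer Hope code: it parses F2, O4 and O17 lines in the layout shown in the posted log (the regexes are my own), compares the UserInit value with the stock Windows XP default, flags any extra programs, lists O4 Run entries that point into the same directory, and collects the O17 name servers so they can be checked against the resolver the machine is expected to use. The sample lines are copied from the log above.

```python
"""Triage a HijackThis-style log for Winlogon UserInit tampering.

Added example for this thread; it is not HijackThis code and not part of
the original posts. The regexes assume the line layout shown in the log
above, and DEFAULT_USERINIT is the stock Windows XP value.
"""
import re
from dataclasses import dataclass, field

# Stock Windows XP UserInit value (compared case-insensitively). Winlogon
# launches every comma-separated program in this value at each logon, so any
# extra entry survives reboots and cleanups that only kill running processes.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

F2_USERINIT = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")
O4_RUN = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_DNS = re.compile(r"^O17 - .*NameServer = (?P<servers>.*)$")

# Constructed sample: five lines copied from the log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\Program Files\wadwupun\fgujfsee.exe,
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{31C9E71F-BD77-4217-A073-2B0D7E5EFF10}: NameServer = 208.67.222.222 208.67.220.220
"""


@dataclass
class Triage:
    userinit_entries: list = field(default_factory=list)     # every program in UserInit
    extra_userinit: list = field(default_factory=list)       # entries that are not the default
    run_entries: list = field(default_factory=list)          # (hive, name, command) from O4 lines
    related_run_entries: list = field(default_factory=list)  # O4 entries in a suspect directory
    name_servers: list = field(default_factory=list)         # DNS servers from O17 lines


def _norm(path):
    """Lower-case a path and drop surrounding quotes for comparison."""
    return path.strip().strip('"').lower()


def triage_hijackthis(log_text):
    """Parse the F2, O4 and O17 lines and return a Triage summary."""
    t = Triage()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = F2_USERINIT.match(line)
        if m:
            entries = [e.strip() for e in m.group("value").split(",") if e.strip()]
            t.userinit_entries.extend(entries)
            t.extra_userinit.extend(e for e in entries if _norm(e) != DEFAULT_USERINIT)
            continue
        m = O4_RUN.match(line)
        if m:
            t.run_entries.append((m.group("hive"), m.group("name"), m.group("cmd")))
            continue
        m = O17_DNS.match(line)
        if m:
            t.name_servers.extend(s for s in re.split(r"[ ,]+", m.group("servers").strip()) if s)
    # A Run entry pointing into the same directory as an extra UserInit program
    # is very likely part of the same persistence set and worth reviewing together.
    suspect_dirs = {_norm(e).rsplit("\\", 1)[0] for e in t.extra_userinit if "\\" in e}
    t.related_run_entries = [
        (hive, name, cmd) for hive, name, cmd in t.run_entries
        if any(d in _norm(cmd) for d in suspect_dirs)
    ]
    return t


def report(t):
    """Render the triage as analyst-readable lines."""
    lines = []
    if t.extra_userinit:
        lines.append("UserInit hijack: extra program(s) launched at every logon:")
        lines.extend("  " + e for e in t.extra_userinit)
    else:
        lines.append("UserInit value is the stock default.")
    for hive, name, cmd in t.related_run_entries:
        lines.append(f"Related Run entry [{name}] under {hive}: {cmd}")
    if t.name_servers:
        lines.append("DNS servers to verify against the expected ISP/resolver: "
                     + ", ".join(dict.fromkeys(t.name_servers)))
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage_hijackthis(SAMPLE_LOG))))
```

Run against the sample, the report names `C:\Program Files\wadwupun\fgujfsee.exe` as the extra UserInit program and lists the two O17 resolvers for verification; no O4 Run entry in the posted log points into the wadwupun directory, so the related-entries list stays empty. Comparing the UserInit value with the default rather than matching a known-bad name is what makes the check useful on a log for a different machine.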
-
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.
1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.
If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
**************************************************
Do you know what this is? C:\Program Files\wadwupun. If not, please uninstall it.
* Go to Start > Run, type mrt.exe, then press Enter on the keyboard.
* (Vista and Windows 7 users: go to Start, type mrt.exe in the search box, then press Enter on the keyboard.)
* Click Next.
* Choose Full Scan and click Next.
* Once the scan is finished click View detailed results of the scan.
Look through the list and let me know if anything was found infected.
********************************************************
Please download ComboFix (http://img7.imageshack.us/img7/4930/combofix.gif) from BleepingComputer.com (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Alternate link: GeeksToGo.com (http://subs.geekstogo.com/ComboFix.exe)
and save it to your Desktop.
If you are using Firefox, make sure that your download settings are as follows:
* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here (http://www.bleepingcomputer.com/forums/topic114351.html)
Double click ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
(http://img.photobucket.com/albums/v666/sUBs/Query_RC.gif)
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(http://img.photobucket.com/albums/v666/sUBs/RC_successful.gif)
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.
If you have problems with ComboFix usage, see How to use ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
-
Hiya Dave, many thanks for taking the time to help me out.
A little more info for you.
Before I asked for your help, I tried a little self-help.
I used the online tool on here and ran HijackThis, and it asked me to delete the wadwupun folder, but when I try, it won't let me, saying the folder is not empty. However, when I open the folder there is nothing there. I have tried the different viewing options, i.e. hidden files etc., but no luck.
I do suspect this folder/file is at the bottom of my issues. It will let me move and rename it, but on reboot it reappears.
OK, on to what you have asked me to do.
MRT returned no issues.
ComboFix solves my immediate issues, but on reboot they start again.
This is the log:
ComboFix 11-03-21.02 - Paul and Jane 22/03/2011 8:01.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1460 [GMT 0:00]
Running from: c:\documents and settings\Paul and Jane\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
.
((((((((((((((((((((((((( Files Created from 2011-02-22 to 2011-03-22 )))))))))))))))))))))))))))))))
.
.
2011-03-21 17:22 . 2011-03-21 21:42 -------- d-----w- C:\QUARANTINE
2011-03-21 17:12 . 2011-03-21 17:12 -------- d-----w- c:\program files\ophcrack
2011-03-21 17:02 . 2011-03-21 22:56 -------- d-----w- c:\program files\wadwupun
2011-03-20 12:16 . 2011-03-20 12:16 -------- d-----w- c:\documents and settings\Paul and Jane\Application Data\IObit
2011-03-20 12:16 . 2011-03-20 12:16 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2011-03-20 12:16 . 2011-03-20 12:16 -------- d-----w- c:\program files\IObit
2011-03-20 11:32 . 2011-03-20 11:32 -------- d-----w- c:\program files\Bing Bar Installer
2011-03-20 11:32 . 2011-03-20 11:39 -------- d-----w- c:\program files\Unlocker
2011-03-20 09:29 . 2011-03-20 09:29 -------- d-----w- c:\program files\Trend Micro
2011-03-19 10:49 . 2011-03-19 10:49 -------- d-----w- c:\documents and settings\Paul and Jane\Application Data\SUPERAntiSpyware.com
2011-03-19 10:49 . 2011-03-19 10:49 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-03-18 14:18 . 2011-03-18 15:49 53248 ----a-w- c:\windows\system32\drivers\rk_remover.sys
2011-03-18 10:06 . 2011-03-18 10:08 -------- d-----w- c:\program files\Windows Live Safety Center
2011-03-17 21:54 . 2011-03-21 21:42 233977 ----a-r- c:\documents and settings\Paul and Jane\Application Data\Microsoft\Installer\{2c557f98-ef74-4a1e-a856-9df2f633b41f}\gui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2011-03-17 21:54 . 2011-03-21 21:42 233894 ----a-r- c:\documents and settings\Paul and Jane\Application Data\Microsoft\Installer\{2c557f98-ef74-4a1e-a856-9df2f633b41f}\ARPPRODUCTICON.exe
2011-03-17 21:54 . 2011-03-21 21:42 233854 ----a-r- c:\documents and settings\Paul and Jane\Application Data\Microsoft\Installer\{2c557f98-ef74-4a1e-a856-9df2f633b41f}\gui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2011-03-17 21:54 . 2011-03-17 21:54 -------- d-----w- c:\program files\Sophos
2011-03-17 19:54 . 2011-03-17 19:54 -------- d-----w- c:\documents and settings\Pauls Iphone\Application Data\Malwarebytes
2011-03-17 19:50 . 2011-03-17 19:50 -------- d-----w- c:\documents and settings\Pauls Iphone\Local Settings\Application Data\Adobe
2011-03-17 19:02 . 2011-03-17 19:02 -------- d-----w- c:\documents and settings\Pauls Iphone\Local Settings\Application Data\TomTom
2011-03-17 19:02 . 2011-03-17 19:02 -------- d-----w- c:\documents and settings\Pauls Iphone\Application Data\TomTom
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-21 21:42 . 2007-12-13 18:48 209384 ----a-r- c:\documents and settings\Paul and Jane\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\WinDlg.exe_0AB76F69E7614CFAB9B0A1906B4E9E4B_3.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-03-21_18.08.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-22 07:52 . 2011-03-22 07:52 16384 c:\windows\Temp\Perflib_Perfdata_c00.dat
+ 2011-03-22 07:52 . 2011-03-22 07:52 16384 c:\windows\Temp\Perflib_Perfdata_9a4.dat
- 2004-08-04 10:00 . 2011-03-21 17:57 80884 c:\windows\system32\perfc009.dat
+ 2004-08-04 10:00 . 2011-03-22 07:56 80884 c:\windows\system32\perfc009.dat
- 2010-12-15 15:40 . 2010-12-15 15:40 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
+ 2010-12-15 15:40 . 2011-03-21 18:36 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
+ 2005-03-21 11:00 . 2005-03-21 11:00 4096 c:\windows\system32\sabprocenum.sys
- 2004-08-04 10:00 . 2011-03-21 17:57 467240 c:\windows\system32\perfh009.dat
+ 2004-08-04 10:00 . 2011-03-22 07:56 467240 c:\windows\system32\perfh009.dat
+ 2009-05-14 15:41 . 2009-05-14 15:41 380144 c:\windows\Downloaded Program Files\sabspx.dll
+ 2007-08-12 13:22 . 2011-03-02 19:56 37943240 c:\windows\system32\MRT.exe
+ 2011-03-21 18:36 . 2011-03-21 18:36 20304384 c:\windows\Installer\13319e.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="e:\super anti spyware\SUPERAntiSpyware.exe" [2011-03-16 2423752]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "e:\super anti spyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- e:\super anti spyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-09-29 18:09 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
backup=c:\windows\pss\Adobe Acrobat Synchronizer.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DynDNS Updater Tray Icon.lnk]
backup=c:\windows\pss\DynDNS Updater Tray Icon.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Giganews Accelerator.lnk]
backup=c:\windows\pss\Giganews Accelerator.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NDAS Device Management.lnk]
backup=c:\windows\pss\NDAS Device Management.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TabUserW.lnk]
backup=c:\windows\pss\TabUserW.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Paul and Jane^Start Menu^Programs^Startup^fgujfsee.exe]
path=c:\documents and settings\Paul and Jane\Start Menu\Programs\Startup\fgujfsee.exe
backup=c:\windows\pss\fgujfsee.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Paul and Jane^Start Menu^Programs^Startup^VQ4.0.lnk]
backup=c:\windows\pss\VQ4.0.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2009-09-12 15:31 357384 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-05-11 02:06 40048 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 06:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-10-23 14:18 202024 ----a-w- c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
2003-01-27 16:16 376912 ----a-w- c:\program files\BroadJump\Client Foundation\CFD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2006-08-17 10:32 17920 ----a-w- c:\windows\CTHELPER.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
2006-03-02 11:00 18944 ----a-w- c:\windows\system32\CTXFIHLP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2010-04-01 09:16 357696 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus DX6000 Series]
2006-02-13 04:00 131072 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIBIE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2011-03-20 14:25 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 11:44 31072 ------w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-11-13 12:39 1289000 ------w- e:\active sync\wcescomm.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2011-03-20 14:25 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2005-07-08 04:55 176128 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
2005-07-08 04:55 491520 ----a-w- c:\windows\system32\hphmon05.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IObit Security 360]
2010-06-11 18:14 1280344 ----a-w- c:\program files\IObit\IObit Security 360\is360tray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-21 14:53 141608 ----a-w- e:\i tunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2008-12-20 07:50 2656528 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2008-07-24 17:46 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
2006-12-19 10:27 136768 ----a-w- c:\program files\McAfee\Common Framework\UdaterUI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-16 22:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2007-09-20 08:51 1836328 ----a-w- e:\nero 8\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 14:57 153136 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-01-15 08:19 13680640 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-01-15 08:19 86016 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2009-01-15 08:19 1657376 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-03-20 18:06 421888 ----a-w- e:\quicktime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
2009-10-14 14:43 3217368 ----a-w- e:\registry mechanic\RegMech.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]
2007-02-22 19:50 112216 ----a-w- c:\program files\McAfee\VirusScan Enterprise\shstat.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-10-09 13:11 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-04-19 20:18 1217872 ----a-w- e:\steam\steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 11:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-03-26 08:32 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2007-08-17 20:14 185632 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2011-03-09 12:30 247728 ----a-w- e:\tomtom home 2\TomTomHOMERunner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2009-09-12 15:30 5048488 ----a-w- e:\acronis\TrueImageMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
2011-03-20 18:34 17408 ----a-w- e:\unlocker\UnlockerAssistant.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\wizdxp\\wizd.exe"=
"e:\active sync\rapimgr.exe"= e:\active sync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"e:\active sync\wcescomm.exe"= e:\active sync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"e:\active sync\WCESMgr.exe"= e:\active sync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"e:\\Studio 11\\programs\\RM.exe"=
"e:\\Studio 11\\programs\\Studio.exe"=
"e:\\Studio 11\\programs\\PMSRegisterFile.exe"=
"e:\\Studio 11\\programs\\umi.exe"=
"e:\\Steam\\steam.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"e:\\Flight Simulator X\\fsx.exe"=
"e:\\Dreamweaver\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\I Tunes\\iTunes.exe"=
"e:\\Sam Broadcaster\\SAMBC.exe"=
"c:\\Program Files\\NSVtools\\nsvscsrc.exe"=
"e:\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"8010:TCP"= 8010:TCP:shoutcast
"1172:TCP"= 1172:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R0 tdrpman251;Acronis Try&Decide and Restore Points filter (build 251);c:\windows\system32\drivers\tdrpm251.sys [23/04/2010 12:34 902432]
R1 SASDIFSV;SASDIFSV;e:\super anti spyware\sasdifsv.sys [17/02/2010 18:25 12872]
R1 SASKUTIL;SASKUTIL;e:\super anti spyware\SASKUTIL.SYS [10/05/2010 18:41 67656]
R2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [23/04/2010 12:34 2326920]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [04/08/2004 10:00 14336]
R2 DynDNS Updater;DynDNS Updater;c:\program files\DynDNS Updater\DynUpSvc.exe [16/04/2010 16:19 103800]
R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [20/03/2011 12:16 312152]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [05/10/2010 17:38 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [24/07/2008 17:46 12856]
R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [23/04/2010 12:34 159168]
R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [01/12/2009 18:11 25704]
R3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [01/12/2009 18:11 25704]
R3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [01/12/2009 18:12 25704]
R3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [01/12/2009 18:12 25704]
R3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [01/12/2009 18:12 25704]
S0 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
S2 gupdate1c9aded739d4b74;Google Update Service (gupdate1c9aded739d4b74);c:\program files\Google\Update\GoogleUpdate.exe [26/03/2009 08:32 133104]
S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe --> c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [?]
S3 imhidusb;Immersion's HID USB Driver;c:\windows\system32\drivers\imhidusb.sys [14/10/2007 12:02 30984]
S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;c:\windows\system32\PLCNDIS5.SYS [26/04/2004 17:11 17280]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [14/12/2010 21:55 27064]
S3 rk_remover-boot;rk_remover-boot;c:\windows\system32\drivers\rk_remover.sys [18/03/2011 14:18 53248]
S3 XE104Sp50;XE104Sp50 NDIS Protocol Driver;c:\windows\system32\drivers\XE104Sp50.sys [28/11/2006 20:46 27072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 12:34]
.
2011-03-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-07 08:32]
.
2011-03-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-26 08:32]
.
2011-03-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-26 08:32]
.
2011-03-20 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]
.
2011-01-02 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = http=asfd-cache-1.server.ntli.net
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: easyjetairline.com\access
TCP: {C380CE11-9A83-4782-86FB-28CE0B0787E6} = 194.168.4.100,194.168.8.100
DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} - hxxp://assets.photobox.com/assets/aurigma/ImageUploader5.cab?20100902142450
DPF: {195538FD-1C39-44B1-A7C3-5D7137A8A8F1} - hxxps://access.easyjetairline.com/vdesk/terminal/f5opswati.cab#Version=7000,2010,517,1206
DPF: {30CF9713-6614-4556-B5F5-66F8C7F9DEF1} - hxxps://access.easyjetairline.com/vdesk/terminal/f5opswati.cab#Version=7000,2010,517,1206
DPF: {49EC7987-E331-44E3-B170-748B58A268B9} - hxxps://access.easyjetairline.com/vdesk/terminal/f5opswati.cab#Version=7000,2010,517,1206
DPF: {4A026B12-94F3-4D2F-A468-96AA55DE20A5} - hxxp://192.168.1.104/img/NetCamPlayerWeb11g.ocx
DPF: {EBDC91CB-F23F-477D-B152-3F7243760D04} - hxxps://access.easyjetairline.com/vdesk/terminal/f5opswati.cab#Version=7000,2010,517,1206
DPF: {FD0EBBED-0C42-4D0F-82DA-44399B5C420A} - hxxp://downloads.virginmedia.com/CST/ver1/xp_mail.cab
FF - ProfilePath - c:\documents and settings\Paul and Jane\Application Data\Mozilla\Firefox\Profiles\qddxd76b.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=&query=
FF - prefs.js: browser.search.selectedEngine - Winamp Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=&query=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension for Firefox: {B13721C7-F507-4982-B2E5-502A71474FED} - c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: LocalLink: {15756614-ffb8-498b-b961-bce537ea94fe} - %profile%\extensions\{15756614-ffb8-498b-b961-bce537ea94fe}
FF - Ext: LogMeIn, Inc. Remote Access Plugin: [email protected] - %profile%\extensions\[email protected]
FF - Ext: SHOUTcast Radio Toolbar: {12e4c684-c03e-4e4d-85bc-0c065e7a9489} - %profile%\extensions\{12e4c684-c03e-4e4d-85bc-0c065e7a9489}
FF - Ext: CyberShadow's Bejeweled Blitz 3 Cheat: [email protected] - %profile%\extensions\[email protected]
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: XULRunner: {0F32F055-1A7C-493F-871C-B31C822A43A8} - c:\documents and settings\Paul and Jane\Local Settings\Application Data\{0F32F055-1A7C-493F-871C-B31C822A43A8}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: capability.policy.policynames - localfilelinks
FF - user.js: capability.policy.localfilelinks.sites - hxxp://s1.travian.com http://s2.travian.com http://s3.travian.com http://s4.travian.com http://s5.travian.com http://s6.travian.com http://s7.travian.com http://s8.travian.com http://s9.travian.com http://s10.travian.com http://speed.travian.com http://s1.travian.us http://s2.travian.us http://s3.travian.us http://s4.travian.us http://s5.travian.us http://s6.travian.us http://s7.travian.us http://s8.travian.us http://s9.travian.us http://s10.travian.us http://speed.travian.us http://s1.travian.co.uk http://s2.travian.co.uk http://s3.travian.co.uk http://s4.travian.co.uk http://s5.travian.co.uk http://s6.travian.co.uk http://s7.travian.co.uk http://s8.travian.co.uk http://s9.travian.co.uk http://s10.travian.co.uk http://speed.travian.co.uk
FF - user.js: capability.policy.localfilelinks.checkloaduri.enabled - allAccess
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-22 08:06
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\Paul and Jane\Start Menu\Programs\Startup\fgujfsee.exe 164199 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2052111302-1614895754-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{142CD2CF-756C-381E-759D-20FC7E2F111E}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abehjcdkbnfajfgdfiiomepmfiljnhooln"=hex:65,62,65,68,63,65,64,6d,64,65,62,62,
63,68,6a,62,6c,63,6e,62,69,65,61,6a,67,66,6c,61,6c,63,68,62,68,65,6a,6a,66,\
"bbehjcdkbnfajfgdfihohincaleghhekpfol"=hex:61,62,64,62,64,6c,69,70,6b,6c,6e,6d,
64,66,6e,6c,6a,6c,70,6d,6f,6a,68,6b,6b,6e,6f,65,66,61,70,69,66,65,00,6a
.
[HKEY_USERS\S-1-5-21-2052111302-1614895754-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8F011243-2BF9-227A-A86C-B3C19DB5E2C4}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iabdoenbheaognkbme"=hex:6a,61,66,6d,68,6f,63,70,6e,62,6b,61,6a,66,6b,65,6a,66,
69,6a,00,00
"halndhddfkcbdame"=hex:6b,61,66,6d,63,6f,6a,6f,67,65,6a,6e,68,66,6d,61,6f,65,
61,69,63,6e,00,00
"iafcfikbniidmfemlf"=hex:63,61,64,6d,6f,6f,00,7c
.
[HKEY_USERS\S-1-5-21-2052111302-1614895754-839522115-1003\Software\Sony Creative Software\M*e*d*i*a* *M*a*n*a*g*e*r* *f*o*r* *P*S*P*"!\3.0]
"Percents"=""
"Increment"=".000213"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:e3,ff,fb,3e,89,b9,34,c0,0e,9e,24,b4,a2,21,68,88,0a,3c,f1,03,f1,
04,45,20,0a,31,25,a5,ed,70,67,aa,ea,c0,1f,fb,fb,5e,f8,db,5e,ba,51,a4,9e,1c,\
.
[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:e3,ff,fb,3e,89,b9,34,c0,0e,9e,24,b4,a2,21,68,88,0a,3c,f1,03,f1,
04,45,20,0a,31,25,a5,ed,70,67,aa,ea,c0,1f,fb,fb,5e,f8,db,5e,ba,51,a4,9e,1c,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(944)
e:\super anti spyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\LMIinit.dll
.
- - - - - - - > 'explorer.exe'(4080)
c:\windows\system32\WININET.dll
c:\windows\system32\tabhook.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Nero\Lib\NeroDigitalExt.dll
c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80.DLL
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2011-03-22 08:09:23
ComboFix-quarantined-files.txt 2011-03-22 08:09
ComboFix2.txt 2011-03-21 19:01
ComboFix3.txt 2011-03-21 18:33
ComboFix4.txt 2011-03-21 18:11
.
Pre-Run: 21,401,432,064 bytes free
Post-Run: 21,487,849,472 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 39323A2ACA7B5DBD4BBF340FF5C78B74
Thanks
Paul
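The catchme section of the log above reports one hidden executable together with its byte size, and ComboFix's "Files Created" sections list every recently created file with its size. As an added example that is not part of this thread, the small Python parser below reads both formats and pairs a hidden executable with any newly created file of identical size at a different path, which is a cheap way to notice that a dropper has placed a second copy elsewhere; both sample inputs are constructed in the tools' output formats, and the function names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in catchme's "hidden files" format (modelled on the log in this thread).
CATCHME_SAMPLE = r"""
scanning hidden files ...
.
c:\documents and settings\Paul and Jane\Start Menu\Programs\Startup\fgujfsee.exe 164199 bytes executable
.
scan completed successfully
hidden files: 1
"""

# Constructed sample in ComboFix's "Files Created" format (modelled on entries in this thread).
FILES_CREATED_SAMPLE = r"""
2011-03-22 23:59 . 2011-03-22 23:59 -------- d-----w- c:\program files\wadwupun
2011-03-22 22:04 . 2011-03-22 22:04 164199 ----a-w- c:\program files\Mozilla Firefox\firefoxmgr.exe
2011-03-21 17:22 . 2011-03-22 16:43 -------- d-----w- C:\QUARANTINE
2011-03-18 14:18 . 2011-03-18 15:49 53248 ----a-w- c:\windows\system32\drivers\rk_remover.sys
"""


@dataclass(frozen=True)
class Entry:
    path: str
    size: Optional[int]  # None for directories, which ComboFix prints as "--------"
    is_dir: bool
    modified: str        # second timestamp of a "Files Created" line; "" for catchme hits


# catchme prints hidden files as "<path> <bytes> bytes <kind>"
HIDDEN_RE = re.compile(r"^(?P<path>.+?) (?P<size>\d+) bytes (?P<kind>\w+)$")

# ComboFix prints "<created> . <modified> <size|--------> <attrs> <path>"
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[d-][-a-z]{7}) (?P<path>.+)$"
)


def parse_hidden_files(text: str) -> List[Entry]:
    """Collect the files catchme reports under 'scanning hidden files'."""
    hits = []
    for line in text.splitlines():
        m = HIDDEN_RE.match(line.strip())
        if m:
            hits.append(Entry(m["path"], int(m["size"]), False, ""))
    return hits


def parse_files_created(text: str) -> List[Entry]:
    """Parse a ComboFix 'Files Created' section; directories keep size None."""
    entries = []
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if not m:
            continue  # section banners, "." separators and blank lines
        is_dir = m["attrs"].startswith("d")
        entries.append(Entry(m["path"], None if is_dir else int(m["size"]),
                             is_dir, m["modified"]))
    return entries


def find_size_twins(hidden: List[Entry], created: List[Entry]) -> List[Tuple[str, str, int]]:
    """Pair each hidden executable with newly created files of identical byte
    size at a different path. A matching size alone proves nothing, but for a
    file dropped in the last few days it is a cheap reason to submit the
    second copy to a multi-engine scan as well."""
    by_size = {h.size: h for h in hidden if h.size is not None}
    twins = []
    for c in created:
        if c.is_dir or c.size not in by_size:
            continue
        h = by_size[c.size]
        if c.path.lower() != h.path.lower():
            twins.append((h.path, c.path, c.size))
    return twins


if __name__ == "__main__":
    for hidden_path, twin_path, size in find_size_twins(
            parse_hidden_files(CATCHME_SAMPLE), parse_files_created(FILES_CREATED_SAMPLE)):
        print(f"{size} bytes: hidden {hidden_path} <-> new {twin_path}")
```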
-
Re-running ComboFix to remove infections:
- Close any open browsers.
- Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
- Open notepad and copy/paste the text in the quotebox below into it:
KillAll::
DDS::
Trusted Zone: easyjetairline.com\access
Folder::
c:\program files\wadwupun
MBR::
- Save this as CFScript.txt, in the same location as ComboFix.exe
(http://img19.imageshack.us/img19/5660/cfscriptb4.gif)
- Referring to the picture above, drag CFScript into ComboFix.exe
- When finished, it shall produce a log for you at C:\ComboFix.txt
- Please post the contents of the log in your next reply.
****************************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.
Link 1 (http://screen317.spywareinfoforum.org/SecurityCheck.exe)
Link 2 (http://screen317.changelog.fr/SecurityCheck.exe)
* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Open the Security Check folder and double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.
Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
*******************************************************
P2P - I see you have P2P software installed on your machine (uTorrent). We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.
Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
I would strongly recommend that you uninstall them; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
******************************************************
Registry cleaners are extremely powerful applications and their potential for harming your OS far outweighs any small potential for improving your computer's performance.
RegCure
There are a number of them available and some are safer than others. Keep in mind that no two registry cleaners work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad" entry. One cleaner may find entries on your system that will not cause a problem when removed, another may not find the same entries, and still another may want to remove entries required for a program to work. Without research into what the registry entry selected for deletion is, a registry cleaner can end up being an automated method to cause problems with the registry.
For routine use by those not familiar with the registry, the benefits to your computer are negligible while the potential risks are great.
Further reading: XP Fixes Myth #1: Registry Cleaners (http://www.windowsbbs.com/showthread.php?t=61015)
******************************************************
Please go to Jotti's malware scan (http://virusscan.jotti.org/)
(If more than one file needs to be scanned, they must be done separately and links posted for each one.)
* Copy the file path in the below Code box:
c:\documents and settings\Paul and Jane\Start Menu\Programs\Startup\fgujfsee.exe
* At the upload site, click once inside the window next to Browse.
* Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
* Next click Submit file
* Your file will possibly be entered into a queue which normally takes less than a minute to clear.
* This will perform a scan across multiple different virus scanning engines.
* Important: Wait for all of the scanning engines to complete.
* Once the scan is finished, copy and then paste the link in the address bar into your next reply.
-
Thanks Dave
A slight issue with what you asked me to do
Starting ComboFix with the txt file makes ComboFix restart the PC after trying to delete wadwupun, but unfortunately it reappears and the virus is still there on reboot, which stops me downloading the other file you asked me to do.
Anyway, I have done another ComboFix without the text file, and this is the log:
ComboFix 11-03-22.08 - Paul and Jane 23/03/2011 8:50.9.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1504 [GMT 0:00]
Running from: c:\documents and settings\Paul and Jane\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
.
((((((((((((((((((((((((( Files Created from 2011-02-23 to 2011-03-23 )))))))))))))))))))))))))))))))
.
.
2011-03-22 23:59 . 2011-03-22 23:59 -------- d-----w- c:\program files\wadwupun
2011-03-22 22:04 . 2011-03-22 22:04 164199 ----a-w- c:\program files\Mozilla Firefox\firefoxmgr.exe
2011-03-21 17:22 . 2011-03-22 16:43 -------- d-----w- C:\QUARANTINE
2011-03-21 17:12 . 2011-03-21 17:12 -------- d-----w- c:\program files\ophcrack
2011-03-20 12:16 . 2011-03-20 12:16 -------- d-----w- c:\documents and settings\Paul and Jane\Application Data\IObit
2011-03-20 12:16 . 2011-03-20 12:16 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2011-03-20 12:16 . 2011-03-20 12:16 -------- d-----w- c:\program files\IObit
2011-03-20 11:32 . 2011-03-20 11:39 -------- d-----w- c:\program files\Unlocker
2011-03-20 09:29 . 2011-03-20 09:29 -------- d-----w- c:\program files\Trend Micro
2011-03-19 10:49 . 2011-03-19 10:49 -------- d-----w- c:\documents and settings\Paul and Jane\Application Data\SUPERAntiSpyware.com
2011-03-19 10:49 . 2011-03-19 10:49 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-03-18 14:18 . 2011-03-18 15:49 53248 ----a-w- c:\windows\system32\drivers\rk_remover.sys
2011-03-18 10:06 . 2011-03-18 10:08 -------- d-----w- c:\program files\Windows Live Safety Center
2011-03-17 21:54 . 2011-03-21 21:42 233977 ----a-r- c:\documents and settings\Paul and Jane\Application Data\Microsoft\Installer\{2c557f98-ef74-4a1e-a856-9df2f633b41f}\gui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2011-03-17 21:54 . 2011-03-21 21:42 233894 ----a-r- c:\documents and settings\Paul and Jane\Application Data\Microsoft\Installer\{2c557f98-ef74-4a1e-a856-9df2f633b41f}\ARPPRODUCTICON.exe
2011-03-17 21:54 . 2011-03-21 21:42 233854 ----a-r- c:\documents and settings\Paul and Jane\Application Data\Microsoft\Installer\{2c557f98-ef74-4a1e-a856-9df2f633b41f}\gui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2011-03-17 21:54 . 2011-03-17 21:54 -------- d-----w- c:\program files\Sophos
2011-03-17 19:54 . 2011-03-17 19:54 -------- d-----w- c:\documents and settings\Pauls Iphone\Application Data\Malwarebytes
2011-03-17 19:50 . 2011-03-17 19:50 -------- d-----w- c:\documents and settings\Pauls Iphone\Local Settings\Application Data\Adobe
2011-03-17 19:02 . 2011-03-17 19:02 -------- d-----w- c:\documents and settings\Pauls Iphone\Local Settings\Application Data\TomTom
2011-03-17 19:02 . 2011-03-17 19:02 -------- d-----w- c:\documents and settings\Pauls Iphone\Application Data\TomTom
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-21 21:42 . 2007-12-13 18:48 209384 ----a-r- c:\documents and settings\Paul and Jane\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\WinDlg.exe_0AB76F69E7614CFAB9B0A1906B4E9E4B_3.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-03-21_18.08.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-23 08:39 . 2011-03-23 08:39 16384 c:\windows\Temp\Perflib_Perfdata_aec.dat
+ 2011-03-23 08:39 . 2011-03-23 08:39 16384 c:\windows\Temp\Perflib_Perfdata_234.dat
- 2004-08-04 10:00 . 2011-03-21 17:57 80884 c:\windows\system32\perfc009.dat
+ 2004-08-04 10:00 . 2011-03-23 08:44 80884 c:\windows\system32\perfc009.dat
- 2010-12-15 15:40 . 2010-12-15 15:40 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
+ 2010-12-15 15:40 . 2011-03-21 18:36 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
+ 2005-03-21 11:00 . 2005-03-21 11:00 4096 c:\windows\system32\sabprocenum.sys
- 2004-08-04 10:00 . 2011-03-21 17:57 467240 c:\windows\system32\perfh009.dat
+ 2004-08-04 10:00 . 2011-03-23 08:44 467240 c:\windows\system32\perfh009.dat
+ 2009-05-14 15:41 . 2009-05-14 15:41 380144 c:\windows\Downloaded Program Files\sabspx.dll
+ 2007-08-12 13:22 . 2011-03-02 19:56 37943240 c:\windows\system32\MRT.exe
+ 2011-03-21 18:36 . 2011-03-21 18:36 20304384 c:\windows\Installer\13319e.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="e:\super anti spyware\SUPERAntiSpyware.exe" [2011-03-16 2423752]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "e:\super anti spyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- e:\super anti spyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-09-29 18:09 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
backup=c:\windows\pss\Adobe Acrobat Synchronizer.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DynDNS Updater Tray Icon.lnk]
backup=c:\windows\pss\DynDNS Updater Tray Icon.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Giganews Accelerator.lnk]
backup=c:\windows\pss\Giganews Accelerator.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NDAS Device Management.lnk]
backup=c:\windows\pss\NDAS Device Management.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TabUserW.lnk]
backup=c:\windows\pss\TabUserW.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Paul and Jane^Start Menu^Programs^Startup^VQ4.0.lnk]
backup=c:\windows\pss\VQ4.0.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2009-09-12 15:31 357384 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-05-11 02:06 40048 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 06:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-10-23 14:18 202024 ----a-w- c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
2003-01-27 16:16 376912 ----a-w- c:\program files\BroadJump\Client Foundation\CFD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2006-08-17 10:32 17920 ----a-w- c:\windows\CTHELPER.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
2006-03-02 11:00 18944 ----a-w- c:\windows\system32\CTXFIHLP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2010-04-01 09:16 357696 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus DX6000 Series]
2006-02-13 04:00 131072 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIBIE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2011-03-20 14:25 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 11:44 31072 ------w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-11-13 12:39 1289000 ------w- e:\active sync\wcescomm.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2011-03-20 14:25 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2005-07-08 04:55 176128 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
2005-07-08 04:55 491520 ----a-w- c:\windows\system32\hphmon05.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IObit Security 360]
2010-06-11 18:14 1280344 ----a-w- c:\program files\IObit\IObit Security 360\is360tray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-21 14:53 141608 ----a-w- e:\i tunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2008-12-20 07:50 2656528 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2008-07-24 17:46 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
2006-12-19 10:27 136768 ----a-w- c:\program files\McAfee\Common Framework\UdaterUI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2007-09-20 08:51 1836328 ----a-w- e:\nero 8\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 14:57 153136 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-01-15 08:19 13680640 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-01-15 08:19 86016 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2009-01-15 08:19 1657376 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-03-20 18:06 421888 ----a-w- e:\quicktime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
2009-10-14 14:43 3217368 ----a-w- e:\registry mechanic\RegMech.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]
2007-02-22 19:50 112216 ----a-w- c:\program files\McAfee\VirusScan Enterprise\shstat.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-10-09 13:11 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-04-19 20:18 1217872 ----a-w- e:\steam\steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 11:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-03-26 08:32 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2007-08-17 20:14 185632 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2011-03-09 12:30 247728 ----a-w- e:\tomtom home 2\TomTomHOMERunner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2009-09-12 15:30 5048488 ----a-w- e:\acronis\TrueImageMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
2011-03-20 18:34 17408 ----a-w- e:\unlocker\UnlockerAssistant.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\wizdxp\\wizd.exe"=
"e:\active sync\rapimgr.exe"= e:\active sync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"e:\active sync\wcescomm.exe"= e:\active sync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"e:\active sync\WCESMgr.exe"= e:\active sync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"e:\\Studio 11\\programs\\RM.exe"=
"e:\\Studio 11\\programs\\Studio.exe"=
"e:\\Studio 11\\programs\\PMSRegisterFile.exe"=
"e:\\Studio 11\\programs\\umi.exe"=
"e:\\Steam\\steam.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"e:\\Flight Simulator X\\fsx.exe"=
"e:\\Dreamweaver\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\I Tunes\\iTunes.exe"=
"e:\\Sam Broadcaster\\SAMBC.exe"=
"c:\\Program Files\\NSVtools\\nsvscsrc.exe"=
"e:\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"8010:TCP"= 8010:TCP:shoutcast
"1132:TCP"= 1132:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R0 tdrpman251;Acronis Try&Decide and Restore Points filter (build 251);c:\windows\system32\drivers\tdrpm251.sys [23/04/2010 12:34 902432]
R1 SASDIFSV;SASDIFSV;e:\super anti spyware\sasdifsv.sys [17/02/2010 18:25 12872]
R1 SASKUTIL;SASKUTIL;e:\super anti spyware\SASKUTIL.SYS [10/05/2010 18:41 67656]
R2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [23/04/2010 12:34 2326920]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [04/08/2004 10:00 14336]
R2 DynDNS Updater;DynDNS Updater;c:\program files\DynDNS Updater\DynUpSvc.exe [16/04/2010 16:19 103800]
R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [20/03/2011 12:16 312152]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [05/10/2010 17:38 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [24/07/2008 17:46 12856]
R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [23/04/2010 12:34 159168]
R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [01/12/2009 18:11 25704]
R3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [01/12/2009 18:11 25704]
R3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [01/12/2009 18:12 25704]
R3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [01/12/2009 18:12 25704]
R3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [01/12/2009 18:12 25704]
S0 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
S2 gupdate1c9aded739d4b74;Google Update Service (gupdate1c9aded739d4b74);c:\program files\Google\Update\GoogleUpdate.exe [26/03/2009 08:32 133104]
S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe --> c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [?]
S3 imhidusb;Immersion's HID USB Driver;c:\windows\system32\drivers\imhidusb.sys [14/10/2007 12:02 30984]
S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;c:\windows\system32\PLCNDIS5.SYS [26/04/2004 17:11 17280]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [14/12/2010 21:55 27064]
S3 rk_remover-boot;rk_remover-boot;c:\windows\system32\drivers\rk_remover.sys [18/03/2011 14:18 53248]
S3 XE104Sp50;XE104Sp50 NDIS Protocol Driver;c:\windows\system32\drivers\XE104Sp50.sys [28/11/2006 20:46 27072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 12:34]
.
2011-03-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-07 08:32]
.
2011-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-26 08:32]
.
2011-03-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-26 08:32]
.
2011-03-22 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]
.
2011-01-02 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = http=asfd-cache-1.server.ntli.net
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {C380CE11-9A83-4782-86FB-28CE0B0787E6} = 194.168.4.100,194.168.8.100
DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} - hxxp://assets.photobox.com/assets/aurigma/ImageUploader5.cab?20100902142450
DPF: {195538FD-1C39-44B1-A7C3-5D7137A8A8F1} - hxxps://access.easyjetairline.com/vdesk/terminal/f5opswati.cab#Version=7000,2010,517,1206
DPF: {30CF9713-6614-4556-B5F5-66F8C7F9DEF1} - hxxps://access.easyjetairline.com/vdesk/terminal/f5opswati.cab#Version=7000,2010,517,1206
DPF: {49EC7987-E331-44E3-B170-748B58A268B9} - hxxps://access.easyjetairline.com/vdesk/terminal/f5opswati.cab#Version=7000,2010,517,1206
DPF: {4A026B12-94F3-4D2F-A468-96AA55DE20A5} - hxxp://192.168.1.104/img/NetCamPlayerWeb11g.ocx
DPF: {EBDC91CB-F23F-477D-B152-3F7243760D04} - hxxps://access.easyjetairline.com/vdesk/terminal/f5opswati.cab#Version=7000,2010,517,1206
DPF: {FD0EBBED-0C42-4D0F-82DA-44399B5C420A} - hxxp://downloads.virginmedia.com/CST/ver1/xp_mail.cab
FF - ProfilePath - c:\documents and settings\Paul and Jane\Application Data\Mozilla\Firefox\Profiles\qddxd76b.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=&query=
FF - prefs.js: browser.search.selectedEngine - Winamp Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=&query=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: LocalLink: {15756614-ffb8-498b-b961-bce537ea94fe} - %profile%\extensions\{15756614-ffb8-498b-b961-bce537ea94fe}
FF - Ext: LogMeIn, Inc. Remote Access Plugin: [email protected] - %profile%\extensions\[email protected]
FF - Ext: SHOUTcast Radio Toolbar: {12e4c684-c03e-4e4d-85bc-0c065e7a9489} - %profile%\extensions\{12e4c684-c03e-4e4d-85bc-0c065e7a9489}
FF - Ext: CyberShadow's Bejeweled Blitz 3 Cheat: [email protected] - %profile%\extensions\[email protected]
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: XULRunner: {0F32F055-1A7C-493F-871C-B31C822A43A8} - c:\documents and settings\Paul and Jane\Local Settings\Application Data\{0F32F055-1A7C-493F-871C-B31C822A43A8}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: capability.policy.policynames - localfilelinks
FF - user.js: capability.policy.localfilelinks.sites - hxxp://s1.travian.com http://s2.travian.com http://s3.travian.com http://s4.travian.com http://s5.travian.com http://s6.travian.com http://s7.travian.com http://s8.travian.com http://s9.travian.com http://s10.travian.com http://speed.travian.com http://s1.travian.us http://s2.travian.us http://s3.travian.us http://s4.travian.us http://s5.travian.us http://s6.travian.us http://s7.travian.us http://s8.travian.us http://s9.travian.us http://s10.travian.us http://speed.travian.us http://s1.travian.co.uk http://s2.travian.co.uk http://s3.travian.co.uk http://s4.travian.co.uk http://s5.travian.co.uk http://s6.travian.co.uk http://s7.travian.co.uk http://s8.travian.co.uk http://s9.travian.co.uk http://s10.travian.co.uk http://speed.travian.co.uk
FF - user.js: capability.policy.localfilelinks.checkloaduri.enabled - allAccess
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-23 08:55
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\Paul and Jane\Start Menu\Programs\Startup\fgujfsee.exe 164199 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2052111302-1614895754-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{142CD2CF-756C-381E-759D-20FC7E2F111E}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abehjcdkbnfajfgdfiiomepmfiljnhooln"=hex:65,62,65,68,63,65,64,6d,64,65,62,62,
63,68,6a,62,6c,63,6e,62,69,65,61,6a,67,66,6c,61,6c,63,68,62,68,65,6a,6a,66,\
"bbehjcdkbnfajfgdfihohincaleghhekpfol"=hex:61,62,64,62,64,6c,69,70,6b,6c,6e,6d,
64,66,6e,6c,6a,6c,70,6d,6f,6a,68,6b,6b,6e,6f,65,66,61,70,69,66,65,00,6a
.
[HKEY_USERS\S-1-5-21-2052111302-1614895754-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8F011243-2BF9-227A-A86C-B3C19DB5E2C4}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iabdoenbheaognkbme"=hex:6a,61,66,6d,68,6f,63,70,6e,62,6b,61,6a,66,6b,65,6a,66,
69,6a,00,00
"halndhddfkcbdame"=hex:6b,61,66,6d,63,6f,6a,6f,67,65,6a,6e,68,66,6d,61,6f,65,
61,69,63,6e,00,00
"iafcfikbniidmfemlf"=hex:63,61,64,6d,6f,6f,00,7c
.
[HKEY_USERS\S-1-5-21-2052111302-1614895754-839522115-1003\Software\Sony Creative Software\M*e*d*i*a* *M*a*n*a*g*e*r* *f*o*r* *P*S*P*"!\3.0]
"Percents"=""
"Increment"=".000213"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:e3,ff,fb,3e,89,b9,34,c0,0e,9e,24,b4,a2,21,68,88,0a,3c,f1,03,f1,
04,45,20,0a,31,25,a5,ed,70,67,aa,ea,c0,1f,fb,fb,5e,f8,db,5e,ba,51,a4,9e,1c,\
.
[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:e3,ff,fb,3e,89,b9,34,c0,0e,9e,24,b4,a2,21,68,88,0a,3c,f1,03,f1,
04,45,20,0a,31,25,a5,ed,70,67,aa,ea,c0,1f,fb,fb,5e,f8,db,5e,ba,51,a4,9e,1c,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(944)
e:\super anti spyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\LMIinit.dll
.
- - - - - - - > 'explorer.exe'(3964)
c:\windows\system32\WININET.dll
c:\windows\system32\tabhook.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-03-23 08:58:09
ComboFix-quarantined-files.txt 2011-03-23 08:57
ComboFix2.txt 2011-03-22 17:32
ComboFix3.txt 2011-03-22 16:53
ComboFix4.txt 2011-03-22 08:09
ComboFix5.txt 2011-03-22 23:49
.
Pre-Run: 20,397,699,072 bytes free
Post-Run: 20,453,257,216 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 55C57EDF884FECD232DDBB4616B7E5D8
Here is the Security Check Log
Results of screen317's Security Check version 0.99.9
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
McAfee VirusScan Enterprise
Antivirus up to date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:
Out of date Spybot installed!
Ad-Aware
Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java(TM) 6 Update 22
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Out of date Java installed!
Adobe Flash Player 10.1.102.64
Adobe Reader 8.1.0
Korean Fonts Support For Adobe Reader 8
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent
Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe is disabled!
``````````End of Log````````````
Here is the link to the Scanner you asked for
http://virusscan.jotti.org/en-gb/scanresult/47248e5d687c5cb9b518b41d62b4b9bfd5c5a107
Hope you can help
Paul
-
Update Your Java (JRE)
Old versions of Java have vulnerabilities that malware can use to infect your system.
First verify your Java version (http://www.java.com/en/download/installed.jsp).
If there are any other version(s) installed, then update now.
Get the new version (if needed)
If your version is out of date, install the newest version of the Sun Java Runtime Environment (http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html).
Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.
Be sure to close ALL open web browsers before starting the installation.
Remove any old versions
1. Download JavaRa (http://raproducts.org/click/click.php?id=1) and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions.
3. Once complete, exit JavaRA.
4. Run CCleaner.
Additional Note: The Java Quick Starter (JQS.exe) (http://java.sun.com/javase/6/docs/technotes/guides/jweb/otherFeatures/jqs.html) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
*******************************************
Please download the newest version of Adobe Acrobat Reader from Adobe.com (http://www.adobe.com/products/acrobat/readstep2.html)
Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search the list for all previously installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.
Once old versions are gone, please install the newest version.
**************************************************
The Security Check shows that your AV is up-to-date but disabled. Please enable it.
Click Start, Search, select All Files and Folders. Copy and paste
c:\documents and settings\Paul and Jane\Start Menu\Programs\Startup\fgujfsee.exe
and click search. Delete this file.
************************************************
Delete An Uninstall Entry
• Start HijackThis
• Click on the Open the Misc Tools section
• Click on the Open Uninstall Manager button.
• Highlight the entry you want to remove. (wadwupun)
• Click Delete this entry
-
Hiya Dave
Not getting anywhere here at all
I run a ComboFix just so I can get to certain sites and programs can update, but after a while the virus kicks in again.
I cannot update Java because of the above reason, as it comes back with an error "download failed".
I cannot find that file fgujfsee.exe using the search.
I cannot delete the folder wadwupun using HijackThis.
I am on the verge of a reinstall of the OS, to be honest, as I think my PC needs a clean-up anyway, unless you can come up with something else?
I really do appreciate your time on this, but it seems to be a real tricky one :-(
Any thoughts please?
Paul
-
What happens when you try to delete that folder using Unlocker?
-
It says the object is deleted, but it actually doesn't delete at all :-(
-
- Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your Desktop.
- Extract its contents to your desktop.
- Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
- If an infected file is detected, the default action will be Cure, click on Continue.
- If a suspicious file is detected, the default action will be Skip, click on Continue.
- It may ask you to reboot the computer to complete the process. Click on Reboot Now.
- Click the Report button and copy/paste the contents of it into your next reply.
Note: It will also create a log in the C:\ directory.
-
No threats found :-(
Here is the report
2011/03/24 18:43:54.0546 5308 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/03/24 18:43:55.0718 5308 ================================================================================
2011/03/24 18:43:55.0718 5308 SystemInfo:
2011/03/24 18:43:55.0718 5308
2011/03/24 18:43:55.0718 5308 OS Version: 5.1.2600 ServicePack: 3.0
2011/03/24 18:43:55.0718 5308 Product type: Workstation
2011/03/24 18:43:55.0718 5308 ComputerName: MAINPC
2011/03/24 18:43:55.0718 5308 UserName: Paul and Jane
2011/03/24 18:43:55.0718 5308 Windows directory: C:\WINDOWS
2011/03/24 18:43:55.0718 5308 System windows directory: C:\WINDOWS
2011/03/24 18:43:55.0718 5308 Processor architecture: Intel x86
2011/03/24 18:43:55.0718 5308 Number of processors: 2
2011/03/24 18:43:55.0718 5308 Page size: 0x1000
2011/03/24 18:43:55.0718 5308 Boot type: Normal boot
2011/03/24 18:43:55.0718 5308 ================================================================================
2011/03/24 18:43:56.0140 5308 Initialize success
2011/03/24 18:43:58.0765 5424 ================================================================================
2011/03/24 18:43:58.0765 5424 Scan started
2011/03/24 18:43:58.0765 5424 Mode: Manual;
2011/03/24 18:43:58.0765 5424 ================================================================================
2011/03/24 18:43:58.0968 5424 61883 (914a9709fc3bf419ad2f85547f2a4832) C:\WINDOWS\system32\DRIVERS\61883.sys
2011/03/24 18:43:59.0031 5424 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/03/24 18:43:59.0062 5424 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/03/24 18:43:59.0109 5424 adfs (6d7f09cd92a9fef3a8efce66231fdd79) C:\WINDOWS\system32\drivers\adfs.sys
2011/03/24 18:43:59.0156 5424 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/03/24 18:43:59.0187 5424 afcdp (f132d0bfde7c5ea1ab42325c5694a969) C:\WINDOWS\system32\DRIVERS\afcdp.sys
2011/03/24 18:43:59.0218 5424 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/03/24 18:43:59.0328 5424 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/03/24 18:43:59.0406 5424 Aspi32 (54ab078660e536da72b21a27f56b035b) C:\WINDOWS\system32\drivers\aspi32.sys
2011/03/24 18:43:59.0453 5424 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/03/24 18:43:59.0468 5424 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/03/24 18:43:59.0500 5424 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/03/24 18:43:59.0562 5424 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/03/24 18:43:59.0593 5424 Avc (f8e6956a614f15a0860474c5e2a7de6b) C:\WINDOWS\system32\DRIVERS\avc.sys
2011/03/24 18:43:59.0625 5424 b57w2k (8c0403aa21029804f31d869e6b0adedf) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2011/03/24 18:43:59.0656 5424 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/03/24 18:43:59.0734 5424 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/03/24 18:43:59.0781 5424 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/03/24 18:43:59.0843 5424 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/03/24 18:43:59.0890 5424 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/03/24 18:43:59.0906 5424 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/03/24 18:43:59.0921 5424 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
2011/03/24 18:44:00.0046 5424 ctac32k (b48945add6acb51d0b2aafc558664d1d) C:\WINDOWS\system32\drivers\ctac32k.sys
2011/03/24 18:44:00.0078 5424 ctaud2k (def704dfad0b702919c2e460309bcb98) C:\WINDOWS\system32\drivers\ctaud2k.sys
2011/03/24 18:44:00.0109 5424 ctdvda2k (f02e5e05ad79111f3b975e2a654aa050) C:\WINDOWS\system32\drivers\ctdvda2k.sys
2011/03/24 18:44:00.0125 5424 ctprxy2k (377dc83c79358c20897df8d4742db7b0) C:\WINDOWS\system32\drivers\ctprxy2k.sys
2011/03/24 18:44:00.0140 5424 ctsfm2k (1967653517d663c8c4b39c622988b910) C:\WINDOWS\system32\drivers\ctsfm2k.sys
2011/03/24 18:44:00.0171 5424 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/03/24 18:44:00.0250 5424 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/03/24 18:44:00.0328 5424 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\DRIVERS\dmio.sys
2011/03/24 18:44:00.0359 5424 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/03/24 18:44:00.0390 5424 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/03/24 18:44:00.0437 5424 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/03/24 18:44:00.0484 5424 emupia (94cea5c33ede311a193008518b4e7723) C:\WINDOWS\system32\drivers\emupia2k.sys
2011/03/24 18:44:00.0531 5424 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/03/24 18:44:00.0562 5424 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/03/24 18:44:00.0593 5424 FilterService (50104c5f1ee1e295781caf9521ca2e56) C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys
2011/03/24 18:44:00.0625 5424 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/03/24 18:44:00.0656 5424 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/03/24 18:44:00.0703 5424 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/03/24 18:44:00.0734 5424 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/03/24 18:44:00.0765 5424 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/03/24 18:44:00.0812 5424 GcKernel (72fe2bea6863d4eb93442a1c4fb5ca48) C:\WINDOWS\system32\DRIVERS\GcKernel.sys
2011/03/24 18:44:00.0984 5424 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2011/03/24 18:44:01.0125 5424 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/03/24 18:44:01.0437 5424 ha20x2k (278482909b1d3c4d9d300261cde4c385) C:\WINDOWS\system32\drivers\ha20x2k.sys
2011/03/24 18:44:01.0578 5424 hamachi (7929a161f9951d173ca9900fe7067391) C:\WINDOWS\system32\DRIVERS\hamachi.sys
2011/03/24 18:44:01.0640 5424 HIDSwvd (bd205320308fb41c88a4049a2d1764b4) C:\WINDOWS\system32\DRIVERS\HIDSwvd.sys
2011/03/24 18:44:01.0687 5424 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/03/24 18:44:01.0906 5424 HPZid412 (5faba4775d4c61e55ec669d643ffc71f) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2011/03/24 18:44:02.0046 5424 HPZipr12 (a3c43980ee1f1beac778b44ea65dbdd4) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2011/03/24 18:44:02.0187 5424 HPZius12 (2906949bd4e206f2bb0dd1896ce9f66f) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2011/03/24 18:44:02.0406 5424 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/03/24 18:44:02.0968 5424 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/03/24 18:44:03.0015 5424 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/03/24 18:44:03.0062 5424 imhidusb (0836f03aa73ee78f1c884c4e9211aa72) C:\WINDOWS\system32\DRIVERS\imhidusb.sys
2011/03/24 18:44:03.0140 5424 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/03/24 18:44:03.0171 5424 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/03/24 18:44:03.0218 5424 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/03/24 18:44:03.0265 5424 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/03/24 18:44:03.0312 5424 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/03/24 18:44:03.0359 5424 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/03/24 18:44:03.0421 5424 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/03/24 18:44:03.0531 5424 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/03/24 18:44:03.0703 5424 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/03/24 18:44:03.0843 5424 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/03/24 18:44:04.0140 5424 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/03/24 18:44:04.0218 5424 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/03/24 18:44:04.0281 5424 lfsfilt (1f7366d04e5e32a656e3971b271a63a0) C:\WINDOWS\system32\DRIVERS\lfsfilt.sys
2011/03/24 18:44:04.0437 5424 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys
2011/03/24 18:44:04.0484 5424 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys
2011/03/24 18:44:04.0531 5424 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2011/03/24 18:44:04.0562 5424 lpx (ed8277d9182ffa0f9e6c75acb6dbdb5b) C:\WINDOWS\system32\DRIVERS\lpx.sys
2011/03/24 18:44:04.0625 5424 lvpopflt (6d994fa3d541b63eaccf4f2b3f42b2e1) C:\WINDOWS\system32\DRIVERS\lvpopflt.sys
2011/03/24 18:44:04.0656 5424 LVPr2Mon (f96cfb47903854f228baaf3e2d41a0a3) C:\WINDOWS\system32\Drivers\LVPr2Mon.sys
2011/03/24 18:44:04.0750 5424 LVRS (b895839b8743e400d7c7dae156f74e7e) C:\WINDOWS\system32\DRIVERS\lvrs.sys
2011/03/24 18:44:04.0937 5424 LVUSBSta (23f8ef78bb9553e465a476f3cee5ca18) C:\WINDOWS\system32\drivers\LVUSBSta.sys
2011/03/24 18:44:05.0421 5424 LVUVC (8bc0d5f6e3898f465a94c6d03afb5a20) C:\WINDOWS\system32\DRIVERS\lvuvc.sys
2011/03/24 18:44:05.0781 5424 MarvinBus (a3e700d78eec390f1208098cdca5c6b6) C:\WINDOWS\system32\DRIVERS\MarvinBus.sys
2011/03/24 18:44:05.0875 5424 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/03/24 18:44:05.0921 5424 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/03/24 18:44:05.0953 5424 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/03/24 18:44:05.0984 5424 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/03/24 18:44:06.0031 5424 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/03/24 18:44:06.0093 5424 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/03/24 18:44:06.0171 5424 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/03/24 18:44:06.0234 5424 MSDV (1477849772712bac69c144dcf2c9ce81) C:\WINDOWS\system32\DRIVERS\msdv.sys
2011/03/24 18:44:06.0265 5424 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/03/24 18:44:06.0328 5424 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/03/24 18:44:06.0359 5424 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/03/24 18:44:06.0406 5424 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/03/24 18:44:06.0437 5424 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/03/24 18:44:06.0500 5424 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/03/24 18:44:06.0546 5424 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/03/24 18:44:06.0703 5424 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/03/24 18:44:06.0843 5424 ndasbus (fe173cd26277ab2f91a2b9e22e0efca4) C:\WINDOWS\system32\DRIVERS\ndasbus.sys
2011/03/24 18:44:06.0953 5424 ndasscsi (063d278d1ff1231d2280a42eea20640c) C:\WINDOWS\system32\DRIVERS\ndasscsi.sys
2011/03/24 18:44:07.0062 5424 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/03/24 18:44:07.0328 5424 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/03/24 18:44:07.0406 5424 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/03/24 18:44:07.0421 5424 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/03/24 18:44:07.0421 5424 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/03/24 18:44:07.0468 5424 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/03/24 18:44:07.0515 5424 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/03/24 18:44:07.0531 5424 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/03/24 18:44:07.0562 5424 NetworkX (b8f9384e04d1fdc135d3f67281e1d2c6) C:\WINDOWS\system32\ckldrv.sys
2011/03/24 18:44:07.0656 5424 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/03/24 18:44:07.0718 5424 nm (1e421a6bcf2203cc61b821ada9de878b) C:\WINDOWS\system32\DRIVERS\NMnt.sys
2011/03/24 18:44:07.0765 5424 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/03/24 18:44:07.0812 5424 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/03/24 18:44:07.0843 5424 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/03/24 18:44:08.0031 5424 nv (9e143fb3ef13b7ec1c1dd06529debadd) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/03/24 18:44:08.0250 5424 nvatabus (b7fb72492b753930ec70a0f49d04f12f) C:\WINDOWS\system32\DRIVERS\nvatabus.sys
2011/03/24 18:44:08.0281 5424 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/03/24 18:44:08.0312 5424 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/03/24 18:44:08.0343 5424 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/03/24 18:44:08.0421 5424 ossrv (8a347decf8a4bbcad4501528546b4fad) C:\WINDOWS\system32\drivers\ctoss2k.sys
2011/03/24 18:44:08.0453 5424 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/03/24 18:44:08.0484 5424 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/03/24 18:44:08.0609 5424 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/03/24 18:44:08.0625 5424 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/03/24 18:44:08.0656 5424 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/03/24 18:44:08.0687 5424 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/03/24 18:44:08.0734 5424 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys
2011/03/24 18:44:08.0843 5424 PenClass (4a108cc9cc0e0605e68cce7021479879) C:\WINDOWS\system32\Drivers\PenClass.sys
2011/03/24 18:44:08.0906 5424 PLCNDIS5 (2aba2f545b35f9c6cc2cfc4e1d539a80) C:\WINDOWS\system32\PLCNDIS5.SYS
2011/03/24 18:44:08.0984 5424 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/03/24 18:44:09.0031 5424 PQNTDrv (04f3971b70a7855f04d351aa4bee7799) C:\WINDOWS\system32\drivers\PQNTDrv.sys
2011/03/24 18:44:09.0046 5424 prodrv06 (6d3b2fc5dec2f59b28fe5fa17250a7b0) C:\WINDOWS\System32\drivers\prodrv06.sys
2011/03/24 18:44:09.0062 5424 prohlp02 (c5f47b7ec2ec906847d5f80ba779a5bd) C:\WINDOWS\system32\drivers\prohlp02.sys
2011/03/24 18:44:09.0078 5424 prosync1 (f3471e7971ee62420451d958da635064) C:\WINDOWS\system32\drivers\prosync1.sys
2011/03/24 18:44:09.0140 5424 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/03/24 18:44:09.0187 5424 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/03/24 18:44:09.0250 5424 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/03/24 18:44:09.0281 5424 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/03/24 18:44:09.0281 5424 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/03/24 18:44:09.0312 5424 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/03/24 18:44:09.0343 5424 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/03/24 18:44:09.0359 5424 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/03/24 18:44:09.0375 5424 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/03/24 18:44:09.0406 5424 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/03/24 18:44:09.0421 5424 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/03/24 18:44:09.0468 5424 Revoflt (8b5b8a11306190c6963d3473f052d3c8) C:\WINDOWS\system32\DRIVERS\revoflt.sys
2011/03/24 18:44:09.0500 5424 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
2011/03/24 18:44:09.0515 5424 rk_remover-boot (8cdcdcf155482090c0251f75ce63b443) C:\WINDOWS\system32\drivers\rk_remover.sys
2011/03/24 18:44:09.0531 5424 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2011/03/24 18:44:09.0578 5424 s217bus (0266151de3f36429f6ac3c4b28085061) C:\WINDOWS\system32\DRIVERS\s217bus.sys
2011/03/24 18:44:09.0625 5424 s217mdfl (a43c0af0e46be7ef0c7e8ccf0f058600) C:\WINDOWS\system32\DRIVERS\s217mdfl.sys
2011/03/24 18:44:09.0640 5424 s217mdm (005f5ded1ed8f8a9d2399d765ead20f1) C:\WINDOWS\system32\DRIVERS\s217mdm.sys
2011/03/24 18:44:09.0687 5424 s217mgmt (de9562ad0c91e1857d11f65a91ee1a47) C:\WINDOWS\system32\DRIVERS\s217mgmt.sys
2011/03/24 18:44:09.0703 5424 s217obex (0f9f4045799afb66b85eef999d0609ec) C:\WINDOWS\system32\DRIVERS\s217obex.sys
2011/03/24 18:44:09.0750 5424 s217unic (1c91e1023f07b6407d84b5a43537d984) C:\WINDOWS\system32\DRIVERS\s217unic.sys
2011/03/24 18:44:09.0812 5424 SaiNtHid (a007103ef0e50fb0e0ed08b511d721d7) C:\WINDOWS\system32\DRIVERS\SaiNtHid.sys
2011/03/24 18:44:09.0859 5424 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) E:\Super Anti Spyware\SASDIFSV.SYS
2011/03/24 18:44:09.0875 5424 SASKUTIL (61db0d0756a99506207fd724e3692b25) E:\Super Anti Spyware\SASKUTIL.SYS
2011/03/24 18:44:09.0921 5424 sbp2port (b244960e5a1db8e9d5d17086de37c1e4) C:\WINDOWS\system32\DRIVERS\sbp2port.sys
2011/03/24 18:44:10.0000 5424 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/03/24 18:44:10.0031 5424 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/03/24 18:44:10.0078 5424 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/03/24 18:44:10.0125 5424 sfdrv01 (4c0d673281178cb496011a2e28571fc8) C:\WINDOWS\system32\drivers\sfdrv01.sys
2011/03/24 18:44:10.0140 5424 sfhlp01 (462aee0ea0481ea8bd45cac876a4ccc4) C:\WINDOWS\system32\drivers\sfhlp01.sys
2011/03/24 18:44:10.0171 5424 sfhlp02 (15be2b5e4dc5b8623cf167720682abc9) C:\WINDOWS\system32\drivers\sfhlp02.sys
2011/03/24 18:44:10.0203 5424 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/03/24 18:44:10.0218 5424 sfvfs02 (d5a7e09d2c6a702809e49190d52adc9f) C:\WINDOWS\system32\drivers\sfvfs02.sys
2011/03/24 18:44:10.0250 5424 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/03/24 18:44:10.0296 5424 snapman (ffd9b64db2cd7b74b766c3a8452a5816) C:\WINDOWS\system32\DRIVERS\snapman.sys
2011/03/24 18:44:10.0343 5424 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/03/24 18:44:10.0359 5424 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/03/24 18:44:10.0437 5424 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/03/24 18:44:10.0500 5424 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/03/24 18:44:10.0515 5424 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/03/24 18:44:10.0531 5424 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/03/24 18:44:10.0625 5424 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/03/24 18:44:10.0656 5424 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/03/24 18:44:10.0703 5424 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/03/24 18:44:10.0750 5424 tdrpman251 (3630f5b8181554deecfe2e4252bc4c4c) C:\WINDOWS\system32\DRIVERS\tdrpm251.sys
2011/03/24 18:44:10.0781 5424 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/03/24 18:44:10.0828 5424 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/03/24 18:44:10.0843 5424 timounter (c820bfc70feb25ec877c49e81cd477c1) C:\WINDOWS\system32\DRIVERS\timntr.sys
2011/03/24 18:44:10.0890 5424 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/03/24 18:44:10.0953 5424 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/03/24 18:44:11.0000 5424 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/03/24 18:44:11.0046 5424 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/03/24 18:44:11.0062 5424 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/03/24 18:44:11.0093 5424 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/03/24 18:44:11.0109 5424 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/03/24 18:44:11.0156 5424 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/03/24 18:44:11.0187 5424 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/03/24 18:44:11.0234 5424 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/03/24 18:44:11.0281 5424 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/03/24 18:44:11.0312 5424 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
2011/03/24 18:44:11.0343 5424 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/03/24 18:44:11.0390 5424 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/03/24 18:44:11.0453 5424 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/03/24 18:44:11.0484 5424 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\Drivers\wdf01000.sys
2011/03/24 18:44:11.0531 5424 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/03/24 18:44:11.0562 5424 WinDriver6 (94e4312d546048bf31604a8b2ad13fc0) C:\WINDOWS\system32\drivers\windrvr6.sys
2011/03/24 18:44:11.0625 5424 WmBEnum (c8a3f4b7d6ec50a428101ac8c9ff973c) C:\WINDOWS\system32\drivers\WmBEnum.sys
2011/03/24 18:44:11.0640 5424 WmFilter (10a7b8281210f5cbd5a0d978ac547fa6) C:\WINDOWS\system32\drivers\WmFilter.sys
2011/03/24 18:44:11.0671 5424 WmHidLo (baef5220c34238fce2921aaeb9bb21ff) C:\WINDOWS\system32\drivers\WmHidLo.sys
2011/03/24 18:44:11.0687 5424 WmVirHid (a12f19c9234836c66e109513d5be636b) C:\WINDOWS\system32\drivers\WmVirHid.sys
2011/03/24 18:44:11.0703 5424 WmXlCore (79755654f4845b7a5ddd35e68899a44d) C:\WINDOWS\system32\drivers\WmXlCore.sys
2011/03/24 18:44:11.0734 5424 WpdUsb (1385e5aa9c9821790d33a9563b8d2dd0) C:\WINDOWS\system32\Drivers\wpdusb.sys
2011/03/24 18:44:11.0765 5424 WsAudio_DeviceS(1) (4160cbe59d9b5be22e4c3897e8db9d56) C:\WINDOWS\system32\drivers\WsAudio_DeviceS(1).sys
2011/03/24 18:44:11.0781 5424 WsAudio_DeviceS(2) (4160cbe59d9b5be22e4c3897e8db9d56) C:\WINDOWS\system32\drivers\WsAudio_DeviceS(2).sys
2011/03/24 18:44:11.0812 5424 WsAudio_DeviceS(3) (4160cbe59d9b5be22e4c3897e8db9d56) C:\WINDOWS\system32\drivers\WsAudio_DeviceS(3).sys
2011/03/24 18:44:11.0828 5424 WsAudio_DeviceS(4) (4160cbe59d9b5be22e4c3897e8db9d56) C:\WINDOWS\system32\drivers\WsAudio_DeviceS(4).sys
2011/03/24 18:44:11.0843 5424 WsAudio_DeviceS(5) (4160cbe59d9b5be22e4c3897e8db9d56) C:\WINDOWS\system32\drivers\WsAudio_DeviceS(5).sys
2011/03/24 18:44:11.0890 5424 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/03/24 18:44:11.0906 5424 WudfPf (50eb9e21963b4f06fd010d007d54351b) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/03/24 18:44:11.0953 5424 WudfRd (6e209664bdea8a15b5e8e480d6c607c2) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/03/24 18:44:11.0984 5424 XE104Sp50 (1961590aa191b6b7dcf18a6a693af7b8) C:\WINDOWS\system32\Drivers\XE104Sp50.sys
2011/03/24 18:44:12.0078 5424 ================================================================================
2011/03/24 18:44:12.0078 5424 Scan finished
2011/03/24 18:44:12.0078 5424 ================================================================================
-
Ok. Let's try another method.
Copy and paste the text in the code box below into Notepad.
@echo off
rem the path contains spaces, so it must be quoted; wadwupun is a folder, so rd /s /q is used to remove it and its contents
rd /s /q "c:\program files\wadwupun"
rem remove this batch file itself
del "%~f0"
exit
Then click File > Save as
Save to the Desktop as blackpudding.bat
And Save as type: All Files.
Double-click on blackpudding.bat to run it.
-
wadwupun is still there after running blackpudding.bat :-(
-
Copy and paste the text in the code box below into Notepad.
@echo off
rem the path contains spaces, so it must be quoted
del "c:\documents and settings\Paul and Jane\Start Menu\Programs\Startup\fgujfsee.exe"
rem remove this batch file itself
del "%~f0"
exit
Then click File > Save as
Save to the Desktop as blackpudding.bat
And Save as type: All Files.
Double-click on blackpudding.bat to run it.
Please run ComboFix after doing the above and post the log.
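As an added example (not the helper's script above, and not part of the original thread), here is a batch file that covers both deletions suggested in this thread, checks whether each target exists before and after the attempt, and writes the outcome to a log file on the Desktop so the result can be confirmed rather than guessed at. The two target paths are the ones named in this thread; the log file name is an assumption.

```batch
@echo off
rem Added example, not the helper's original script. Removes the two items
rem named in this thread and records what happened in a log on the Desktop.
rem The log file name (blackpudding-log.txt) is an assumption.
setlocal
set "LOG=%USERPROFILE%\Desktop\blackpudding-log.txt"
set "DIR1=C:\Program Files\wadwupun"
set "FILE1=C:\Documents and Settings\Paul and Jane\Start Menu\Programs\Startup\fgujfsee.exe"

echo ==== %DATE% %TIME% ==== >> "%LOG%"

rem The trailing backslash inside the quotes makes "if exist" test for a folder.
if exist "%DIR1%\" (
    echo Found folder: %DIR1% >> "%LOG%"
    rem /s removes the folder with its contents, /q suppresses the confirmation prompt
    rd /s /q "%DIR1%"
    if exist "%DIR1%\" (echo FAILED to remove folder >> "%LOG%") else (echo Removed folder >> "%LOG%")
) else (
    echo Folder not present: %DIR1% >> "%LOG%"
)

if exist "%FILE1%" (
    echo Found file: %FILE1% >> "%LOG%"
    rem clear read-only, hidden and system attributes first, otherwise del refuses the file
    attrib -r -h -s "%FILE1%"
    del /f /q "%FILE1%"
    if exist "%FILE1%" (echo FAILED to remove file >> "%LOG%") else (echo Removed file >> "%LOG%")
) else (
    echo File not present: %FILE1% >> "%LOG%"
)

rem show the log in the console window before the script removes itself
type "%LOG%"
pause
del "%~f0"
```

Save it the same way as the scripts above (Notepad, Save as type: All Files, .bat extension) and run it; the log on the Desktop then shows whether each item was found and whether it was actually removed, which is the information missing when the script silently deletes itself.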
-
Did as you asked and here is the log.
I can't say whether your BAT file worked, as I can never see that file anyway.
ComboFix 11-03-24.06 - Paul and Jane 25/03/2011 19:06:21.15.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1495 [GMT 0:00]
Running from: c:\documents and settings\Paul and Jane\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-02-25 to 2011-03-25 )))))))))))))))))))))))))))))))
.
.
2011-03-23 12:35 . 2011-03-18 17:57 781272 ------w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-03-23 12:35 . 2011-03-18 17:57 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-03-23 12:35 . 2011-03-18 17:57 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-03-23 12:35 . 2011-03-18 17:57 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-03-23 12:35 . 2011-03-18 17:57 1874904 ------w- c:\program files\Mozilla Firefox\mozjs.dll
2011-03-23 12:35 . 2011-03-18 17:57 15832 ------w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-03-23 12:35 . 2011-03-18 17:57 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-03-23 12:35 . 2011-03-18 17:57 142296 ------w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-03-23 12:30 . 2011-03-24 17:57 -------- d-----w- c:\program files\wadwupun
2011-03-23 12:07 . 2011-03-23 12:07 -------- d-----w- C:\$AVG
2011-03-23 11:56 . 2011-03-23 11:56 -------- d-----w- c:\documents and settings\Paul and Jane\Application Data\AVG10
2011-03-23 11:56 . 2011-03-23 11:56 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-03-23 11:55 . 2011-03-23 13:26 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-03-23 11:55 . 2011-03-23 11:55 -------- d-----w- c:\program files\AVG
2011-03-23 11:53 . 2011-03-24 18:48 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-03-22 22:04 . 2011-03-24 17:57 164199 ----a-w- c:\program files\Mozilla Firefox\firefoxmgr.exe
2011-03-21 17:22 . 2011-03-22 16:43 -------- d-----w- C:\QUARANTINE
2011-03-21 17:12 . 2011-03-21 17:12 -------- d-----w- c:\program files\ophcrack
2011-03-20 12:16 . 2011-03-20 12:16 -------- d-----w- c:\documents and settings\Paul and Jane\Application Data\IObit
2011-03-20 12:16 . 2011-03-20 12:16 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2011-03-20 12:16 . 2011-03-20 12:16 -------- d-----w- c:\program files\IObit
2011-03-20 11:46 . 2011-03-20 11:46 -------- d-----w- C:\1
2011-03-20 11:32 . 2011-03-20 11:39 -------- d-----w- c:\program files\Unlocker
2011-03-20 09:29 . 2011-03-20 09:29 -------- d-----w- c:\program files\Trend Micro
2011-03-19 10:49 . 2011-03-19 10:49 -------- d-----w- c:\documents and settings\Paul and Jane\Application Data\SUPERAntiSpyware.com
2011-03-19 10:49 . 2011-03-19 10:49 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-03-18 14:18 . 2011-03-18 15:49 53248 ----a-w- c:\windows\system32\drivers\rk_remover.sys
2011-03-18 10:06 . 2011-03-18 10:08 -------- d-----w- c:\program files\Windows Live Safety Center
2011-03-17 21:54 . 2011-03-21 21:42 233977 ----a-r- c:\documents and settings\Paul and Jane\Application Data\Microsoft\Installer\{2c557f98-ef74-4a1e-a856-9df2f633b41f}\gui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2011-03-17 21:54 . 2011-03-21 21:42 233894 ----a-r- c:\documents and settings\Paul and Jane\Application Data\Microsoft\Installer\{2c557f98-ef74-4a1e-a856-9df2f633b41f}\ARPPRODUCTICON.exe
2011-03-17 21:54 . 2011-03-21 21:42 233854 ----a-r- c:\documents and settings\Paul and Jane\Application Data\Microsoft\Installer\{2c557f98-ef74-4a1e-a856-9df2f633b41f}\gui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2011-03-17 21:54 . 2011-03-17 21:54 -------- d-----w- c:\program files\Sophos
2011-03-17 19:54 . 2011-03-17 19:54 -------- d-----w- c:\documents and settings\Pauls Iphone\Application Data\Malwarebytes
2011-03-17 19:50 . 2011-03-17 19:50 -------- d-----w- c:\documents and settings\Pauls Iphone\Local Settings\Application Data\Adobe
2011-03-17 19:02 . 2011-03-17 19:02 -------- d-----w- c:\documents and settings\Pauls Iphone\Local Settings\Application Data\TomTom
2011-03-17 19:02 . 2011-03-17 19:02 -------- d-----w- c:\documents and settings\Pauls Iphone\Application Data\TomTom
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-21 21:42 . 2007-12-13 18:48 209384 ----a-r- c:\documents and settings\Paul and Jane\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\WinDlg.exe_0AB76F69E7614CFAB9B0A1906B4E9E4B_3.exe
2011-03-18 17:57 . 2011-03-23 12:35 142296 ------w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-03-21_18.08.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 00:02 . 2009-07-12 00:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
+ 2009-07-12 00:05 . 2009-07-12 00:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
+ 2009-07-12 00:05 . 2009-07-12 00:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
+ 2011-03-25 18:58 . 2011-03-25 18:58 16384 c:\windows\Temp\Perflib_Perfdata_78c.dat
- 2004-08-04 10:00 . 2011-03-21 17:57 80884 c:\windows\system32\perfc009.dat
+ 2004-08-04 10:00 . 2011-03-25 19:02 80884 c:\windows\system32\perfc009.dat
- 2010-12-15 15:40 . 2010-12-15 15:40 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
+ 2010-12-15 15:40 . 2011-03-21 18:36 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
+ 2005-03-21 11:00 . 2005-03-21 11:00 4096 c:\windows\system32\sabprocenum.sys
+ 2009-07-12 00:02 . 2009-07-12 00:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
+ 2009-07-12 00:05 . 2009-07-12 00:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
+ 2004-08-04 10:00 . 2011-03-25 19:02 467240 c:\windows\system32\perfh009.dat
- 2004-08-04 10:00 . 2011-03-21 17:57 467240 c:\windows\system32\perfh009.dat
+ 2004-08-04 10:00 . 2008-04-14 00:11 640000 c:\windows\system32\dllcache\dbghelp.dll
+ 2011-03-23 11:54 . 2011-03-23 11:54 219648 c:\windows\Installer\b031b0.msi
+ 2009-05-14 15:41 . 2009-05-14 15:41 380144 c:\windows\Downloaded Program Files\sabspx.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
+ 2007-08-12 13:22 . 2011-03-02 19:56 37943240 c:\windows\system32\MRT.exe
+ 2011-03-21 18:36 . 2011-03-21 18:36 20304384 c:\windows\Installer\13319e.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="e:\super anti spyware\SUPERAntiSpyware.exe" [2011-03-16 2423752]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "e:\super anti spyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- e:\super anti spyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-09-29 18:09 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
backup=c:\windows\pss\Adobe Acrobat Synchronizer.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DynDNS Updater Tray Icon.lnk]
backup=c:\windows\pss\DynDNS Updater Tray Icon.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Giganews Accelerator.lnk]
backup=c:\windows\pss\Giganews Accelerator.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NDAS Device Management.lnk]
backup=c:\windows\pss\NDAS Device Management.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TabUserW.lnk]
backup=c:\windows\pss\TabUserW.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Paul and Jane^Start Menu^Programs^Startup^VQ4.0.lnk]
backup=c:\windows\pss\VQ4.0.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2009-09-12 15:31 357384 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-05-11 02:06 40048 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 06:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-10-23 14:18 202024 ----a-w- c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
2003-01-27 16:16 376912 ----a-w- c:\program files\BroadJump\Client Foundation\CFD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2006-08-17 10:32 17920 ----a-w- c:\windows\CTHELPER.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
2006-03-02 11:00 18944 ----a-w- c:\windows\system32\CTXFIHLP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2010-04-01 09:16 357696 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus DX6000 Series]
2006-02-13 04:00 131072 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIBIE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2011-03-20 14:25 3907957 ------w- c:\program files\Google\Google Talk\googletalk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 11:44 31072 ------w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-11-13 12:39 1289000 ------w- e:\active sync\wcescomm.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2011-03-20 14:25 410025 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2005-07-08 04:55 176128 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
2005-07-08 04:55 491520 ----a-w- c:\windows\system32\hphmon05.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IObit Security 360]
2010-06-11 18:14 1280344 ----a-w- c:\program files\IObit\IObit Security 360\is360tray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-21 14:53 141608 ----a-w- e:\i tunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2008-12-20 07:50 2656528 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2008-07-24 17:46 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2007-09-20 08:51 1836328 ----a-w- e:\nero 8\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 14:57 153136 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-01-15 08:19 13680640 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-01-15 08:19 86016 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2009-01-15 08:19 1657376 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-03-20 18:06 421888 ----a-w- e:\quicktime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
2009-10-14 14:43 3217368 ----a-w- e:\registry mechanic\RegMech.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-10-09 13:11 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-04-19 20:18 1217872 ----a-w- e:\steam\steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 11:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-03-26 08:32 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2007-08-17 20:14 185632 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2011-03-09 12:30 247728 ----a-w- e:\tomtom home 2\TomTomHOMERunner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2009-09-12 15:30 5048488 ----a-w- e:\acronis\TrueImageMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
2011-03-20 18:34 17408 ----a-w- e:\unlocker\UnlockerAssistant.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\wizdxp\\wizd.exe"=
"e:\active sync\rapimgr.exe"= e:\active sync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"e:\active sync\wcescomm.exe"= e:\active sync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"e:\active sync\WCESMgr.exe"= e:\active sync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"e:\\Studio 11\\programs\\RM.exe"=
"e:\\Studio 11\\programs\\Studio.exe"=
"e:\\Studio 11\\programs\\PMSRegisterFile.exe"=
"e:\\Studio 11\\programs\\umi.exe"=
"e:\\Steam\\steam.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"e:\\Flight Simulator X\\fsx.exe"=
"e:\\Dreamweaver\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\I Tunes\\iTunes.exe"=
"e:\\Sam Broadcaster\\SAMBC.exe"=
"c:\\Program Files\\NSVtools\\nsvscsrc.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"8010:TCP"= 8010:TCP:shoutcast
"3436:TCP"= 3436:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R0 tdrpman251;Acronis Try&Decide and Restore Points filter (build 251);c:\windows\system32\drivers\tdrpm251.sys [23/04/2010 12:34 902432]
R1 SASDIFSV;SASDIFSV;e:\super anti spyware\sasdifsv.sys [17/02/2010 18:25 12872]
R1 SASKUTIL;SASKUTIL;e:\super anti spyware\SASKUTIL.SYS [10/05/2010 18:41 67656]
R2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [23/04/2010 12:34 2326920]
R2 DynDNS Updater;DynDNS Updater;c:\program files\DynDNS Updater\DynUpSvc.exe [16/04/2010 16:19 103800]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [05/10/2010 17:38 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [24/07/2008 17:46 12856]
R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [23/04/2010 12:34 159168]
R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [01/12/2009 18:11 25704]
R3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [01/12/2009 18:11 25704]
R3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [01/12/2009 18:12 25704]
R3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [01/12/2009 18:12 25704]
R3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [01/12/2009 18:12 25704]
S0 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
S2 gupdate1c9aded739d4b74;Google Update Service (gupdate1c9aded739d4b74);c:\program files\Google\Update\GoogleUpdate.exe [26/03/2009 08:32 133104]
S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe --> c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [?]
S3 imhidusb;Immersion's HID USB Driver;c:\windows\system32\drivers\imhidusb.sys [14/10/2007 12:02 30984]
S3 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [20/03/2011 12:16 312152]
S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;c:\windows\system32\PLCNDIS5.SYS [26/04/2004 17:11 17280]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [14/12/2010 21:55 27064]
S3 rk_remover-boot;rk_remover-boot;c:\windows\system32\drivers\rk_remover.sys [18/03/2011 14:18 53248]
S3 XE104Sp50;XE104Sp50 NDIS Protocol Driver;c:\windows\system32\drivers\XE104Sp50.sys [28/11/2006 20:46 27072]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 12:34]
.
2011-03-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-07 08:32]
.
2011-03-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-26 08:32]
.
2011-03-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-26 08:32]
.
2011-03-23 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]
.
2011-01-02 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = http=asfd-cache-1.server.ntli.net
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {C380CE11-9A83-4782-86FB-28CE0B0787E6} = 194.168.4.100,194.168.8.100
DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} - hxxp://assets.photobox.com/assets/aurigma/ImageUploader5.cab?20100902142450
DPF: {195538FD-1C39-44B1-A7C3-5D7137A8A8F1} - hxxps://access.easyjetairline.com/vdesk/terminal/f5opswati.cab#Version=7000,2010,517,1206
DPF: {30CF9713-6614-4556-B5F5-66F8C7F9DEF1} - hxxps://access.easyjetairline.com/vdesk/terminal/f5opswati.cab#Version=7000,2010,517,1206
DPF: {49EC7987-E331-44E3-B170-748B58A268B9} - hxxps://access.easyjetairline.com/vdesk/terminal/f5opswati.cab#Version=7000,2010,517,1206
DPF: {4A026B12-94F3-4D2F-A468-96AA55DE20A5} - hxxp://192.168.1.104/img/NetCamPlayerWeb11g.ocx
DPF: {EBDC91CB-F23F-477D-B152-3F7243760D04} - hxxps://access.easyjetairline.com/vdesk/terminal/f5opswati.cab#Version=7000,2010,517,1206
DPF: {FD0EBBED-0C42-4D0F-82DA-44399B5C420A} - hxxp://downloads.virginmedia.com/CST/ver1/xp_mail.cab
FF - ProfilePath - c:\documents and settings\Paul and Jane\Application Data\Mozilla\Firefox\Profiles\qddxd76b.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=&query=
FF - prefs.js: browser.search.selectedEngine - Winamp Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=&query=
FF - user.js: capability.policy.policynames - localfilelinks
FF - user.js: capability.policy.localfilelinks.sites - hxxp://s1.travian.com http://s2.travian.com http://s3.travian.com http://s4.travian.com http://s5.travian.com http://s6.travian.com http://s7.travian.com http://s8.travian.com http://s9.travian.com http://s10.travian.com http://speed.travian.com http://s1.travian.us http://s2.travian.us http://s3.travian.us http://s4.travian.us http://s5.travian.us http://s6.travian.us http://s7.travian.us http://s8.travian.us http://s9.travian.us http://s10.travian.us http://speed.travian.us http://s1.travian.co.uk http://s2.travian.co.uk http://s3.travian.co.uk http://s4.travian.co.uk http://s5.travian.co.uk http://s6.travian.co.uk http://s7.travian.co.uk http://s8.travian.co.uk http://s9.travian.co.uk http://s10.travian.co.uk http://speed.travian.co.uk
FF - user.js: capability.policy.localfilelinks.checkloaduri.enabled - allAccess
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-25 19:11
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\Paul and Jane\Start Menu\Programs\Startup\fgujfsee.exe 164199 bytes executable
C:\fgujfsee.exe 164199 bytes executable
.
scan completed successfully
hidden files: 2
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2052111302-1614895754-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{142CD2CF-756C-381E-759D-20FC7E2F111E}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abehjcdkbnfajfgdfiiomepmfiljnhooln"=hex:65,62,65,68,63,65,64,6d,64,65,62,62,
63,68,6a,62,6c,63,6e,62,69,65,61,6a,67,66,6c,61,6c,63,68,62,68,65,6a,6a,66,\
"bbehjcdkbnfajfgdfihohincaleghhekpfol"=hex:61,62,64,62,64,6c,69,70,6b,6c,6e,6d,
64,66,6e,6c,6a,6c,70,6d,6f,6a,68,6b,6b,6e,6f,65,66,61,70,69,66,65,00,6a
.
[HKEY_USERS\S-1-5-21-2052111302-1614895754-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8F011243-2BF9-227A-A86C-B3C19DB5E2C4}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iabdoenbheaognkbme"=hex:6a,61,66,6d,68,6f,63,70,6e,62,6b,61,6a,66,6b,65,6a,66,
69,6a,00,00
"halndhddfkcbdame"=hex:6b,61,66,6d,63,6f,6a,6f,67,65,6a,6e,68,66,6d,61,6f,65,
61,69,63,6e,00,00
"iafcfikbniidmfemlf"=hex:63,61,64,6d,6f,6f,00,7c
.
[HKEY_USERS\S-1-5-21-2052111302-1614895754-839522115-1003\Software\Sony Creative Software\M*e*d*i*a* *M*a*n*a*g*e*r* *f*o*r* *P*S*P*"!\3.0]
"Percents"=""
"Increment"=".000213"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:e3,ff,fb,3e,89,b9,34,c0,0e,9e,24,b4,a2,21,68,88,0a,3c,f1,03,f1,
04,45,20,0a,31,25,a5,ed,70,67,aa,ea,c0,1f,fb,fb,5e,f8,db,5e,ba,51,a4,9e,1c,\
.
[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:e3,ff,fb,3e,89,b9,34,c0,0e,9e,24,b4,a2,21,68,88,0a,3c,f1,03,f1,
04,45,20,0a,31,25,a5,ed,70,67,aa,ea,c0,1f,fb,fb,5e,f8,db,5e,ba,51,a4,9e,1c,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(940)
e:\super anti spyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\LMIinit.dll
.
- - - - - - - > 'explorer.exe'(340)
c:\windows\system32\WININET.dll
c:\windows\system32\tabhook.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2011-03-25 19:14:24
ComboFix-quarantined-files.txt 2011-03-25 19:14
ComboFix2.txt 2011-03-24 17:57
ComboFix3.txt 2011-03-23 19:47
ComboFix4.txt 2011-03-23 17:10
ComboFix5.txt 2011-03-25 19:03
.
Pre-Run: 19,861,852,160 bytes free
Post-Run: 19,872,595,968 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 5F77D3E82EC762B48E2366BC33B68BFC
-
Re-running ComboFix to remove infections:
- Close any open browsers.
- Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
- Open Notepad and copy/paste the text in the quotebox below into it:
KillAll::
File::
c:\documents and settings\Paul and Jane\Start Menu\Programs\Startup\fgujfsee.exe
C:\fgujfsee.exe
Folder::
C:\Program Files\wadwupun
RegNULL::
[HKEY_USERS\S-1-5-21-2052111302-1614895754-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{142CD2CF-756C-381E-759D-20FC7E2F111E}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abehjcdkbnfajfgdfiiomepmfiljnhooln"=hex:65,62,65,68,63,65,64,6d,64,65,62,62,
63,68,6a,62,6c,63,6e,62,69,65,61,6a,67,66,6c,61,6c,63,68,62,68,65,6a,6a,66,\
"bbehjcdkbnfajfgdfihohincaleghhekpfol"=hex:61,62,64,62,64,6c,69,70,6b,6c,6e,6d,
64,66,6e,6c,6a,6c,70,6d,6f,6a,68,6b,6b,6e,6f,65,66,61,70,69,66,65,00,6a
.
[HKEY_USERS\S-1-5-21-2052111302-1614895754-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8F011243-2BF9-227A-A86C-B3C19DB5E2C4}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iabdoenbheaognkbme"=hex:6a,61,66,6d,68,6f,63,70,6e,62,6b,61,6a,66,6b,65,6a,66,
69,6a,00,00
"halndhddfkcbdame"=hex:6b,61,66,6d,63,6f,6a,6f,67,65,6a,6e,68,66,6d,61,6f,65,
61,69,63,6e,00,00
"iafcfikbniidmfemlf"=hex:63,61,64,6d,6f,6f,00,7c
- Save this as CFScript.txt, in the same location as ComboFix.exe
(http://img19.imageshack.us/img19/5660/cfscriptb4.gif)
- Referring to the picture above, drag CFScript into ComboFix.exe
- When finished, it shall produce a log for you at C:\ComboFix.txt
- Please post the contents of the log in your next reply.
-
Hiya Dave
Just to let you know that I decided to rebuild my PC.
I have wanted to do that for a while now, and the way we were struggling to solve this issue, I thought now was as good a time as any.
I'd just like to say thanks for all your help, and if I have any such issues again, I would not hesitate to ask for your help.
Once again
Thanks
Paul
-
OK Paul. If that is your wish, I will lock this thread. If you need it re-opened, please send me a PM.