Author Topic: Need help - Trojan\Malware problem!!! (Read 28827 times)

Freddex · « **Reply #15 on:** September 26, 2010, 06:59:24 PM »

ComboFix 10-09-25.05 - sey administrator 09/25/2010 19:08:35.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.201 [GMT -4:00]
Running from: c:\documents and settings\sey administrator\Desktop\Commy.exe
Command switches used :: c:\documents and settings\sey administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: PC Tools Firewall Plus *disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Freddex\Application Data\Qyelap
c:\documents and settings\Freddex\Application Data\Qyelap\vegu.exe
c:\documents and settings\sey administrator\Application Data\Apezu
c:\documents and settings\sey administrator\Application Data\Apezu\vivy.exe
c:\documents and settings\sey administrator\Application Data\Asabop
c:\documents and settings\sey administrator\Application Data\Asabop\ykziu.xyl
c:\documents and settings\sey administrator\Application Data\Ekqous
c:\documents and settings\sey administrator\Application Data\Ekqous\oqcob.exe
c:\documents and settings\sey administrator\Application Data\Nave
c:\documents and settings\sey administrator\Application Data\Nave\goic.exe
c:\documents and settings\sey administrator\Application Data\Uzkue
c:\documents and settings\sey administrator\Application Data\Uzkue\fyopi.exe
c:\documents and settings\sey administrator\Application Data\Ywyspo
c:\documents and settings\sey administrator\Application Data\Ywyspo\ofxi.epd
c:\documents and settings\sey administrator\Application Data\Zaub
c:\documents and settings\sey administrator\Application Data\Zaub\apald.exe
c:\documents and settings\sey administrator\Application Data\Zeoguw
c:\documents and settings\sey administrator\Application Data\Zeoguw\inpu.asr
c:\program files\Internet Explorer\complete.dat
c:\program files\Internet Explorer\dmlconf.dat
c:\program files\Microsoft\DesktopLayer.exe
c:\windows\ExplorerSrv.exe

.
((((((((((((((((((((((((( Files Created from 2010-08-25 to 2010-09-25 )))))))))))))))))))))))))))))))
.

2010-09-25 16:09 . 2010-09-25 16:09   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\Ashampoo
2010-09-25 16:07 . 2010-09-25 16:07   --------   d-----w-   c:\documents and settings\sey administrator\Local Settings\Application Data\ashampoo
2010-09-25 16:07 . 2010-09-25 16:07   --------   d-----w-   c:\documents and settings\All Users\Application Data\ashampoo
2010-09-25 16:07 . 2010-09-25 16:07   --------   d-----w-   c:\program files\Ashampoo
2010-09-22 13:02 . 2010-09-25 23:20   --------   d-----w-   c:\program files\temp
2010-09-22 02:15 . 2010-09-25 23:21   41984   ----a-w-   c:\windows\system32\rundll32Srv.exe
2010-09-21 04:26 . 2010-09-21 05:11   --------   d-----w-   C:\Commy
2010-09-20 20:14 . 2010-09-21 23:00   --------   d-----w-   c:\program files\sys231
2010-09-18 06:16 . 2010-09-18 06:16   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\AVG9
2010-09-16 17:03 . 2010-09-16 17:04   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-09-16 05:52 . 2010-09-16 05:52   --------   d-----w-   c:\program files\Trend Micro
2010-09-16 04:44 . 2010-07-17 09:00   423656   ----a-w-   c:\windows\system32\deployJava1.dll
2010-09-15 18:04 . 2010-09-15 18:04   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\Malwarebytes
2010-09-15 18:03 . 2010-04-29 19:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-15 18:03 . 2010-09-15 18:03   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-15 18:02 . 2010-04-29 19:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-09-15 18:02 . 2010-09-15 18:04   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-09-15 04:49 . 2010-09-15 04:49   --------   d-----w-   c:\documents and settings\Freddex\Application Data\PCToolsFirewallPlus
2010-09-14 16:25 . 2010-09-20 20:40   95744   ----a-w-   c:\documents and settings\sey administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-09-14 16:25 . 2010-09-20 20:40   161280   ----a-w-   c:\documents and settings\sey administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-14 16:24 . 2010-09-14 16:24   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-09-14 16:24 . 2010-09-14 16:24   --------   d-----w-   c:\program files\SUPERAntiSpyware
2010-09-14 16:24 . 2010-09-14 16:24   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\SUPERAntiSpyware.com
2010-09-14 16:20 . 2010-09-14 16:20   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2010-09-14 15:58 . 2010-09-14 15:58   --------   d-----w-   c:\program files\CCleaner
2010-09-14 15:45 . 2010-09-14 15:46   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\PCToolsFirewallPlus
2010-09-14 15:41 . 2009-11-23 17:54   88040   ----a-w-   c:\windows\system32\drivers\PCTAppEvent.sys
2010-09-14 15:41 . 2009-11-09 15:20   207792   ----a-w-   c:\windows\system32\drivers\PCTCore.sys
2010-09-14 15:41 . 2010-01-07 16:40   233136   ----a-w-   c:\windows\system32\drivers\pctgntdi.sys
2010-09-14 15:40 . 2010-01-12 13:34   70664   ----a-w-   c:\windows\system32\drivers\pctNdis-PacketFilter.sys
2010-09-14 15:40 . 2010-01-07 15:35   58816   ----a-w-   c:\windows\system32\drivers\pctNdis.sys
2010-09-14 15:40 . 2010-01-07 15:35   32680   ----a-w-   c:\windows\system32\drivers\pctNdis-DNS.sys
2010-09-14 15:40 . 2010-01-13 12:59   115216   ----a-w-   c:\windows\system32\drivers\pctplfw.sys
2010-09-14 15:40 . 2010-09-23 01:11   --------   d-----w-   c:\program files\PC Tools Firewall Plus
2010-09-11 21:36 . 2010-09-11 21:36   --------   d-sh--w-   c:\documents and settings\NetworkService\IETldCache
2010-09-11 21:22 . 2010-09-21 04:01   0   ----a-w-   c:\windows\Tfiko.bin
2010-09-11 21:22 . 2010-09-21 02:45   120   ----a-w-   c:\windows\Qwavifetahefozu.dat
2010-09-11 21:16 . 2010-09-13 17:46   --------   d-----w-   c:\documents and settings\Freddex\Application Data\C48C287A5F27A887A3E6CDBB287BDE57
2010-09-04 18:14 . 2010-09-04 22:37   --------   d-----w-   c:\documents and settings\Freddex\Application Data\FileZilla
2010-09-04 18:13 . 2010-09-16 05:54   --------   d-----w-   c:\program files\Filezilla 3.3.2.1
2010-08-31 00:39 . 2010-08-31 00:39   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\IObit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-25 23:23 . 2008-04-21 16:55   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\Hykapo
2010-09-25 23:22 . 2010-01-05 23:15   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
2010-09-25 23:20 . 2010-01-01 16:11   --------   d-----w-   c:\program files\Microsoft
2010-09-25 22:29 . 2008-12-03 12:31   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\Efpea
2010-09-24 00:22 . 2010-08-18 15:27   --------   d-----w-   c:\documents and settings\Freddex\Application Data\Uwdie
2010-09-23 23:47 . 2009-11-10 22:50   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\Gymu
2010-09-21 05:01 . 2010-02-21 18:58   --------   d-----w-   c:\program files\QuickTime
2010-09-20 20:40 . 2010-03-31 20:32   393216   ----a-w-   c:\documents and settings\sey administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-501e625d-n\msvcr71.dll
2010-09-20 20:40 . 2010-05-28 16:56   393216   ----a-w-   c:\documents and settings\sey administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-367bd4db-n\msvcr71.dll
2010-09-20 20:39 . 2010-08-09 00:56   393216   ----a-w-   c:\documents and settings\sey administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-61f91632-n\msvcr71.dll
2010-09-20 20:30 . 2010-03-23 23:46   393216   ----a-w-   c:\documents and settings\Freddex\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-34777ea4-n\msvcr71.dll
2010-09-20 20:30 . 2010-05-25 23:18   393216   ----a-w-   c:\documents and settings\Freddex\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-47f9ff1d-n\msvcr71.dll
2010-09-20 20:29 . 2010-08-03 02:18   393216   ----a-w-   c:\documents and settings\Freddex\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7c91b2a5-n\msvcr71.dll
2010-09-16 16:29 . 2010-03-23 22:54   --------   d-----w-   c:\program files\DivX
2010-09-16 16:29 . 2010-02-21 21:01   --------   d-----w-   c:\program files\LimeWire Music
2010-09-16 05:54 . 2001-09-19 06:51   --------   d-----w-   c:\program files\Microsoft Works
2010-09-16 04:44 . 2010-03-23 23:42   --------   d-----w-   c:\program files\Java
2010-09-14 15:41 . 2010-01-05 23:15   --------   d-----w-   c:\program files\Common Files\PC Tools
2010-09-14 15:04 . 2010-02-21 21:02   --------   d-----w-   c:\program files\ToggleEN
2010-09-14 14:13 . 2010-05-29 21:46   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\Skype
2010-09-14 14:02 . 2010-09-13 15:55   112   ----a-w-   c:\documents and settings\All Users\Application Data\r5NCJ5GrW.dat
2010-09-11 20:32 . 2010-04-14 21:49   --------   d-----w-   c:\documents and settings\Freddex\Application Data\uTorrent
2010-09-11 16:49 . 2010-07-01 19:46   --------   d-----w-   c:\documents and settings\Freddex\Application Data\LimeWire Music
2010-09-05 14:20 . 2010-01-01 16:20   --------   d-----w-   c:\program files\Microsoft Silverlight
2010-08-31 02:30 . 2010-02-21 21:01   --------   d-----w-   c:\program files\Download_Energy
2010-08-22 07:09 . 2010-04-18 15:57   --------   d-----w-   c:\documents and settings\Freddex\Application Data\Skype
2010-08-14 16:09 . 2010-03-23 22:52   --------   d-----w-   c:\documents and settings\All Users\Application Data\DivX
2010-08-11 13:18 . 2010-01-05 23:50   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-08-09 00:56 . 2010-08-09 00:56   503808   ----a-w-   c:\documents and settings\sey administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-61f91632-n\msvcp71.dll
2010-08-09 00:56 . 2010-08-09 00:56   499712   ----a-w-   c:\documents and settings\sey administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-61f91632-n\jmc.dll
2010-08-09 00:56 . 2010-08-09 00:56   61440   ----a-w-   c:\documents and settings\sey administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1ab01405-n\decora-sse.dll
2010-08-09 00:56 . 2010-08-09 00:56   12800   ----a-w-   c:\documents and settings\sey administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1ab01405-n\decora-d3d.dll
2010-08-03 02:18 . 2010-08-03 02:18   503808   ----a-w-   c:\documents and settings\Freddex\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7c91b2a5-n\msvcp71.dll
2010-08-03 02:18 . 2010-08-03 02:18   499712   ----a-w-   c:\documents and settings\Freddex\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7c91b2a5-n\jmc.dll
2010-08-03 02:18 . 2010-08-03 02:18   61440   ----a-w-   c:\documents and settings\Freddex\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-51d40a07-n\decora-sse.dll
2010-08-03 02:18 . 2010-08-03 02:18   12800   ----a-w-   c:\documents and settings\Freddex\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-51d40a07-n\decora-d3d.dll
2010-07-31 17:45 . 2010-02-21 21:01   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\LimeWire Music
2010-07-16 13:30 . 2010-01-05 23:49   243024   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
2010-07-16 13:30 . 2010-07-16 13:30   12536   ----a-w-   c:\windows\system32\avgrsstx.dll
2010-07-16 13:29 . 2010-01-05 23:49   25168   ----a-w-   c:\windows\system32\drivers\AVGIDSxx.sys
2010-07-16 13:28 . 2010-01-05 23:49   216400   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
.

Code: [Select]

<pre>
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\COMPAQ\Coloreal\coloreal .exe
c:\program files\COMPAQ\Easy Access Button Support\StartEAK .exe
c:\program files\IObit\Advanced SystemCare 3\AWC .exe
c:\program files\Messenger\msmsgs .exe
c:\program files\Microsoft Works\WkDetect .exe
c:\program files\QuickTime\qttask             .exe
c:\program files\Skype\Phone\Skype .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\windows\system32\rundll32 .exe
</pre>

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\program files\sys231 ----

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
"{ad708c09-d51b-45b3-9d28-4eba2681febf}"= "c:\program files\Download_Energy\tbDow1.dll" [2010-09-21 2735200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_CLASSES_ROOT\clsid\{ad708c09-d51b-45b3-9d28-4eba2681febf}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 14:25   2117704   ----a-w-   c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ad708c09-d51b-45b3-9d28-4eba2681febf}]
2010-09-21 03:45   2735200   ----a-w-   c:\program files\Download_Energy\tbDow1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
"{ad708c09-d51b-45b3-9d28-4eba2681febf}"= "c:\program files\Download_Energy\tbDow1.dll" [2010-09-21 2735200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{ad708c09-d51b-45b3-9d28-4eba2681febf}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
"{AD708C09-D51B-45B3-9D28-4EBA2681FEBF}"= "c:\program files\Download_Energy\tbDow1.dll" [2010-09-21 2735200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{ad708c09-d51b-45b3-9d28-4eba2681febf}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr .exe" [2009-07-26 3883856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [N/A]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [N/A]
"{257715E4-3F57-82F0-2A8F-9F44FF99EE07}"="c:\documents and settings\sey administrator\Application Data\Tagui\haeba.exe" [2007-10-05 113664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2001-08-08 143360]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2001-08-08 90112]
"WCOLOREAL"="c:\program files\COMPAQ\Coloreal\coloreal.exe" [N/A]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2000-07-13 311350]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [N/A]
"EPSON Stylus C44 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S09IC1.EXE" [2002-12-25 75776]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2010-01-12 3168216]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Jfarorerewe"="c:\windows\icehiqijoyiqopa.dll" [N/A]

c:\documents and settings\Freddex\Start Menu\Programs\Startup\
awgu.exe [2010-9-25 113664]
booxoc.exe [2010-9-22 106496]
feybuv.exe [2010-9-21 116224]
hoip.exe [2010-9-21 145408]

c:\documents and settings\Guest\Start Menu\Programs\Startup\
ohxieh.exe [2010-9-25 113664]
oxyta.exe [2010-9-22 106496]
poerb.exe [2010-9-25 113664]
ybxuwo.exe [2010-9-21 116224]
ybykl.exe [2010-9-21 145408]
ylreeb.exe [2010-9-23 109568]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
ewgy.exe [2010-9-21 145408]
heopy.exe [2010-9-22 106496]
higi.exe [2010-9-23 109568]
kiqeow.exe [2010-9-25 113664]
tezie.exe [2010-9-25 113664]
xuwi.exe [2010-9-21 116224]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2010-09-21 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-16 13:30   12536   ----a-w-   c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\LimeWire Music\\LimeWire Music.exe"=
"c:\\Program Files\\WinMX\\WinMX.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [1/5/2010 7:49 PM 25168]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [1/5/2010 7:49 PM 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/5/2010 7:49 PM 216400]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/5/2010 7:49 PM 243024]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [9/14/2010 11:41 AM 233136]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [7/16/2010 9:28 AM 921952]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/16/2010 9:29 AM 308136]
R2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [7/16/2010 9:28 AM 2331032]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [9/14/2010 11:41 AM 88040]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [1/5/2010 7:15 PM 583640]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [1/5/2010 7:48 PM 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [1/5/2010 7:49 PM 122448]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [1/5/2010 7:48 PM 30288]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [1/5/2010 7:48 PM 26192]
R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [9/14/2010 11:40 AM 70664]
R3 pctNDIS;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [9/14/2010 11:40 AM 58816]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [9/14/2010 11:40 AM 115216]
R3 SUNPLUS;SightCAM PC-100p;c:\windows\system32\drivers\spixnew.sys [1/21/2010 6:10 PM 95528]
S1 EACMOS;EACMOS;c:\windows\system32\drivers\EACMOS.SYS --> c:\windows\system32\drivers\EACMOS.SYS [?]
S2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [7/16/2010 9:29 AM 5897808]
S2 gupdate1cacadbef3afef0;Google Update Service (gupdate1cacadbef3afef0);c:\program files\Google\Update\GoogleUpdate.exe [3/23/2010 6:55 PM 133104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [1/5/2010 7:48 PM 30104]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
.
Contents of the 'Scheduled Tasks' folder

2010-09-25 c:\windows\Tasks\AWC AutoSweep.job
- c:\program files\IObit\Advanced SystemCare 3\AutoSweep.exe [2010-04-14 18:11]

2010-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-23 22:54]

2010-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-23 22:54]

2004-09-01 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-09-20 07:56]

2004-09-01 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-09-20 07:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\sey administrator\Application Data\Mozilla\Firefox\Profiles\3mmgr645.default\
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-25 19:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ACTIVEX_REPURPOSEDETECTION]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000001
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_IMG]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000001
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000001
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000001
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
@DACL=(02 0000)
"sllauncher.exe"=dword:00001f40

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_Cross_Domain_Redirect_Mitigation]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_LEGACY_COMPRESSION]
@DACL=(02 0000)
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_SQM_UPLOAD_FOR_APP]
@DACL=(02 0000)
"ieuser.exe"=dword:00000001
"iexplore.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_TELNET_PROTOCOL]
@DACL=(02 0000)
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK]
@DACL=(02 0000)
"YahooMusicEngine.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_SCRIPT_PASTE_URLACTION_IF_PROMPT]
@DACL=(02 0000)
"devenv.exe"=dword:00000001
"dexplore.exe"=dword:00000001
"helppane.exe"=dword:00000001
"sllauncher.exe"=dword:00000000
"PresentationHost.exe"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_FEEDS]
@DACL=(02 0000)
"msfeedssync.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_FORCE_ADDR_AND_STATUS]
@DACL=(02 0000)
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_XML_PROLOG]
@DACL=(02 0000)
"msiexec.exe"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IMAGING_USE_ART]
@DACL=(02 0000)
@=""
"waol.exe"=dword:00000001
"cs.exe"=dword:00000001
"wm.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INTERNET_SHELL_FOLDERS]
@DACL=(02 0000)
"iexplore.exe"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS]
@DACL=(02 0000)
"helppane.exe"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DLCONTROL_BEHAVIORS]
@DACL=(02 0000)
"wlmail.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000006
"explorer.exe"=dword:00000004

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000006
"explorer.exe"=dword:00000002

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME]
@DACL=(02 0000)
"mshta.exe"=dword:00000001
"outlook.exe"=dword:00000001
"sidebar.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RELEASE_CALLBACK_ON_STOP_BINDING]
@DACL=(02 0000)
"communicator.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ABOUT_PROTOCOL_IE7]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000001
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD]
@DACL=(02 0000)
"wlmail.exe"=dword:00000001
"msimn.exe"=dword:00000001
"winmail.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_OBJECT_DATA_ATTRIBUTE]
@DACL=(02 0000)
"WindowsLiveWriter.exe"=dword:00000001
"sllauncher.exe"=dword:00000001
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_RES_TO_LMZ]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000001
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_APP_PROTOCOL_WARN_DIALOG]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000001
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SSLUX]
@DACL=(02 0000)
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SUBDOWNLOAD_LOCKDOWN]
@DACL=(02 0000)
"wlmail.exe"=dword:00000001
"msimn.exe"=dword:00000001
"outlook.exe"=dword:00000001
"winmail.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_WINDOWEDSELECTCONTROL]
@DACL=(02 0000)
"excel.exe"=dword:00000001
"infopath.exe"=dword:00000001
"powerpnt.exe"=dword:00000001
"winword.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VIEWLINKEDWEBOC_IS_UNSAFE]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_MOVESIZECHILD]
@DACL=(02 0000)
"msn.exe"=dword:00000001
"msn6.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER]
@DACL=(02 0000)
"iexplore.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
@=""
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
@=""
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
@=""
"Installed"="1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\NdisWanIp]
@DACL=(02 0000)
"LLInterface"="WANARP"
"IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{E2E03A56-F650-49AD-9458-84AC5A26824B}\00Tcpip\\Parameters\\Interfaces\\{9D1E836B-DDA1-48F1-825D-3BE14B2C290C}\00Tcpip\\Parameters\\Interfaces\\{9215A54E-3EAA-4DC2-8EFE-4731C26E1349}\00Tcpip\\Parameters\\Interfaces\\{6F8E307F-9A7C-408A-AFAF-3615FCFA4CEF}\00\00"
"NumInterfaces"=dword:00000004
"IpInterfaces"=hex:56,3a,e0,e2,50,f6,ad,49,94,58,84,ac,5a,26,82,4b,6b,83,1e,9d,
a1,dd,f1,48,82,5d,3b,e1,4b,2c,29,0c,4e,a5,15,92,aa,3e,c2,4d,8e,fe,47,31,c2,\

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\{6DE38E76-6721-44BE-B4B6-A8A60FA66767}]
@DACL=(02 0000)
"LLInterface"=""
"IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{6DE38E76-6721-44BE-B4B6-A8A60FA66767}\00\00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\{B006CFFA-964A-4BFA-84AB-6CB924F4DB19}]
@DACL=(02 0000)
"LLInterface"=""
"IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{B006CFFA-964A-4BFA-84AB-6CB924F4DB19}\00\00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0AA05CFB-0DDF-48E4-ABE8-1E78BE894167}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{2F865EAA-DF52-4F83-B627-C01FA56AB1B5}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{6F8E307F-9A7C-408A-AFAF-3615FCFA4CEF}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000
"NTEContextList"=multi:"\00"
"DhcpClassIdBin"=hex:
"DhcpIPAddress"="0.0.0.0"
"DhcpSubnetMask"="0.0.0.0"
"Domain"=""
"NameServer"=""
"RegistrationEnabled"=dword:00000000
"RegisterAdapterName"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{8E76D28B-D819-435F-9D94-8F0EC4038520}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{9215A54E-3EAA-4DC2-8EFE-4731C26E1349}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{93DFA675-845C-4FB9-B057-A889D11F364B}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{9D1E836B-DDA1-48F1-825D-3BE14B2C290C}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000
"NTEContextList"=multi:"\00"
"DhcpIPAddress"="0.0.0.0"
"DhcpSubnetMask"="0.0.0.0"
"Domain"=""
"NameServer"=""
"RegistrationEnabled"=dword:00000000
"DhcpClassIdBin"=hex:
"RegisterAdapterName"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{B006CFFA-964A-4BFA-84AB-6CB924F4DB19}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"DefaultGatewayMetric"=multi:"\00"
"NameServer"=""
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=multi:"0\00\00"
"UDPAllowedPorts"=multi:"0\00\00"
"RawIPAllowedProtocols"=multi:"0\00\00"
"NTEContextList"=multi:"0x00000003\00\00"
"DhcpClassIdBin"=hex:

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E2E03A56-F650-49AD-9458-84AC5A26824B}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F2661AF6-B3C2-4CB3-BEF6-D0571C34617B}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{FF2BE8C5-F6C8-4DEE-9C06-8F61850569D8}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1048)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(372)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\PC Tools Firewall Plus\FWService.exe
c:\windows\system32\pctspk.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2010-09-25 19:32:24 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-25 23:32
ComboFix2.txt 2010-09-21 05:11

Pre-Run: 10,927,222,784 bytes free
Post-Run: 10,850,975,744 bytes free

- - End Of File - - BD2FB4A02323E305A69335F83A396B9E

Freddex · « **Reply #16 on:** September 26, 2010, 07:02:10 PM »

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:      2010/09/25 20:00
Program Version:      Version 1.3.5.0
Windows Version:      Windows XP SP2
==================================================

Drivers
-------------------
Name: catchme.sys
Image Path: C:\DOCUME~1\SEYADM~1\LOCALS~1\Temp\catchme.sys
Address: 0xF8A77000   Size: 31744   File Visible: No   Signed: -
Status: -

Name: Combo-Fix.sys
Image Path: Combo-Fix.sys
Address: 0xF87D7000   Size: 60416   File Visible: No   Signed: -
Status: -

Name: mbr.sys
Image Path: C:\DOCUME~1\SEYADM~1\LOCALS~1\Temp\mbr.sys
Address: 0xF8B17000   Size: 20864   File Visible: No   Signed: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xF8CCB000   Size: 7872   File Visible: No   Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF21D3000   Size: 49152   File Visible: No   Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\sey administrator\application data\pctoolsfirewallplus\firewallgui.txt
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\sey administrator\application data\pctoolsfirewallplus\firewallguisdk.txt
Status: Allocation size mismatch (API: 8, Raw: 0)

Path: c:\documents and settings\sey administrator\application data\pctoolsfirewallplus\ppmanager.txt
Status: Allocation size mismatch (API: 8, Raw: 0)

Path: c:\documents and settings\all users\application data\avg9\chjw\62304ee7304ec1b1\c1a687a6-b436-41bd-bf6f-ebbf197841a6
Status: Allocation size mismatch (API: 328, Raw: 0)

Path: c:\documents and settings\all users\application data\avg9\chjw\62304ee7304ec1b1\aa7872c6-b321-4c3a-afdf-93e1686ccadf
Status: Allocation size mismatch (API: 424, Raw: 0)

SSDT
-------------------
#: 017   Function Name: NtAllocateVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf2d06752

#: 019   Function Name: NtAssignProcessToJobObject
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf2d06440

#: 031   Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf2d06482

#: 037   Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf2d06530

#: 047   Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf2d06dd8

#: 048   Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf2d06e64

#: 053   Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf2d06ef4

#: 057   Function Name: NtDebugActiveProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf2d06580

#: 068   Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf2d065c2

#: 097   Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf2d06606

#: 119   Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf2d06648

#: 122   Function Name: NtOpenProcess
Status: Hooked by "C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys" at address 0xf8303670

#: 125   Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf2d0668a

#: 128   Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf2d066cc

#: 137   Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf2d0679a

#: 200   Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf2d0670e

#: 204   Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf2d067dc

#: 206   Function Name: NtResumeThread
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf2d06824

#: 210   Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf2d068b4

#: 247   Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf2d06866

#: 253   Function Name: NtSuspendProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf2d06958

#: 255   Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf2d0699a

#: 257   Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf2d069dc

#: 258   Function Name: NtTerminateThread
Status: Hooked by "C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys" at address 0xf83037c0

#: 277   Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf2d06a2a

Shadow SSDT
-------------------
#: 307   Function Name: NtUserAttachThreadInput
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf2d06a6c

#: 323   Function Name: NtUserCallOneParam
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf2d06ab4

#: 383   Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf2d06af8

#: 414   Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys" at address 0xf8302b20

#: 416   Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf2d06b3c

#: 460   Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf2d06b80

#: 475   Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf2d06bd8

#: 476   Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf2d06c30

#: 491   Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf2d06c88

#: 549   Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf2d06d1e

#: 552   Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\system32\drivers\PCTAppEvent.sys" at address 0xf2d06cd0

==EOF==

Freddex · « **Reply #17 on:** September 26, 2010, 07:05:13 PM »

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 2)
Number of processors #1
==============================================
>SSDT State
==============================================
ntoskrnl.exe-->NtAllocateVirtualMemory, Type: Address change 0x80568024-->F2D06752 [C:\WINDOWS\system32\drivers\PCTAppEvent.sys]
ntoskrnl.exe-->NtAssignProcessToJobObject, Type: Address change 0x805A34A9-->F2D06440 [C:\WINDOWS\system32\drivers\PCTAppEvent.sys]
ntoskrnl.exe-->NtConnectPort, Type: Address change 0x8058BBA7-->F2D06482 [C:\WINDOWS\system32\drivers\PCTAppEvent.sys]
ntoskrnl.exe-->NtCreateFile, Type: Address change 0x8056FE58-->F2D06530 [C:\WINDOWS\system32\drivers\PCTAppEvent.sys]
ntoskrnl.exe-->NtCreateProcess, Type: Address change 0x805B246F-->F2D06DD8 [C:\WINDOWS\system32\drivers\PCTAppEvent.sys]
ntoskrnl.exe-->NtCreateProcessEx, Type: Address change 0x805820F6-->F2D06E64 [C:\WINDOWS\system32\drivers\PCTAppEvent.sys]
ntoskrnl.exe-->NtCreateThread, Type: Address change 0x8057C713-->F2D06EF4 [C:\WINDOWS\system32\drivers\PCTAppEvent.sys]
ntoskrnl.exe-->NtDebugActiveProcess, Type: Address change 0x8065975D-->F2D06580 [C:\WINDOWS\system32\drivers\PCTAppEvent.sys]
ntoskrnl.exe-->NtDuplicateObject, Type: Address change 0x80572D8E-->F2D065C2 [C:\WINDOWS\system32\drivers\PCTAppEvent.sys]
ntoskrnl.exe-->NtLoadDriver, Type: Address change 0x805A5972-->F2D06606 [C:\WINDOWS\system32\drivers\PCTAppEvent.sys]
ntoskrnl.exe-->NtOpenKey, Type: Address change 0x80567D6A-->F2D06648 [C:\WINDOWS\system32\drivers\PCTAppEvent.sys]
ntoskrnl.exe-->NtOpenProcess, Type: Address change 0x80572F6E-->F8303670 [C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys]
ntoskrnl.exe-->NtOpenSection, Type: Address change 0x80576973-->F2D0668A [C:\WINDOWS\system32\drivers\PCTAppEvent.sys]
ntoskrnl.exe-->NtOpenThread, Type: Address change 0x8058FCDD-->F2D066CC [C:\WINDOWS\system32\drivers\PCTAppEvent.sys]
ntoskrnl.exe-->NtProtectVirtualMemory, Type: Address change 0x8057331D-->F2D0679A [C:\WINDOWS\system32\drivers\PCTAppEvent.sys]
ntoskrnl.exe-->NtRequestWaitReplyPort, Type: Address change 0x80576192-->F2D0670E [C:\WINDOWS\system32\drivers\PCTAppEvent.sys]
ntoskrnl.exe-->NtRestoreKey, Type: Address change 0x8064C488-->F2D067DC [C:\WINDOWS\system32\drivers\PCTAppEvent.sys]
ntoskrnl.exe-->NtResumeThread, Type: Address change 0x8057CD86-->F2D06824 [C:\WINDOWS\system32\drivers\PCTAppEvent.sys]
ntoskrnl.exe-->NtSecureConnectPort, Type: Address change 0x8057EC62-->F2D068B4 [C:\WINDOWS\system32\drivers\PCTAppEvent.sys]
ntoskrnl.exe-->NtSetValueKey, Type: Address change 0x80573EF5-->F2D06866 [C:\WINDOWS\system32\drivers\PCTAppEvent.sys]
ntoskrnl.exe-->NtSuspendProcess, Type: Address change 0x8062E3DD-->F2D06958 [C:\WINDOWS\system32\drivers\PCTAppEvent.sys]
ntoskrnl.exe-->NtSystemDebugControl, Type: Address change 0x806487DF-->F2D0699A [C:\WINDOWS\system32\drivers\PCTAppEvent.sys]
ntoskrnl.exe-->NtTerminateProcess, Type: Address change 0x805849B4-->F2D069DC [C:\WINDOWS\system32\drivers\PCTAppEvent.sys]
ntoskrnl.exe-->NtTerminateThread, Type: Address change 0x8057BE2C-->F83037C0 [C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys]
ntoskrnl.exe-->NtWriteVirtualMemory, Type: Address change 0x8057A8FF-->F2D06A2A [C:\WINDOWS\system32\drivers\PCTAppEvent.sys]
==============================================
>Shadow
==============================================
win32k.sys-->NtUserAttachThreadInput, Type: Address change 0xBF8F5689-->F2D06A6C [C:\WINDOWS\system32\drivers\PCTAppEvent.sys]
win32k.sys-->NtUserCallOneParam, Type: Address change 0xBF8010EF-->F2D06AB4 [C:\WINDOWS\system32\drivers\PCTAppEvent.sys]
win32k.sys-->NtUserGetAsyncKeyState, Type: Address change 0xBF8670A0-->F2D06AF8 [C:\WINDOWS\system32\drivers\PCTAppEvent.sys]
win32k.sys-->NtUserGetKeyboardState, Type: Address change 0xBF8BA1A0-->F8302B20 [C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys]
win32k.sys-->NtUserGetKeyState, Type: Address change 0xBF81C962-->F2D06B3C [C:\WINDOWS\system32\drivers\PCTAppEvent.sys]
win32k.sys-->NtUserMessageCall, Type: Address change 0xBF80F06A-->F2D06B80 [C:\WINDOWS\system32\drivers\PCTAppEvent.sys]
win32k.sys-->NtUserPostMessage, Type: Address change 0xBF80851A-->F2D06BD8 [C:\WINDOWS\system32\drivers\PCTAppEvent.sys]
win32k.sys-->NtUserPostThreadMessage, Type: Address change 0xBF8716EB-->F2D06C30 [C:\WINDOWS\system32\drivers\PCTAppEvent.sys]
win32k.sys-->NtUserRegisterRawInputDevices, Type: Address change 0xBF916778-->F2D06C88 [C:\WINDOWS\system32\drivers\PCTAppEvent.sys]
win32k.sys-->NtUserSetWindowsHookEx, Type: Address change 0xBF8BA260-->F2D06D1E [C:\WINDOWS\system32\drivers\PCTAppEvent.sys]
win32k.sys-->NtUserSetWinEventHook, Type: Address change 0xBF8F9A43-->F2D06CD0 [C:\WINDOWS\system32\drivers\PCTAppEvent.sys]
==============================================
>Processes
==============================================
0x82FCA7C0 [4] System
0x829E6DA0 [260] C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe (PC Tools, StartMan Application)
0x82A38DA0 [288] C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation, Internet Explorer)
0x82AAF588 [356] C:\WINDOWS\system32\pctspk.exe (PCtel, Inc., PCTSPK.EXE)
0x82D5E398 [372] C:\WINDOWS\explorer.exe (Microsoft Corporation, Windows Explorer)
0x82A7F020 [380] C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation, Microsoft SeaPort Search Enhancement Broker)
0x82A804A0 [512] C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc., AutoUpater Service Module)
0x82CB1B18 [904] C:\WINDOWS\system32\smss.exe (Microsoft Corporation, Windows NT Session Manager)
0x82ADB990 [964] C:\Program Files\AVG\AVG9\avgwdsvc.exe (AVG Technologies CZ, s.r.o., AVG Watchdog Service)
0x82AD7580 [980] C:\Program Files\AVG\AVG9\avgfws9.exe (AVG Technologies CZ, s.r.o., AVG Firewall Service)
0x82A9B990 [1008] C:\Program Files\AVG\AVG9\avgemc.exe (AVG Technologies CZ, s.r.o., AVG E-Mail Scanner)
0x82D68DA0 [1024] C:\WINDOWS\system32\csrss.exe (Microsoft Corporation, Client Server Runtime Process)
0x82C947E0 [1048] C:\WINDOWS\system32\winlogon.exe (Microsoft Corporation, Windows NT Logon Application)
0x82F3EA20 [1092] C:\WINDOWS\system32\services.exe (Microsoft Corporation, Services and Controller app)
0x82D09698 [1104] C:\WINDOWS\system32\lsass.exe (Microsoft Corporation, LSA Shell (Export Version))
0x82C97530 [1264] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x82DB6468 [1324] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x82EC1BC0 [1448] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x82E09778 [1508] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x82B19DA0 [1580] C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc., Java(TM) Quick Starter Service)
0x82F49648 [1592] C:\Program Files\AVG\AVG9\avgchsvx.exe (AVG Technologies CZ, s.r.o., AVG Cache Server)
0x82D6D800 [1600] C:\Program Files\AVG\AVG9\avgrsx.exe (AVG Technologies CZ, s.r.o., AVG Resident Shield Service)
0x829DF020 [1808] C:\Program Files\PC Tools Firewall Plus\FWService.exe (PC Tools, PC Tools Firewall Plus service)
0x82DB4418 [1856] C:\Program Files\AVG\AVG9\avgcsrvx.exe (AVG Technologies CZ, s.r.o., AVG Scanning Core Module - Server Part)
0x82D3B788 [1944] C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation, Spooler SubSystem App)
0x82978DA0 [2252] C:\Program Files\AVG\AVG9\avgnsx.exe (AVG Technologies CZ, s.r.o., AVG Network scanner Service)
0x82909700 [2748] C:\Program Files\AVG\AVG9\avgcsrvx.exe (AVG Technologies CZ, s.r.o., AVG Scanning Core Module - Server Part)
0x82A69580 [3336] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation, hkcmd Module)
0x8290BDA0 [3412] C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S09IC1.EXE (SEIKO EPSON CORPORATION, EPSON Status Monitor 3)
0x82A69A80 [3460] C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe (PC Tools, PC Tools Firewall GUI)
0x82F08990 [3524] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc., Java(TM) Update Scheduler)
0x82A6E998 [3624] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation, CTF Loader)
0x8294B788 [3688] C:\WINDOWS\system32\wuauclt.exe (Microsoft Corporation, Windows Update)
0x82A7E5B0 [3788] C:\WINDOWS\system32\alg.exe (Microsoft Corporation, Application Layer Gateway Service)
0x828AAC70 [4320] C:\Documents and Settings\sey administrator\Desktop\RkU3.8.388.590\MustBeRandomlyNamed\f2o4rDaewo.exe (UG North, RKULE, SR2 Normandy)
==============================================
>Drivers
==============================================
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2181376 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2181376 bytes
0x804D7000 RAW 2181376 bytes
0x804D7000 WMIxWDM 2181376 bytes
0xBF800000 Win32k 1851392 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1851392 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xBF012000 C:\WINDOWS\System32\i81xdnt5.dll 704512 bytes (Intel(R) Corporation, Controller Hub for Intel Graphics Driver)
0xF84E8000 vmodem.sys 606208 bytes (PCTEL, INC., HSP Modem Modem Device Driver)
0xF860B000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xF3466000 C:\WINDOWS\System32\DRIVERS\mrxsmb.sys 454656 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF857C000 vpctcom.sys 401408 bytes (PCtel, Inc., HSP Modem Virtual Control Device)
0xF36DC000 C:\WINDOWS\System32\DRIVERS\tcpip.sys 360448 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xF25A5000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF3643000 C:\WINDOWS\System32\Drivers\avgtdix.sys 237568 bytes (AVG Technologies CZ, s.r.o., AVG Network connection watcher)
0xF36A5000 C:\WINDOWS\system32\drivers\pctgntdi.sys 225280 bytes (PC Tools, PC Tools Generic TDI Driver)
0xF340A000 C:\WINDOWS\System32\Drivers\avgldx86.sys 212992 bytes (AVG Technologies CZ, s.r.o., AVG AVI Loader Driver)
0xF7FB4000 C:\WINDOWS\System32\DRIVERS\update.sys 212992 bytes (Microsoft Corporation, Update Driver)
0xF8728000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xF85DE000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xF34D5000 C:\WINDOWS\System32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xF1DA9000 C:\WINDOWS\system32\drivers\kmixer.sys 172032 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xF3007000 C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys 163840 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Driver.)
0xF3543000 C:\WINDOWS\System32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF845E000 C:\WINDOWS\System32\DRIVERS\i81xnt5.sys 159744 bytes (Intel(R) Corporation, Miniport Driver for Intel Graphics Driver)
0xF8398000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF33E7000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 143360 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xF83D4000 C:\WINDOWS\System32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xF8427000 C:\WINDOWS\System32\DRIVERS\USBPORT.SYS 143360 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF3521000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xF3622000 C:\WINDOWS\System32\DRIVERS\ipnat.sys 135168 bytes (Microsoft Corporation, IP Network Address Translator)
0xF3500000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS 135168 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
0x806EC000 ACPI_HAL 131968 bytes
0x806EC000 C:\WINDOWS\system32\hal.dll 131968 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF86C1000 fltmgr.sys 126976 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF86F8000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF840B000 C:\WINDOWS\System32\DRIVERS\ptserlp.sys 114688 bytes (PCTEL, INC., HSP Modem Serial Device Driver for NT 5.0)
0xF84CD000 Mup.sys 110592 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF2A10000 C:\WINDOWS\system32\drivers\pctplfw.sys 110592 bytes (PC Tools, PC Tools FW Plugin Driver)
0xF83BC000 C:\WINDOWS\system32\drivers\ac97intc.sys 98304 bytes (Intel Corporation, Intel(r) Integrated Controller Hub Audio Driver)
0xF86E0000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xF8698000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF8381000 C:\WINDOWS\System32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xF360B000 C:\WINDOWS\System32\Drivers\SPIXNEW.SYS 94208 bytes (Sunplus Technology Co. LTD., SPCA508A Camera Driver )
0xF2983000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF83F7000 C:\WINDOWS\System32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF2CFB000 C:\WINDOWS\system32\drivers\PCTAppEvent.sys 81920 bytes (PC Tools, PC Tools App Monitor Driver)
0xF844A000 C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xF3734000 C:\WINDOWS\System32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF86AF000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF8717000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF82B0000 C:\WINDOWS\System32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF2E8F000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF2C7B000 C:\WINDOWS\system32\drivers\pctNdis-PacketFilter.sys 65536 bytes (PC Tools, PC Tools NDIS - Packet Filter)
0xF89C7000 C:\WINDOWS\System32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF87C7000 vvoice.sys 65536 bytes (PCtel, Inc., HSP Modem device driver)
0xF87D7000 Combo-Fix.sys 61440 bytes
0xF8837000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF89E7000 C:\WINDOWS\System32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xF2B4B000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF88E7000 C:\WINDOWS\System32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF89D7000 C:\WINDOWS\System32\DRIVERS\cdrom.sys 53248 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF87B7000 C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF89B7000 C:\WINDOWS\System32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF88A7000 C:\WINDOWS\system32\DRIVERS\pctNdis.sys 53248 bytes (PC Tools, PC Tools NDIS Driver)
0xF8857000 C:\WINDOWS\System32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF8797000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF87E7000 avgrkx86.sys 49152 bytes (AVG Technologies CZ, s.r.o., AVG Anti-Rootkit Driver)
0xF359B000 C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys 49152 bytes (Microsoft Corporation, Family Safety Filter Driver (TDI))
0xF8877000 C:\WINDOWS\System32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF8917000 C:\WINDOWS\System32\Drivers\STREAM.SYS 49152 bytes (Microsoft Corporation, WDM CODEC Class Device Driver 2.0)
0xF8827000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF8787000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF8847000 C:\WINDOWS\System32\DRIVERS\p3.sys 45056 bytes (Microsoft Corporation, Processor Device Driver)
0xF8867000 C:\WINDOWS\System32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF8977000 C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys 40960 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Filter Driver.)
0xF8301000 C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys 40960 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Loader Driver.)
0xF88D7000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF8897000 C:\WINDOWS\System32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF87F7000 AVGIDSxx.sys 36864 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Helper Driver.)
0xF87A7000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF8947000 C:\WINDOWS\System32\Drivers\Fips.SYS 36864 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF8957000 C:\WINDOWS\System32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF8777000 isapnp.sys 36864 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF8887000 C:\WINDOWS\System32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF8927000 C:\WINDOWS\System32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xF2A4B000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF8907000 C:\WINDOWS\System32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF8A77000 C:\DOCUME~1\SEYADM~1\LOCALS~1\Temp\catchme.sys 32768 bytes
0xF8AC7000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xF8B7F000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF8A17000 C:\WINDOWS\System32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xF8AF7000 C:\WINDOWS\system32\DRIVERS\avgfwdx.sys 28672 bytes (AVG Technologies CZ, s.r.o., AVG Firewall intermediate miniport driver)
0xF8AE7000 C:\WINDOWS\System32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF8B67000 C:\WINDOWS\System32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF89F7000 C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF8A2F000 C:\WINDOWS\System32\Drivers\avgmfx86.sys 24576 bytes (AVG Technologies CZ, s.r.o., AVG Resident Shield Minifilter Driver)
0xF8ADF000 C:\WINDOWS\System32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF8B17000 C:\DOCUME~1\SEYADM~1\LOCALS~1\Temp\mbr.sys 24576 bytes
0xF8AD7000 C:\WINDOWS\System32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF8ACF000 C:\WINDOWS\System32\DRIVERS\RTL8139.SYS 24576 bytes (Realtek Semiconductor Corporation, Realtek RTL8139 NDIS 5.0 Driver)
0xF8A1F000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 24576 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS)
0xF8B6F000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF8B57000 C:\WINDOWS\System32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xF8B77000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF89FF000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF8B07000 C:\WINDOWS\System32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF8B0F000 C:\WINDOWS\System32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xF8AFF000 C:\WINDOWS\System32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF8ABF000 C:\WINDOWS\System32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0xF8AEF000 C:\WINDOWS\System32\DRIVERS\usbuhci.sys 20480 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF8A3F000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF82A0000 C:\WINDOWS\System32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF8C5F000 C:\WINDOWS\System32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xF3293000 C:\WINDOWS\System32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF8C3F000 C:\WINDOWS\System32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF8B87000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF3F10000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF82A4000 C:\WINDOWS\System32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xF8C4B000 C:\WINDOWS\System32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF8C13000 C:\WINDOWS\System32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF82AC000 C:\WINDOWS\System32\drivers\ws2ifsl.sys 12288 bytes (Microsoft Corporation, Winsock2 IFS Layer)
0xF8CA1000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF8C9F000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF8C7B000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xF8C77000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF8CA3000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF8CEF000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF8CCB000 C:\WINDOWS\system32\Drivers\PROCEXP113.SYS 8192 bytes
0xF8CA5000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF8C9B000 C:\WINDOWS\System32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF8C9D000 C:\WINDOWS\System32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF8C79000 C:\WINDOWS\System32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF8DEC000 C:\WINDOWS\System32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF8D78000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF8D49000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
==============================================
>Stealth
==============================================
==============================================
>Files
==============================================
!-->[Hidden] C:\System Volume Information\_restore{E759405A-2405-40DD-8B5A-1C3C5A4575E4}\RP11\A0034198.exe
!-->[Hidden] C:\System Volume Information\_restore{E759405A-2405-40DD-8B5A-1C3C5A4575E4}\RP11\A0034199.exe
!-->[Hidden] C:\System Volume Information\_restore{E759405A-2405-40DD-8B5A-1C3C5A4575E4}\RP11\A0034200.dll
!-->[Hidden] C:\System Volume Information\_restore{E759405A-2405-40DD-8B5A-1C3C5A4575E4}\RP11\A0034201.dll
!-->[Hidden] C:\System Volume Information\_restore{E759405A-2405-40DD-8B5A-1C3C5A4575E4}\RP11\A0034202.exe
!-->[Hidden] C:\System Volume Information\_restore{E759405A-2405-40DD-8B5A-1C3C5A4575E4}\RP11\A0034203.exe
==============================================
>Hooks
==============================================
ntoskrnl.exe+0x00004AA2, Type: Inline - RelativeJump 0x804DBAA2-->804DBAA9 [ntoskrnl.exe]
ntoskrnl.exe+0x0000B7C8, Type: Inline - PushRet 0x804E27C8-->82F2D065 [unknown_code_page]
ntoskrnl.exe+0x0000B8A0, Type: Inline - RelativeJump 0x804E28A0-->804E28DC [ntoskrnl.exe]
[288]iexplore.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[288]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77DD1214-->00000000 [aclayers.dll]
[288]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77DD105C-->00000000 [aclayers.dll]
[288]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77DD11E0-->00000000 [aclayers.dll]
[288]iexplore.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[288]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77F11084-->00000000 [aclayers.dll]
[288]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77F11078-->00000000 [aclayers.dll]
[288]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77F110B8-->00000000 [aclayers.dll]
[288]iexplore.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x0040106C-->00000000 [shimeng.dll]
[288]iexplore.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x00401098-->00000000 [aclayers.dll]
[288]iexplore.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x004010E8-->00000000 [aclayers.dll]
[288]iexplore.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x004010C0-->00000000 [aclayers.dll]
[288]iexplore.exe-->mswsock.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71A51178-->00000000 [shimeng.dll]
[288]iexplore.exe-->mswsock.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x71A51184-->00000000 [aclayers.dll]
[288]iexplore.exe-->mswsock.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x71A511A0-->00000000 [aclayers.dll]
[288]iexplore.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A8-->00000000 [shimeng.dll]
[288]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7C9C13EC-->00000000 [aclayers.dll]
[288]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExA, Type: IAT modification 0x7C9C163C-->00000000 [aclayers.dll]
[288]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7C9C161C-->00000000 [aclayers.dll]
[288]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7C9C15A4-->00000000 [aclayers.dll]
[288]iexplore.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77D4128C-->00000000 [shimeng.dll]
[288]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77D41248-->00000000 [aclayers.dll]
[288]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77D41158-->00000000 [aclayers.dll]
[288]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77D41290-->00000000 [aclayers.dll]
[288]iexplore.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB115C-->00000000 [shimeng.dll]
[288]iexplore.exe-->ws2_32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x71AB1168-->00000000 [aclayers.dll]
[3336]hkcmd.exe-->kernel32.dll-->GetFileAttributesExW, Type: Inline - RelativeJump 0x7C811105-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C915CBB-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->ntdll.dll-->NtCreateThread, Type: Inline - RelativeJump 0x7C90D1AE-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->user32.dll-->BeginPaint, Type: Inline - RelativeJump 0x77D4B4B1-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->user32.dll-->CallWindowProcA, Type: Inline - RelativeJump 0x77D4E34B-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->user32.dll-->CallWindowProcW, Type: Inline - RelativeJump 0x77D4C019-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->user32.dll-->DefDlgProcA, Type: Inline - RelativeJump 0x77D5759D-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->user32.dll-->DefDlgProcW, Type: Inline - RelativeJump 0x77D54CFA-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->user32.dll-->DefFrameProcA, Type: Inline - RelativeJump 0x77D7F685-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->user32.dll-->DefFrameProcW, Type: Inline - RelativeJump 0x77D6430C-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->user32.dll-->DefMDIChildProcA, Type: Inline - RelativeJump 0x77D7F6D4-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->user32.dll-->DefMDIChildProcW, Type: Inline - RelativeJump 0x77D64520-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->user32.dll-->DefWindowProcA, Type: Inline - RelativeJump 0x77D4DF6B-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->user32.dll-->DefWindowProcW, Type: Inline - RelativeJump 0x77D4B1E5-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->user32.dll-->EndPaint, Type: Inline - RelativeJump 0x77D4B4C5-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->user32.dll-->GetCapture, Type: Inline - RelativeJump 0x77D494FF-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->user32.dll-->GetClipboardData, Type: Inline - RelativeJump 0x77D6FCB2-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->user32.dll-->GetCursorPos, Type: Inline - RelativeJump 0x77D4C566-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->user32.dll-->GetDC, Type: Inline - RelativeJump 0x77D48697-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->user32.dll-->GetDCEx, Type: Inline - RelativeJump 0x77D4F21D-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->user32.dll-->GetMessageA, Type: Inline - RelativeJump 0x77D6EA45-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->user32.dll-->GetMessagePos, Type: Inline - RelativeJump 0x77D4C6E4-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->user32.dll-->GetMessageW, Type: Inline - RelativeJump 0x77D491A3-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->user32.dll-->GetUpdateRect, Type: Inline - RelativeJump 0x77D4BCEC-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->user32.dll-->GetUpdateRgn, Type: Inline - RelativeJump 0x77D4CE3B-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->user32.dll-->GetWindowDC, Type: Inline - RelativeJump 0x77D48FF9-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->user32.dll-->OpenInputDesktop, Type: Inline - RelativeJump 0x77D66607-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->user32.dll-->PeekMessageA, Type: Inline - RelativeJump 0x77D4CEFD-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->user32.dll-->PeekMessageW, Type: Inline - RelativeJump 0x77D49278-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->user32.dll-->RegisterClassA, Type: Inline - RelativeJump 0x77D52316-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->user32.dll-->RegisterClassExA, Type: Inline - RelativeJump 0x77D54315-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->user32.dll-->RegisterClassExW, Type: Inline - RelativeJump 0x77D4AE29-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->user32.dll-->RegisterClassW, Type: Inline - RelativeJump 0x77D4A5EC-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->user32.dll-->ReleaseCapture, Type: Inline - RelativeJump 0x77D4C9A4-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->user32.dll-->ReleaseDC, Type: Inline - RelativeJump 0x77D4866D-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->user32.dll-->SetCapture, Type: Inline - RelativeJump 0x77D4C988-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->user32.dll-->SetCursorPos, Type: Inline - RelativeJump 0x77D85E8C-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->user32.dll-->SwitchDesktop, Type: Inline - RelativeJump 0x77D679A3-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->user32.dll-->TranslateMessage, Type: Inline - RelativeJump 0x77D48BCE-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->wininet.dll-->HttpQueryInfoA, Type: Inline - RelativeJump 0x3D94878D-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->wininet.dll-->HttpSendRequestA, Type: Inline - RelativeJump 0x3D95EE89-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->wininet.dll-->HttpSendRequestExA, Type: Inline - RelativeJump 0x3D9BA70A-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->wininet.dll-->HttpSendRequestExW, Type: Inline - RelativeJump 0x3D9BA763-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->wininet.dll-->HttpSendRequestW, Type: Inline - RelativeJump 0x3D94FABE-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->wininet.dll-->InternetCloseHandle, Type: Inline - RelativeJump 0x3D949088-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->wininet.dll-->InternetQueryDataAvailable, Type: Inline - RelativeJump 0x3D94BF7F-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump 0x3D94654B-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->wininet.dll-->InternetReadFileExA, Type: Inline - RelativeJump 0x3D963381-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump 0x71AB9639-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB428A-->00000000 [unknown_code_page]
[3336]hkcmd.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB6233-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->kernel32.dll-->GetFileAttributesExW, Type: Inline - RelativeJump 0x7C811105-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C915CBB-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->ntdll.dll-->NtCreateThread, Type: Inline - RelativeJump 0x7C90D1AE-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->user32.dll-->BeginPaint, Type: Inline - RelativeJump 0x77D4B4B1-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->user32.dll-->CallWindowProcA, Type: Inline - RelativeJump 0x77D4E34B-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->user32.dll-->CallWindowProcW, Type: Inline - RelativeJump 0x77D4C019-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->user32.dll-->DefDlgProcA, Type: Inline - RelativeJump 0x77D5759D-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->user32.dll-->DefDlgProcW, Type: Inline - RelativeJump 0x77D54CFA-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->user32.dll-->DefFrameProcA, Type: Inline - RelativeJump 0x77D7F685-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->user32.dll-->DefFrameProcW, Type: Inline - RelativeJump 0x77D6430C-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->user32.dll-->DefMDIChildProcA, Type: Inline - RelativeJump 0x77D7F6D4-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->user32.dll-->DefMDIChildProcW, Type: Inline - RelativeJump 0x77D64520-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->user32.dll-->DefWindowProcA, Type: Inline - RelativeJump 0x77D4DF6B-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->user32.dll-->DefWindowProcW, Type: Inline - RelativeJump 0x77D4B1E5-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->user32.dll-->EndPaint, Type: Inline - RelativeJump 0x77D4B4C5-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->user32.dll-->GetCapture, Type: Inline - RelativeJump 0x77D494FF-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->user32.dll-->GetClipboardData, Type: Inline - RelativeJump 0x77D6FCB2-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->user32.dll-->GetCursorPos, Type: Inline - RelativeJump 0x77D4C566-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->user32.dll-->GetDC, Type: Inline - RelativeJump 0x77D48697-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->user32.dll-->GetDCEx, Type: Inline - RelativeJump 0x77D4F21D-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->user32.dll-->GetMessageA, Type: Inline - RelativeJump 0x77D6EA45-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->user32.dll-->GetMessagePos, Type: Inline - RelativeJump 0x77D4C6E4-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->user32.dll-->GetMessageW, Type: Inline - RelativeJump 0x77D491A3-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->user32.dll-->GetUpdateRect, Type: Inline - RelativeJump 0x77D4BCEC-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->user32.dll-->GetUpdateRgn, Type: Inline - RelativeJump 0x77D4CE3B-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->user32.dll-->GetWindowDC, Type: Inline - RelativeJump 0x77D48FF9-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->user32.dll-->OpenInputDesktop, Type: Inline - RelativeJump 0x77D66607-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->user32.dll-->PeekMessageA, Type: Inline - RelativeJump 0x77D4CEFD-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->user32.dll-->PeekMessageW, Type: Inline - RelativeJump 0x77D49278-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->user32.dll-->RegisterClassA, Type: Inline - RelativeJump 0x77D52316-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->user32.dll-->RegisterClassExA, Type: Inline - RelativeJump 0x77D54315-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->user32.dll-->RegisterClassExW, Type: Inline - RelativeJump 0x77D4AE29-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->user32.dll-->RegisterClassW, Type: Inline - RelativeJump 0x77D4A5EC-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->user32.dll-->ReleaseCapture, Type: Inline - RelativeJump 0x77D4C9A4-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->user32.dll-->ReleaseDC, Type: Inline - RelativeJump 0x77D4866D-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->user32.dll-->SetCapture, Type: Inline - RelativeJump 0x77D4C988-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->user32.dll-->SetCursorPos, Type: Inline - RelativeJump 0x77D85E8C-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->user32.dll-->SwitchDesktop, Type: Inline - RelativeJump 0x77D679A3-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->user32.dll-->TranslateMessage, Type: Inline - RelativeJump 0x77D48BCE-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->wininet.dll-->HttpQueryInfoA, Type: Inline - RelativeJump 0x3D94878D-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->wininet.dll-->HttpSendRequestA, Type: Inline - RelativeJump 0x3D95EE89-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->wininet.dll-->HttpSendRequestExA, Type: Inline - RelativeJump 0x3D9BA70A-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->wininet.dll-->HttpSendRequestExW, Type: Inline - RelativeJump 0x3D9BA763-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->wininet.dll-->HttpSendRequestW, Type: Inline - RelativeJump 0x3D94FABE-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->wininet.dll-->InternetCloseHandle, Type: Inline - RelativeJump 0x3D949088-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->wininet.dll-->InternetQueryDataAvailable, Type: Inline - RelativeJump 0x3D94BF7F-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump 0x3D94654B-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->wininet.dll-->InternetReadFileExA, Type: Inline - RelativeJump 0x3D963381-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump 0x71AB9639-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB428A-->00000000 [unknown_code_page]
[3412]E_S09IC1.EXE-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB6233-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->kernel32.dll-->GetFileAttributesExW, Type: Inline - RelativeJump 0x7C811105-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C915CBB-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->ntdll.dll-->NtCreateThread, Type: Inline - RelativeJump 0x7C90D1AE-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->user32.dll-->BeginPaint, Type: Inline - RelativeJump 0x77D4B4B1-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->user32.dll-->CallWindowProcA, Type: Inline - RelativeJump 0x77D4E34B-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->user32.dll-->CallWindowProcW, Type: Inline - RelativeJump 0x77D4C019-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->user32.dll-->DefDlgProcA, Type: Inline - RelativeJump 0x77D5759D-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->user32.dll-->DefDlgProcW, Type: Inline - RelativeJump 0x77D54CFA-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->user32.dll-->DefFrameProcA, Type: Inline - RelativeJump 0x77D7F685-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->user32.dll-->DefFrameProcW, Type: Inline - RelativeJump 0x77D6430C-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->user32.dll-->DefMDIChildProcA, Type: Inline - RelativeJump 0x77D7F6D4-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->user32.dll-->DefMDIChildProcW, Type: Inline - RelativeJump 0x77D64520-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->user32.dll-->DefWindowProcA, Type: Inline - RelativeJump 0x77D4DF6B-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->user32.dll-->DefWindowProcW, Type: Inline - RelativeJump 0x77D4B1E5-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->user32.dll-->EndPaint, Type: Inline - RelativeJump 0x77D4B4C5-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->user32.dll-->GetCapture, Type: Inline - RelativeJump 0x77D494FF-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->user32.dll-->GetClipboardData, Type: Inline - RelativeJump 0x77D6FCB2-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->user32.dll-->GetCursorPos, Type: Inline - RelativeJump 0x77D4C566-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->user32.dll-->GetDC, Type: Inline - RelativeJump 0x77D48697-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->user32.dll-->GetDCEx, Type: Inline - RelativeJump 0x77D4F21D-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->user32.dll-->GetMessageA, Type: Inline - RelativeJump 0x77D6EA45-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->user32.dll-->GetMessagePos, Type: Inline - RelativeJump 0x77D4C6E4-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->user32.dll-->GetMessageW, Type: Inline - RelativeJump 0x77D491A3-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->user32.dll-->GetUpdateRect, Type: Inline - RelativeJump 0x77D4BCEC-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->user32.dll-->GetUpdateRgn, Type: Inline - RelativeJump 0x77D4CE3B-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->user32.dll-->GetWindowDC, Type: Inline - RelativeJump 0x77D48FF9-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->user32.dll-->OpenInputDesktop, Type: Inline - RelativeJump 0x77D66607-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->user32.dll-->PeekMessageA, Type: Inline - RelativeJump 0x77D4CEFD-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->user32.dll-->PeekMessageW, Type: Inline - RelativeJump 0x77D49278-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->user32.dll-->RegisterClassA, Type: Inline - RelativeJump 0x77D52316-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->user32.dll-->RegisterClassExA, Type: Inline - RelativeJump 0x77D54315-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->user32.dll-->RegisterClassExW, Type: Inline - RelativeJump 0x77D4AE29-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->user32.dll-->RegisterClassW, Type: Inline - RelativeJump 0x77D4A5EC-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->user32.dll-->ReleaseCapture, Type: Inline - RelativeJump 0x77D4C9A4-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->user32.dll-->ReleaseDC, Type: Inline - RelativeJump 0x77D4866D-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->user32.dll-->SetCapture, Type: Inline - RelativeJump 0x77D4C988-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->user32.dll-->SetCursorPos, Type: Inline - RelativeJump 0x77D85E8C-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->user32.dll-->SwitchDesktop, Type: Inline - RelativeJump 0x77D679A3-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->user32.dll-->TranslateMessage, Type: Inline - RelativeJump 0x77D48BCE-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->wininet.dll-->HttpQueryInfoA, Type: Inline - RelativeJump 0x3D94878D-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->wininet.dll-->HttpSendRequestA, Type: Inline - RelativeJump 0x3D95EE89-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->wininet.dll-->HttpSendRequestExA, Type: Inline - RelativeJump 0x3D9BA70A-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->wininet.dll-->HttpSendRequestExW, Type: Inline - RelativeJump 0x3D9BA763-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->wininet.dll-->HttpSendRequestW, Type: Inline - RelativeJump 0x3D94FABE-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->wininet.dll-->InternetCloseHandle, Type: Inline - RelativeJump 0x3D949088-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->wininet.dll-->InternetQueryDataAvailable, Type: Inline - RelativeJump 0x3D94BF7F-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump 0x3D94654B-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->wininet.dll-->InternetReadFileExA, Type: Inline - RelativeJump 0x3D963381-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump 0x71AB9639-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB428A-->00000000 [unknown_code_page]
[3460]FirewallGUI.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB6233-->00000000 [unknown_code_page]
[3524]jusched.exe-->kernel32.dll-->GetFileAttributesExW, Type: Inline - RelativeJump 0x7C811105-->00000000 [unknown_code_page]
[3524]jusched.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C915CBB-->00000000 [unknown_code_page]
[3524]jusched.exe-->ntdll.dll-->NtCreateThread, Type: Inline - RelativeJump 0x7C90D1AE-->00000000 [unknown_code_page]
[3524]jusched.exe-->user32.dll-->BeginPaint, Type: Inline - RelativeJump 0x77D4B4B1-->00000000 [unknown_code_page]
[3524]jusched.exe-->user32.dll-->CallWindowProcA, Type: Inline - RelativeJump 0x77D4E34B-->00000000 [unknown_code_page]
[3524]jusched.exe-->user32.dll-->CallWindowProcW, Type: Inline - RelativeJump 0x77D4C019-->00000000 [unknown_code_page]
[3524]jusched.exe-->user32.dll-->DefDlgProcA, Type: Inline - RelativeJump 0x77D5759D-->00000000 [unknown_code_page]
[3524]jusched.exe-->user32.dll-->DefDlgProcW, Type: Inline - RelativeJump 0x77D54CFA-->00000000 [unknown_code_page]
[3524]jusched.exe-->user32.dll-->DefFrameProcA, Type: Inline - RelativeJump 0x77D7F685-->00000000 [unknown_code_page]
[3524]jusched.exe-->user32.dll-->DefFrameProcW, Type: Inline - RelativeJump 0x77D6430C-->00000000 [unknown_code_page]
[3524]jusched.exe-->user32.dll-->DefMDIChildProcA, Type: Inline - RelativeJump 0x77D7F6D4-->00000000 [unknown_code_page]
[3524]jusched.exe-->user32.dll-->DefMDIChildProcW, Type: Inline - RelativeJump 0x77D64520-->00000000 [unknown_code_page]
[3524]jusched.exe-->user32.dll-->DefWindowProcA, Type: Inline - RelativeJump 0x77D4DF6B-->00000000 [unknown_code_page]
[3524]jusched.exe-->user32.dll-->DefWindowProcW, Type: Inline - RelativeJump 0x77D4B1E5-->00000000 [unknown_code_page]
[3524]jusched.exe-->user32.dll-->EndPaint, Type: Inline - RelativeJump 0x77D4B4C5-->00000000 [unknown_code_page]
[3524]jusched.exe-->user32.dll-->GetCapture, Type: Inline - RelativeJump 0x77D494FF-->00000000 [unknown_code_page]
[3524]jusched.exe-->user32.dll-->GetClipboardData, Type: Inline - RelativeJump 0x77D6FCB2-->00000000 [unknown_code_page]
[3524]jusched.exe-->user32.dll-->GetCursorPos, Type: Inline - RelativeJump 0x77D4C566-->00000000 [unknown_code_page]
[3524]jusched.exe-->user32.dll-->GetDC, Type: Inline - RelativeJump 0x77D48697-->00000000 [unknown_code_page]
[3524]jusched.exe-->user32.dll-->GetDCEx, Type: Inline - RelativeJump 0x77D4F21D-->00000000 [unknown_code_page]
[3524]jusched.exe-->user32.dll-->GetMessageA, Type: Inline - RelativeJump 0x77D6EA45-->00000000 [unknown_code_page]
[3524]jusched.exe-->user32.dll-->GetMessagePos, Type: Inline - RelativeJump 0x77D4C6E4-->00000000 [unknown_code_page]
[3524]jusched.exe-->user32.dll-->GetMessageW, Type: Inline - RelativeJump 0x77D491A3-->00000000 [unknown_code_page]
[3524]jusched.exe-->user32.dll-->GetUpdateRect, Type: Inline - RelativeJump 0x77D4BCEC-->00000000 [unknown_code_page]
[3524]jusched.exe-->user32.dll-->GetUpdateRgn, Type: Inline - RelativeJump 0x77D4CE3B-->00000000 [unknown_code_page]
[3524]jusched.exe-->user32.dll-->GetWindowDC, Type: Inline - RelativeJump 0x77D48FF9-->00000000 [unknown_code_page]
[3524]jusched.exe-->user32.dll-->OpenInputDesktop, Type: Inline - RelativeJump 0x77D66607-->00000000 [unknown_code_page]
[3524]jusched.exe-->user32.dll-->PeekMessageA, Type: Inline - RelativeJump 0x77D4CEFD-->00000000 [unknown_code_page]
[3524]jusched.exe-->user32.dll-->PeekMessageW, Type: Inline - RelativeJump 0x77D49278-->00000000 [unknown_code_page]
[3524]jusched.exe-->user32.dll-->RegisterClassA, Type: Inline - RelativeJump 0x77D52316-->00000000 [unknown_code_page]
[3524]jusched.exe-->user32.dll-->RegisterClassExA, Type: Inline - RelativeJump 0x77D54315-->00000000 [unknown_code_page]
[3524]jusched.exe-->user32.dll-->RegisterClassExW, Type: Inline - RelativeJump 0x77D4AE29-->00000000 [unknown_code_page]
[3524]jusched.exe-->user32.dll-->RegisterClassW, Type: Inline - RelativeJump 0x77D4A5EC-->00000000 [unknown_code_page]
[3524]jusched.exe-->user32.dll-->ReleaseCapture, Type: Inline - RelativeJump 0x77D4C9A4-->00000000 [unknown_code_page]
[3524]jusched.exe-->user32.dll-->ReleaseDC, Type: Inline - RelativeJump 0x77D4866D-->00000000 [unknown_code_page]
[3524]jusched.exe-->user32.dll-->SetCapture, Type: Inline - RelativeJump 0x77D4C988-->00000000 [unknown_code_page]
[3524]jusched.exe-->user32.dll-->SetCursorPos, Type: Inline - RelativeJump 0x77D85E8C-->00000000 [unknown_code_page]
[3524]jusched.exe-->user32.dll-->SwitchDesktop, Type: Inline - RelativeJump 0x77D679A3-->00000000 [unknown_code_page]
[3524]jusched.exe-->user32.dll-->TranslateMessage, Type: Inline - RelativeJump 0x77D48BCE-->00000000 [unknown_code_page]
[3524]jusched.exe-->wininet.dll-->HttpQueryInfoA, Type: Inline - RelativeJump 0x3D94878D-->00000000 [unknown_code_page]
[3524]jusched.exe-->wininet.dll-->HttpSendRequestA, Type: Inline - RelativeJump 0x3D95EE89-->00000000 [unknown_code_page]
[3524]jusched.exe-->wininet.dll-->HttpSendRequestExA, Type: Inline - RelativeJump 0x3D9BA70A-->00000000 [unknown_code_page]
[3524]jusched.exe-->wininet.dll-->HttpSendRequestExW, Type: Inline - RelativeJump 0x3D9BA763-->00000000 [unknown_code_page]
[3524]jusched.exe-->wininet.dll-->HttpSendRequestW, Type: Inline - RelativeJump 0x3D94FABE-->00000000 [unknown_code_page]
[3524]jusched.exe-->wininet.dll-->InternetCloseHandle, Type: Inline - RelativeJump 0x3D949088-->00000000 [unknown_code_page]
[3524]jusched.exe-->wininet.dll-->InternetQueryDataAvailable, Type: Inline - RelativeJump 0x3D94BF7F-->00000000 [unknown_code_page]
[3524]jusched.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump 0x3D94654B-->00000000 [unknown_code_page]
[3524]jusched.exe-->wininet.dll-->InternetReadFileExA, Type: Inline - RelativeJump 0x3D963381-->00000000 [unknown_code_page]
[3524]jusched.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump 0x71AB9639-->00000000 [unknown_code_page]
[3524]jusched.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB428A-->00000000 [unknown_code_page]
[3524]jusched.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB6233-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->kernel32.dll-->GetFileAttributesExW, Type: Inline - RelativeJump 0x7C811105-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C915CBB-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->ntdll.dll-->NtCreateThread, Type: Inline - RelativeJump 0x7C90D1AE-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->user32.dll-->BeginPaint, Type: Inline - RelativeJump 0x77D4B4B1-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->user32.dll-->CallWindowProcA, Type: Inline - RelativeJump 0x77D4E34B-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->user32.dll-->CallWindowProcW, Type: Inline - RelativeJump 0x77D4C019-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->user32.dll-->DefDlgProcA, Type: Inline - RelativeJump 0x77D5759D-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->user32.dll-->DefDlgProcW, Type: Inline - RelativeJump 0x77D54CFA-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->user32.dll-->DefFrameProcA, Type: Inline - RelativeJump 0x77D7F685-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->user32.dll-->DefFrameProcW, Type: Inline - RelativeJump 0x77D6430C-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->user32.dll-->DefMDIChildProcA, Type: Inline - RelativeJump 0x77D7F6D4-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->user32.dll-->DefMDIChildProcW, Type: Inline - RelativeJump 0x77D64520-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->user32.dll-->DefWindowProcA, Type: Inline - RelativeJump 0x77D4DF6B-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->user32.dll-->DefWindowProcW, Type: Inline - RelativeJump 0x77D4B1E5-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->user32.dll-->EndPaint, Type: Inline - RelativeJump 0x77D4B4C5-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->user32.dll-->GetCapture, Type: Inline - RelativeJump 0x77D494FF-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->user32.dll-->GetClipboardData, Type: Inline - RelativeJump 0x77D6FCB2-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->user32.dll-->GetCursorPos, Type: Inline - RelativeJump 0x77D4C566-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->user32.dll-->GetDC, Type: Inline - RelativeJump 0x77D48697-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->user32.dll-->GetDCEx, Type: Inline - RelativeJump 0x77D4F21D-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->user32.dll-->GetMessageA, Type: Inline - RelativeJump 0x77D6EA45-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->user32.dll-->GetMessagePos, Type: Inline - RelativeJump 0x77D4C6E4-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->user32.dll-->GetMessageW, Type: Inline - RelativeJump 0x77D491A3-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->user32.dll-->GetUpdateRect, Type: Inline - RelativeJump 0x77D4BCEC-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->user32.dll-->GetUpdateRgn, Type: Inline - RelativeJump 0x77D4CE3B-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->user32.dll-->GetWindowDC, Type: Inline - RelativeJump 0x77D48FF9-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->user32.dll-->OpenInputDesktop, Type: Inline - RelativeJump 0x77D66607-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->user32.dll-->PeekMessageA, Type: Inline - RelativeJump 0x77D4CEFD-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->user32.dll-->PeekMessageW, Type: Inline - RelativeJump 0x77D49278-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->user32.dll-->RegisterClassA, Type: Inline - RelativeJump 0x77D52316-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->user32.dll-->RegisterClassExA, Type: Inline - RelativeJump 0x77D54315-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->user32.dll-->RegisterClassExW, Type: Inline - RelativeJump 0x77D4AE29-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->user32.dll-->RegisterClassW, Type: Inline - RelativeJump 0x77D4A5EC-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->user32.dll-->ReleaseCapture, Type: Inline - RelativeJump 0x77D4C9A4-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->user32.dll-->ReleaseDC, Type: Inline - RelativeJump 0x77D4866D-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->user32.dll-->SetCapture, Type: Inline - RelativeJump 0x77D4C988-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->user32.dll-->SetCursorPos, Type: Inline - RelativeJump 0x77D85E8C-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->user32.dll-->SwitchDesktop, Type: Inline - RelativeJump 0x77D679A3-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->user32.dll-->TranslateMessage, Type: Inline - RelativeJump 0x77D48BCE-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->wininet.dll-->HttpQueryInfoA, Type: Inline - RelativeJump 0x3D94878D-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->wininet.dll-->HttpSendRequestA, Type: Inline - RelativeJump 0x3D95EE89-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->wininet.dll-->HttpSendRequestExA, Type: Inline - RelativeJump 0x3D9BA70A-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->wininet.dll-->HttpSendRequestExW, Type: Inline - RelativeJump 0x3D9BA763-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->wininet.dll-->HttpSendRequestW, Type: Inline - RelativeJump 0x3D94FABE-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->wininet.dll-->InternetCloseHandle, Type: Inline - RelativeJump 0x3D949088-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->wininet.dll-->InternetQueryDataAvailable, Type: Inline - RelativeJump 0x3D94BF7F-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump 0x3D94654B-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->wininet.dll-->InternetReadFileExA, Type: Inline - RelativeJump 0x3D963381-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump 0x71AB9639-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB428A-->00000000 [unknown_code_page]
[3688]wuauclt.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB6233-->00000000 [unknown_code_page]

!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

SuperDave · « **Reply #18 on:** September 26, 2010, 07:41:21 PM »

Do you know what this program is? c:\program files\temp

Re-running ComboFix to remove infections:

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open notepad and copy/paste the text in the quotebox below into it:
Quote
KillAll::

File::
c:\windows\Tfiko.bin
c:\documents and settings\Freddex\Start Menu\Programs\Startup\
awgu.exe
c:\documents and settings\Freddex\Start Menu\Programs\Startup\
booxoc.exe
c:\documents and settings\Freddex\Start Menu\Programs\Startup\
feybuv.exe
c:\documents and settings\Freddex\Start Menu\Programs\Startup\
hoip.exe
c:\documents and settings\Guest\Start Menu\Programs\Startup\
ohxieh.exe
c:\documents and settings\Guest\Start Menu\Programs\Startup\
oxyta.exe
c:\documents and settings\Guest\Start Menu\Programs\Startup\
poerb.exe
c:\documents and settings\Guest\Start Menu\Programs\Startup\
ybxuwo.exe
c:\documents and settings\Guest\Start Menu\Programs\Startup\
ybykl.exe
c:\documents and settings\Guest\Start Menu\Programs\Startup\
ylreeb.exe
c:\documents and settings\Default User\Start Menu\Programs\Startup\
ewgy.exe
c:\documents and settings\Default User\Start Menu\Programs\Startup\
heopy.exe
c:\documents and settings\Default User\Start Menu\Programs\Startup\
higi.exe
c:\documents and settings\Default User\Start Menu\Programs\Startup\
kiqeow.exe
c:\documents and settings\Default User\Start Menu\Programs\Startup\
tezie.exe
c:\documents and settings\Default User\Start Menu\Programs\Startup\
xuwi.exe
c:\program files\microsoft\desktoplayer.exe
c:\windows\system32\rundll32Srv.exe
c:\windows\Qwavifetahefozu.dat

Folder::
c:\program files\sys231

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"=-
Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt
Please post the contents of the log in your next reply.

Freddex · « **Reply #19 on:** September 26, 2010, 09:45:36 PM »

Hi Dave,
No I do not know what "c:\program files\temp" is for.

Freddex · « **Reply #20 on:** September 26, 2010, 09:46:35 PM »

ComboFix 10-09-25.05 - sey administrator 09/26/2010 22:59:49.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.196 [GMT -4:00]
Running from: c:\documents and settings\sey administrator\Desktop\Commy.exe
Command switches used :: c:\documents and settings\sey administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: PC Tools Firewall Plus *disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"c:\documents and settings\Freddex\Start Menu\Programs\Startup\"
"c:\windows\Tfiko.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\sey administrator\Application Data\Tagui
c:\documents and settings\sey administrator\Application Data\Tagui\haeba.exe
c:\program files\Internet Explorer\complete.dat
c:\program files\Internet Explorer\dmlconf.dat
c:\program files\Microsoft\DesktopLayer.exe
c:\program files\sys231
c:\windows\ExplorerSrv.exe
c:\windows\Tfiko.bin

.
((((((((((((((((((((((((( Files Created from 2010-08-27 to 2010-09-27 )))))))))))))))))))))))))))))))
.

2010-09-27 02:41 . 2010-09-27 02:41   41984   ----a-w-   c:\windows\system32\runonceSrv.exe
2010-09-26 00:31 . 2010-09-26 00:32   --------   d-----w-   c:\program files\7-Zip
2010-09-25 23:54 . 2010-09-26 00:09   --------   d-----w-   C:\RootRepeal
2010-09-25 22:36 . 2010-09-25 23:32   --------   d-----w-   C:\Commy18057C
2010-09-25 16:09 . 2010-09-25 16:09   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\Ashampoo
2010-09-25 16:07 . 2010-09-25 16:07   --------   d-----w-   c:\documents and settings\sey administrator\Local Settings\Application Data\ashampoo
2010-09-25 16:07 . 2010-09-25 16:07   --------   d-----w-   c:\documents and settings\All Users\Application Data\ashampoo
2010-09-25 16:07 . 2010-09-25 16:07   --------   d-----w-   c:\program files\Ashampoo
2010-09-22 13:02 . 2010-09-27 03:11   --------   d-----w-   c:\program files\temp
2010-09-22 02:15 . 2010-09-27 03:12   41984   ----a-w-   c:\windows\system32\rundll32Srv.exe
2010-09-21 04:26 . 2010-09-21 05:11   --------   d-----w-   C:\Commy
2010-09-18 06:16 . 2010-09-18 06:16   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\AVG9
2010-09-16 17:03 . 2010-09-16 17:04   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-09-16 05:52 . 2010-09-16 05:52   --------   d-----w-   c:\program files\Trend Micro
2010-09-16 04:44 . 2010-07-17 09:00   423656   ----a-w-   c:\windows\system32\deployJava1.dll
2010-09-15 18:04 . 2010-09-15 18:04   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\Malwarebytes
2010-09-15 18:03 . 2010-04-29 19:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-15 18:03 . 2010-09-15 18:03   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-15 18:02 . 2010-04-29 19:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-09-15 18:02 . 2010-09-15 18:04   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-09-15 04:49 . 2010-09-15 04:49   --------   d-----w-   c:\documents and settings\Freddex\Application Data\PCToolsFirewallPlus
2010-09-14 16:25 . 2010-09-20 20:40   95744   ----a-w-   c:\documents and settings\sey administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-09-14 16:25 . 2010-09-20 20:40   161280   ----a-w-   c:\documents and settings\sey administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-14 16:24 . 2010-09-14 16:24   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-09-14 16:24 . 2010-09-14 16:24   --------   d-----w-   c:\program files\SUPERAntiSpyware
2010-09-14 16:24 . 2010-09-14 16:24   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\SUPERAntiSpyware.com
2010-09-14 16:20 . 2010-09-14 16:20   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2010-09-14 15:58 . 2010-09-14 15:58   --------   d-----w-   c:\program files\CCleaner
2010-09-14 15:45 . 2010-09-14 15:46   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\PCToolsFirewallPlus
2010-09-14 15:41 . 2009-11-23 17:54   88040   ----a-w-   c:\windows\system32\drivers\PCTAppEvent.sys
2010-09-14 15:41 . 2009-11-09 15:20   207792   ----a-w-   c:\windows\system32\drivers\PCTCore.sys
2010-09-14 15:41 . 2010-01-07 16:40   233136   ----a-w-   c:\windows\system32\drivers\pctgntdi.sys
2010-09-14 15:40 . 2010-01-12 13:34   70664   ----a-w-   c:\windows\system32\drivers\pctNdis-PacketFilter.sys
2010-09-14 15:40 . 2010-01-07 15:35   58816   ----a-w-   c:\windows\system32\drivers\pctNdis.sys
2010-09-14 15:40 . 2010-01-07 15:35   32680   ----a-w-   c:\windows\system32\drivers\pctNdis-DNS.sys
2010-09-14 15:40 . 2010-01-13 12:59   115216   ----a-w-   c:\windows\system32\drivers\pctplfw.sys
2010-09-14 15:40 . 2010-09-23 01:11   --------   d-----w-   c:\program files\PC Tools Firewall Plus
2010-09-11 21:36 . 2010-09-11 21:36   --------   d-sh--w-   c:\documents and settings\NetworkService\IETldCache
2010-09-11 21:22 . 2010-09-21 02:45   120   ----a-w-   c:\windows\Qwavifetahefozu.dat
2010-09-11 21:16 . 2010-09-13 17:46   --------   d-----w-   c:\documents and settings\Freddex\Application Data\C48C287A5F27A887A3E6CDBB287BDE57
2010-09-04 18:14 . 2010-09-04 22:37   --------   d-----w-   c:\documents and settings\Freddex\Application Data\FileZilla
2010-09-04 18:13 . 2010-09-16 05:54   --------   d-----w-   c:\program files\Filezilla 3.3.2.1
2010-08-31 00:39 . 2010-08-31 00:39   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\IObit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-27 03:15 . 2010-01-05 23:15   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
2010-09-27 03:15 . 2005-08-30 02:56   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\Mewao
2010-09-27 03:11 . 2010-01-01 16:11   --------   d-----w-   c:\program files\Microsoft
2010-09-27 01:48 . 2008-04-21 16:55   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\Hykapo
2010-09-25 22:29 . 2008-12-03 12:31   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\Efpea
2010-09-24 00:22 . 2010-08-18 15:27   --------   d-----w-   c:\documents and settings\Freddex\Application Data\Uwdie
2010-09-23 23:47 . 2009-11-10 22:50   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\Gymu
2010-09-21 05:01 . 2010-02-21 18:58   --------   d-----w-   c:\program files\QuickTime
2010-09-20 20:40 . 2010-03-31 20:32   393216   ----a-w-   c:\documents and settings\sey administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-501e625d-n\msvcr71.dll
2010-09-20 20:40 . 2010-05-28 16:56   393216   ----a-w-   c:\documents and settings\sey administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-367bd4db-n\msvcr71.dll
2010-09-20 20:39 . 2010-08-09 00:56   393216   ----a-w-   c:\documents and settings\sey administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-61f91632-n\msvcr71.dll
2010-09-20 20:30 . 2010-03-23 23:46   393216   ----a-w-   c:\documents and settings\Freddex\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-34777ea4-n\msvcr71.dll
2010-09-20 20:30 . 2010-05-25 23:18   393216   ----a-w-   c:\documents and settings\Freddex\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-47f9ff1d-n\msvcr71.dll
2010-09-20 20:29 . 2010-08-03 02:18   393216   ----a-w-   c:\documents and settings\Freddex\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7c91b2a5-n\msvcr71.dll
2010-09-16 16:29 . 2010-03-23 22:54   --------   d-----w-   c:\program files\DivX
2010-09-16 16:29 . 2010-02-21 21:01   --------   d-----w-   c:\program files\LimeWire Music
2010-09-16 05:54 . 2001-09-19 06:51   --------   d-----w-   c:\program files\Microsoft Works
2010-09-16 04:44 . 2010-03-23 23:42   --------   d-----w-   c:\program files\Java
2010-09-14 15:41 . 2010-01-05 23:15   --------   d-----w-   c:\program files\Common Files\PC Tools
2010-09-14 15:04 . 2010-02-21 21:02   --------   d-----w-   c:\program files\ToggleEN
2010-09-14 14:13 . 2010-05-29 21:46   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\Skype
2010-09-14 14:02 . 2010-09-13 15:55   112   ----a-w-   c:\documents and settings\All Users\Application Data\r5NCJ5GrW.dat
2010-09-11 20:32 . 2010-04-14 21:49   --------   d-----w-   c:\documents and settings\Freddex\Application Data\uTorrent
2010-09-11 16:49 . 2010-07-01 19:46   --------   d-----w-   c:\documents and settings\Freddex\Application Data\LimeWire Music
2010-09-05 14:20 . 2010-01-01 16:20   --------   d-----w-   c:\program files\Microsoft Silverlight
2010-08-31 02:30 . 2010-02-21 21:01   --------   d-----w-   c:\program files\Download_Energy
2010-08-22 07:09 . 2010-04-18 15:57   --------   d-----w-   c:\documents and settings\Freddex\Application Data\Skype
2010-08-14 16:09 . 2010-03-23 22:52   --------   d-----w-   c:\documents and settings\All Users\Application Data\DivX
2010-08-11 13:18 . 2010-01-05 23:50   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-08-09 00:56 . 2010-08-09 00:56   503808   ----a-w-   c:\documents and settings\sey administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-61f91632-n\msvcp71.dll
2010-08-09 00:56 . 2010-08-09 00:56   499712   ----a-w-   c:\documents and settings\sey administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-61f91632-n\jmc.dll
2010-08-09 00:56 . 2010-08-09 00:56   61440   ----a-w-   c:\documents and settings\sey administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1ab01405-n\decora-sse.dll
2010-08-09 00:56 . 2010-08-09 00:56   12800   ----a-w-   c:\documents and settings\sey administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1ab01405-n\decora-d3d.dll
2010-08-03 02:18 . 2010-08-03 02:18   503808   ----a-w-   c:\documents and settings\Freddex\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7c91b2a5-n\msvcp71.dll
2010-08-03 02:18 . 2010-08-03 02:18   499712   ----a-w-   c:\documents and settings\Freddex\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7c91b2a5-n\jmc.dll
2010-08-03 02:18 . 2010-08-03 02:18   61440   ----a-w-   c:\documents and settings\Freddex\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-51d40a07-n\decora-sse.dll
2010-08-03 02:18 . 2010-08-03 02:18   12800   ----a-w-   c:\documents and settings\Freddex\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-51d40a07-n\decora-d3d.dll
2010-07-31 17:45 . 2010-02-21 21:01   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\LimeWire Music
2010-07-16 13:30 . 2010-01-05 23:49   243024   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
2010-07-16 13:30 . 2010-07-16 13:30   12536   ----a-w-   c:\windows\system32\avgrsstx.dll
2010-07-16 13:29 . 2010-01-05 23:49   25168   ----a-w-   c:\windows\system32\drivers\AVGIDSxx.sys
2010-07-16 13:28 . 2010-01-05 23:49   216400   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
.

Code: [Select]

<pre>
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\COMPAQ\Coloreal\coloreal .exe
c:\program files\COMPAQ\Easy Access Button Support\StartEAK .exe
c:\program files\IObit\Advanced SystemCare 3\AWC .exe
c:\program files\Messenger\msmsgs .exe
c:\program files\Microsoft Works\WkDetect .exe
c:\program files\QuickTime\qttask             .exe
c:\program files\Skype\Phone\Skype .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\windows\system32\rundll32 .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
"{ad708c09-d51b-45b3-9d28-4eba2681febf}"= "c:\program files\Download_Energy\tbDow1.dll" [2010-09-21 2735200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_CLASSES_ROOT\clsid\{ad708c09-d51b-45b3-9d28-4eba2681febf}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 14:25   2117704   ----a-w-   c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ad708c09-d51b-45b3-9d28-4eba2681febf}]
2010-09-21 03:45   2735200   ----a-w-   c:\program files\Download_Energy\tbDow1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
"{ad708c09-d51b-45b3-9d28-4eba2681febf}"= "c:\program files\Download_Energy\tbDow1.dll" [2010-09-21 2735200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{ad708c09-d51b-45b3-9d28-4eba2681febf}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
"{AD708C09-D51B-45B3-9D28-4EBA2681FEBF}"= "c:\program files\Download_Energy\tbDow1.dll" [2010-09-21 2735200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{ad708c09-d51b-45b3-9d28-4eba2681febf}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr .exe" [2009-07-26 3883856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [N/A]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [N/A]
"{257715E4-3F57-82F0-2A8F-9F44FF99EE07}"="c:\documents and settings\sey administrator\Application Data\Ycqyak\fimev.exe" [2005-05-05 113664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2001-08-08 143360]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2001-08-08 90112]
"WCOLOREAL"="c:\program files\COMPAQ\Coloreal\coloreal.exe" [N/A]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2000-07-13 311350]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [N/A]
"EPSON Stylus C44 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S09IC1.EXE" [2002-12-25 75776]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2010-01-12 3168216]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Jfarorerewe"="c:\windows\icehiqijoyiqopa.dll" [N/A]

c:\documents and settings\Freddex\Start Menu\Programs\Startup\
awgu.exe [2010-9-25 113664]
booxoc.exe [2010-9-22 106496]
feybuv.exe [2010-9-21 116224]
hierb.exe [2010-9-26 113664]
hoip.exe [2010-9-21 145408]
hoteb.exe [2010-9-26 113664]

c:\documents and settings\Guest\Start Menu\Programs\Startup\
fifyys.exe [2010-9-26 113664]
kyuq.exe [2010-9-26 113664]
ohxieh.exe [2010-9-25 113664]
oxyta.exe [2010-9-22 106496]
poerb.exe [2010-9-25 113664]
ybxuwo.exe [2010-9-21 116224]
ybykl.exe [2010-9-21 145408]
ylreeb.exe [2010-9-23 109568]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
afowy.exe [2010-9-26 113664]
ewgy.exe [2010-9-21 145408]
heopy.exe [2010-9-22 106496]
higi.exe [2010-9-23 109568]
kiqeow.exe [2010-9-25 113664]
loqayh.exe [2010-9-26 113664]
tezie.exe [2010-9-25 113664]
xuwi.exe [2010-9-21 116224]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2010-09-21 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-16 13:30   12536   ----a-w-   c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\LimeWire Music\\LimeWire Music.exe"=
"c:\\Program Files\\WinMX\\WinMX.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [1/5/2010 7:49 PM 25168]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [1/5/2010 7:49 PM 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/5/2010 7:49 PM 216400]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/5/2010 7:49 PM 243024]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [9/14/2010 11:41 AM 233136]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [7/16/2010 9:28 AM 921952]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/16/2010 9:29 AM 308136]
R2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [7/16/2010 9:28 AM 2331032]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [9/14/2010 11:41 AM 88040]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [1/5/2010 7:15 PM 583640]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [1/5/2010 7:48 PM 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [1/5/2010 7:49 PM 122448]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [1/5/2010 7:48 PM 30288]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [1/5/2010 7:48 PM 26192]
R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [9/14/2010 11:40 AM 70664]
R3 pctNDIS;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [9/14/2010 11:40 AM 58816]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [9/14/2010 11:40 AM 115216]
R3 SUNPLUS;SightCAM PC-100p;c:\windows\system32\drivers\spixnew.sys [1/21/2010 6:10 PM 95528]
S1 EACMOS;EACMOS;c:\windows\system32\drivers\EACMOS.SYS --> c:\windows\system32\drivers\EACMOS.SYS [?]
S2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [7/16/2010 9:29 AM 5897808]
S2 gupdate1cacadbef3afef0;Google Update Service (gupdate1cacadbef3afef0);c:\program files\Google\Update\GoogleUpdate.exe [3/23/2010 6:55 PM 133104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [1/5/2010 7:48 PM 30104]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
.
Contents of the 'Scheduled Tasks' folder

2010-09-27 c:\windows\Tasks\AWC AutoSweep.job
- c:\program files\IObit\Advanced SystemCare 3\AutoSweep.exe [2010-04-14 18:11]

2010-09-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-23 22:54]

2010-09-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-23 22:54]

2004-09-01 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-09-20 07:56]

2004-09-01 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-09-20 07:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\sey administrator\Application Data\Mozilla\Firefox\Profiles\3mmgr645.default\
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-26 23:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ACTIVEX_REPURPOSEDETECTION]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000001
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_IMG]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000001
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000001
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000001
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
@DACL=(02 0000)
"sllauncher.exe"=dword:00001f40

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_Cross_Domain_Redirect_Mitigation]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_LEGACY_COMPRESSION]
@DACL=(02 0000)
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_SQM_UPLOAD_FOR_APP]
@DACL=(02 0000)
"ieuser.exe"=dword:00000001
"iexplore.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_TELNET_PROTOCOL]
@DACL=(02 0000)
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK]
@DACL=(02 0000)
"YahooMusicEngine.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_SCRIPT_PASTE_URLACTION_IF_PROMPT]
@DACL=(02 0000)
"devenv.exe"=dword:00000001
"dexplore.exe"=dword:00000001
"helppane.exe"=dword:00000001
"sllauncher.exe"=dword:00000000
"PresentationHost.exe"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_FEEDS]
@DACL=(02 0000)
"msfeedssync.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_FORCE_ADDR_AND_STATUS]
@DACL=(02 0000)
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_XML_PROLOG]
@DACL=(02 0000)
"msiexec.exe"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IMAGING_USE_ART]
@DACL=(02 0000)
@=""
"waol.exe"=dword:00000001
"cs.exe"=dword:00000001
"wm.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INTERNET_SHELL_FOLDERS]
@DACL=(02 0000)
"iexplore.exe"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS]
@DACL=(02 0000)
"helppane.exe"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DLCONTROL_BEHAVIORS]
@DACL=(02 0000)
"wlmail.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000006
"explorer.exe"=dword:00000004

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000006
"explorer.exe"=dword:00000002

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME]
@DACL=(02 0000)
"mshta.exe"=dword:00000001
"outlook.exe"=dword:00000001
"sidebar.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RELEASE_CALLBACK_ON_STOP_BINDING]
@DACL=(02 0000)
"communicator.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ABOUT_PROTOCOL_IE7]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000001
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD]
@DACL=(02 0000)
"wlmail.exe"=dword:00000001
"msimn.exe"=dword:00000001
"winmail.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_OBJECT_DATA_ATTRIBUTE]
@DACL=(02 0000)
"WindowsLiveWriter.exe"=dword:00000001
"sllauncher.exe"=dword:00000001
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_RES_TO_LMZ]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000001
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_APP_PROTOCOL_WARN_DIALOG]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000001
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SSLUX]
@DACL=(02 0000)
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SUBDOWNLOAD_LOCKDOWN]
@DACL=(02 0000)
"wlmail.exe"=dword:00000001
"msimn.exe"=dword:00000001
"outlook.exe"=dword:00000001
"winmail.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_WINDOWEDSELECTCONTROL]
@DACL=(02 0000)
"excel.exe"=dword:00000001
"infopath.exe"=dword:00000001
"powerpnt.exe"=dword:00000001
"winword.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VIEWLINKEDWEBOC_IS_UNSAFE]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_MOVESIZECHILD]
@DACL=(02 0000)
"msn.exe"=dword:00000001
"msn6.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER]
@DACL=(02 0000)
"iexplore.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
@=""
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
@=""
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
@=""
"Installed"="1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\NdisWanIp]
@DACL=(02 0000)
"LLInterface"="WANARP"
"IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{E2E03A56-F650-49AD-9458-84AC5A26824B}\00Tcpip\\Parameters\\Interfaces\\{9D1E836B-DDA1-48F1-825D-3BE14B2C290C}\00Tcpip\\Parameters\\Interfaces\\{9215A54E-3EAA-4DC2-8EFE-4731C26E1349}\00Tcpip\\Parameters\\Interfaces\\{6F8E307F-9A7C-408A-AFAF-3615FCFA4CEF}\00\00"
"NumInterfaces"=dword:00000004
"IpInterfaces"=hex:56,3a,e0,e2,50,f6,ad,49,94,58,84,ac,5a,26,82,4b,6b,83,1e,9d,
a1,dd,f1,48,82,5d,3b,e1,4b,2c,29,0c,4e,a5,15,92,aa,3e,c2,4d,8e,fe,47,31,c2,\

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\{6DE38E76-6721-44BE-B4B6-A8A60FA66767}]
@DACL=(02 0000)
"LLInterface"=""
"IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{6DE38E76-6721-44BE-B4B6-A8A60FA66767}\00\00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\{B006CFFA-964A-4BFA-84AB-6CB924F4DB19}]
@DACL=(02 0000)
"LLInterface"=""
"IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{B006CFFA-964A-4BFA-84AB-6CB924F4DB19}\00\00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0AA05CFB-0DDF-48E4-ABE8-1E78BE894167}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{2F865EAA-DF52-4F83-B627-C01FA56AB1B5}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{4D0EE19D-53FB-42ED-929E-2CAD8D4DA3A2}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{56A4F766-5440-49EE-96D3-D509BA7BE4E9}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{6F8E307F-9A7C-408A-AFAF-3615FCFA4CEF}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000
"NTEContextList"=multi:"\00"
"DhcpClassIdBin"=hex:
"DhcpIPAddress"="0.0.0.0"
"DhcpSubnetMask"="0.0.0.0"
"Domain"=""
"NameServer"=""
"RegistrationEnabled"=dword:00000000
"RegisterAdapterName"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{8E76D28B-D819-435F-9D94-8F0EC4038520}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{9215A54E-3EAA-4DC2-8EFE-4731C26E1349}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{93DFA675-845C-4FB9-B057-A889D11F364B}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{9D1E836B-DDA1-48F1-825D-3BE14B2C290C}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000
"NTEContextList"=multi:"\00"
"DhcpIPAddress"="0.0.0.0"
"DhcpSubnetMask"="0.0.0.0"
"Domain"=""
"NameServer"=""
"RegistrationEnabled"=dword:00000000
"DhcpClassIdBin"=hex:
"RegisterAdapterName"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{B006CFFA-964A-4BFA-84AB-6CB924F4DB19}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"DefaultGatewayMetric"=multi:"\00"
"NameServer"=""
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=multi:"0\00\00"
"UDPAllowedPorts"=multi:"0\00\00"
"RawIPAllowedProtocols"=multi:"0\00\00"
"NTEContextList"=multi:"0x00000003\00\00"
"DhcpClassIdBin"=hex:

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E2E03A56-F650-49AD-9458-84AC5A26824B}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{EB685907-EFEF-49BC-836B-43B28D8A9E73}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F2661AF6-B3C2-4CB3-BEF6-D0571C34617B}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{FF2BE8C5-F6C8-4DEE-9C06-8F61850569D8}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1048)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3856)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\PC Tools Firewall Plus\FWService.exe
c:\windows\system32\pctspk.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2010-09-26 23:23:28 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-27 03:23
ComboFix2.txt 2010-09-25 23:32
ComboFix3.txt 2010-09-21 05:11

Pre-Run: 9,371,951,104 bytes free
Post-Run: 9,252,749,312 bytes free

- - End Of File - - DF174DF5AC4C5027D9BB4BFB0DA54073

SuperDave · « **Reply #21 on:** September 27, 2010, 06:20:00 PM »

Quote

No I do not know what "c:\program files\temp" is for.

If you don't need it, you may as well uninstall it.

Please go to Jotti's malware scan
(If more than one file needs scanned they must be done separately and links posted for each one)

* Copy the file path in the below Code box:

Code: [Select]

c:\windows\system32\drivers\EACMOS.SYS
* At the upload site, click once inside the window next to Browse.
* Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
* Next click Submit file
* Your file will possibly be entered into a queue which normally takes less than a minute to clear.
* This will perform a scan across multiple different virus scanning engines.
* Important: Wait for all of the scanning engines to complete.
* Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
**************************************
Sorry. I forgot something here.

Re-running ComboFix to remove infections:

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open notepad and copy/paste the text in the quotebox below into it:
Quote
KillAll::

File::
c:\windows\system32\runonceSrv.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Jfarorerewe"=-
Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt
Please post the contents of the log in your next reply.

Freddex · « **Reply #22 on:** September 28, 2010, 11:11:05 PM »

Hi Dave,
Ok I deleted the file that was in the "c:\program files\temp" folder.

I was NOT able to run Jotti's malware scan. It has never allowed me to do a Ctrl+V in the window. So I've been using the Browse button and finding the file paths you've been giving me. But I was not able to find c:\windows\system32\drivers\EACMOS.SYS in my system.

Freddex · « **Reply #23 on:** September 28, 2010, 11:13:25 PM »

ComboFix 10-09-27.05 - sey administrator 09/29/2010 0:31.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.239 [GMT -4:00]
Running from: c:\documents and settings\sey administrator\Desktop\Commy.exe
Command switches used :: c:\documents and settings\sey administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: PC Tools Firewall Plus *disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Created a new restore point

FILE ::
"c:\windows\system32\runonceSrv.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Freddex\Application Data\Mobiab
c:\documents and settings\Freddex\Application Data\Mobiab\xuvu.exe
c:\documents and settings\sey administrator\Application Data\Cyfiax
c:\documents and settings\sey administrator\Application Data\Cyfiax\tewow.duf
c:\documents and settings\sey administrator\Application Data\Ycqyak
c:\documents and settings\sey administrator\Application Data\Ycqyak\fimev.exe
c:\program files\Internet Explorer\complete.dat
c:\program files\Internet Explorer\dmlconf.dat
c:\program files\Microsoft\DesktopLayer.exe
c:\windows\ExplorerSrv.exe
c:\windows\system32\runonceSrv.exe

.
((((((((((((((((((((((((( Files Created from 2010-08-28 to 2010-09-29 )))))))))))))))))))))))))))))))
.

2010-09-29 04:51 . 2010-09-29 04:51   41984   ----a-w-   c:\windows\ExplorerSrv.exe
2010-09-29 04:26 . 2010-09-29 04:26   185856   ----a-w-   c:\documents and settings\sey administrator\Application Data\Fako\anuq.exe
2010-09-29 04:26 . 2010-09-29 04:26   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\Fako
2010-09-29 04:26 . 2010-09-29 04:48   --------   d-----w-   c:\program files\temp
2010-09-29 02:20 . 2010-09-29 02:20   --------   d--h--w-   c:\windows\PIF
2010-09-27 02:42 . 2010-09-27 03:23   --------   d-----w-   C:\Commy9393C
2010-09-26 00:31 . 2010-09-26 00:32   --------   d-----w-   c:\program files\7-Zip
2010-09-25 23:54 . 2010-09-26 00:09   --------   d-----w-   C:\RootRepeal
2010-09-25 22:36 . 2010-09-25 23:32   --------   d-----w-   C:\Commy18057C
2010-09-25 16:09 . 2010-09-25 16:09   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\Ashampoo
2010-09-25 16:07 . 2010-09-25 16:07   --------   d-----w-   c:\documents and settings\sey administrator\Local Settings\Application Data\ashampoo
2010-09-25 16:07 . 2010-09-25 16:07   --------   d-----w-   c:\documents and settings\All Users\Application Data\ashampoo
2010-09-25 16:07 . 2010-09-25 16:07   --------   d-----w-   c:\program files\Ashampoo
2010-09-22 02:15 . 2010-09-29 04:49   41984   ----a-w-   c:\windows\system32\rundll32Srv.exe
2010-09-21 04:26 . 2010-09-21 05:11   --------   d-----w-   C:\Commy
2010-09-18 06:16 . 2010-09-18 06:16   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\AVG9
2010-09-16 17:03 . 2010-09-16 17:04   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-09-16 05:52 . 2010-09-16 05:52   --------   d-----w-   c:\program files\Trend Micro
2010-09-16 04:44 . 2010-07-17 09:00   423656   ----a-w-   c:\windows\system32\deployJava1.dll
2010-09-15 18:04 . 2010-09-15 18:04   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\Malwarebytes
2010-09-15 18:03 . 2010-04-29 19:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-15 18:03 . 2010-09-15 18:03   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-15 18:02 . 2010-04-29 19:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-09-15 18:02 . 2010-09-15 18:04   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-09-15 04:49 . 2010-09-15 04:49   --------   d-----w-   c:\documents and settings\Freddex\Application Data\PCToolsFirewallPlus
2010-09-14 16:25 . 2010-09-20 20:40   95744   ----a-w-   c:\documents and settings\sey administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-09-14 16:25 . 2010-09-20 20:40   161280   ----a-w-   c:\documents and settings\sey administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-14 16:24 . 2010-09-14 16:24   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-09-14 16:24 . 2010-09-14 16:24   --------   d-----w-   c:\program files\SUPERAntiSpyware
2010-09-14 16:24 . 2010-09-14 16:24   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\SUPERAntiSpyware.com
2010-09-14 16:20 . 2010-09-14 16:20   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2010-09-14 15:58 . 2010-09-14 15:58   --------   d-----w-   c:\program files\CCleaner
2010-09-14 15:45 . 2010-09-14 15:46   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\PCToolsFirewallPlus
2010-09-14 15:41 . 2009-11-23 17:54   88040   ----a-w-   c:\windows\system32\drivers\PCTAppEvent.sys
2010-09-14 15:41 . 2009-11-09 15:20   207792   ----a-w-   c:\windows\system32\drivers\PCTCore.sys
2010-09-14 15:41 . 2010-01-07 16:40   233136   ----a-w-   c:\windows\system32\drivers\pctgntdi.sys
2010-09-14 15:40 . 2010-01-12 13:34   70664   ----a-w-   c:\windows\system32\drivers\pctNdis-PacketFilter.sys
2010-09-14 15:40 . 2010-01-07 15:35   58816   ----a-w-   c:\windows\system32\drivers\pctNdis.sys
2010-09-14 15:40 . 2010-01-07 15:35   32680   ----a-w-   c:\windows\system32\drivers\pctNdis-DNS.sys
2010-09-14 15:40 . 2010-01-13 12:59   115216   ----a-w-   c:\windows\system32\drivers\pctplfw.sys
2010-09-14 15:40 . 2010-09-23 01:11   --------   d-----w-   c:\program files\PC Tools Firewall Plus
2010-09-11 21:36 . 2010-09-11 21:36   --------   d-sh--w-   c:\documents and settings\NetworkService\IETldCache
2010-09-11 21:22 . 2010-09-21 02:45   120   ----a-w-   c:\windows\Qwavifetahefozu.dat
2010-09-11 21:16 . 2010-09-13 17:46   --------   d-----w-   c:\documents and settings\Freddex\Application Data\C48C287A5F27A887A3E6CDBB287BDE57
2010-09-04 18:14 . 2010-09-04 22:37   --------   d-----w-   c:\documents and settings\Freddex\Application Data\FileZilla
2010-09-04 18:13 . 2010-09-16 05:54   --------   d-----w-   c:\program files\Filezilla 3.3.2.1
2010-08-31 00:39 . 2010-08-31 00:39   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\IObit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-29 04:54 . 2008-08-28 05:11   229376   ----a-w-   c:\documents and settings\sey administrator\Application Data\Zagy\xocu.exe
2010-09-29 04:51 . 2006-02-01 21:03   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\Ossiv
2010-09-29 04:51 . 2010-01-05 23:15   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
2010-09-29 04:48 . 2010-01-01 16:11   --------   d-----w-   c:\program files\Microsoft
2010-09-27 22:48 . 2010-07-17 10:38   --------   d-----w-   c:\documents and settings\Freddex\Application Data\Ihduy
2010-09-27 03:15 . 2005-08-30 02:56   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\Mewao
2010-09-27 01:48 . 2008-04-21 16:55   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\Hykapo
2010-09-25 22:29 . 2008-12-03 12:31   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\Efpea
2010-09-24 00:22 . 2010-08-18 15:27   --------   d-----w-   c:\documents and settings\Freddex\Application Data\Uwdie
2010-09-23 23:47 . 2009-11-10 22:50   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\Gymu
2010-09-21 05:01 . 2010-02-21 18:58   --------   d-----w-   c:\program files\QuickTime
2010-09-20 20:40 . 2010-03-31 20:32   393216   ----a-w-   c:\documents and settings\sey administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-501e625d-n\msvcr71.dll
2010-09-20 20:40 . 2010-05-28 16:56   393216   ----a-w-   c:\documents and settings\sey administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-367bd4db-n\msvcr71.dll
2010-09-20 20:39 . 2010-08-09 00:56   393216   ----a-w-   c:\documents and settings\sey administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-61f91632-n\msvcr71.dll
2010-09-20 20:30 . 2010-03-23 23:46   393216   ----a-w-   c:\documents and settings\Freddex\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-34777ea4-n\msvcr71.dll
2010-09-20 20:30 . 2010-05-25 23:18   393216   ----a-w-   c:\documents and settings\Freddex\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-47f9ff1d-n\msvcr71.dll
2010-09-20 20:29 . 2010-08-03 02:18   393216   ----a-w-   c:\documents and settings\Freddex\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7c91b2a5-n\msvcr71.dll
2010-09-16 16:29 . 2010-03-23 22:54   --------   d-----w-   c:\program files\DivX
2010-09-16 16:29 . 2010-02-21 21:01   --------   d-----w-   c:\program files\LimeWire Music
2010-09-16 05:54 . 2001-09-19 06:51   --------   d-----w-   c:\program files\Microsoft Works
2010-09-16 04:44 . 2010-03-23 23:42   --------   d-----w-   c:\program files\Java
2010-09-14 15:41 . 2010-01-05 23:15   --------   d-----w-   c:\program files\Common Files\PC Tools
2010-09-14 15:04 . 2010-02-21 21:02   --------   d-----w-   c:\program files\ToggleEN
2010-09-14 14:13 . 2010-05-29 21:46   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\Skype
2010-09-14 14:02 . 2010-09-13 15:55   112   ----a-w-   c:\documents and settings\All Users\Application Data\r5NCJ5GrW.dat
2010-09-11 20:32 . 2010-04-14 21:49   --------   d-----w-   c:\documents and settings\Freddex\Application Data\uTorrent
2010-09-11 16:49 . 2010-07-01 19:46   --------   d-----w-   c:\documents and settings\Freddex\Application Data\LimeWire Music
2010-09-05 14:20 . 2010-01-01 16:20   --------   d-----w-   c:\program files\Microsoft Silverlight
2010-08-31 02:30 . 2010-02-21 21:01   --------   d-----w-   c:\program files\Download_Energy
2010-08-22 07:09 . 2010-04-18 15:57   --------   d-----w-   c:\documents and settings\Freddex\Application Data\Skype
2010-08-14 16:09 . 2010-03-23 22:52   --------   d-----w-   c:\documents and settings\All Users\Application Data\DivX
2010-08-11 13:18 . 2010-01-05 23:50   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-08-09 00:56 . 2010-08-09 00:56   503808   ----a-w-   c:\documents and settings\sey administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-61f91632-n\msvcp71.dll
2010-08-09 00:56 . 2010-08-09 00:56   499712   ----a-w-   c:\documents and settings\sey administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-61f91632-n\jmc.dll
2010-08-09 00:56 . 2010-08-09 00:56   61440   ----a-w-   c:\documents and settings\sey administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1ab01405-n\decora-sse.dll
2010-08-09 00:56 . 2010-08-09 00:56   12800   ----a-w-   c:\documents and settings\sey administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1ab01405-n\decora-d3d.dll
2010-08-03 02:18 . 2010-08-03 02:18   503808   ----a-w-   c:\documents and settings\Freddex\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7c91b2a5-n\msvcp71.dll
2010-08-03 02:18 . 2010-08-03 02:18   499712   ----a-w-   c:\documents and settings\Freddex\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7c91b2a5-n\jmc.dll
2010-08-03 02:18 . 2010-08-03 02:18   61440   ----a-w-   c:\documents and settings\Freddex\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-51d40a07-n\decora-sse.dll
2010-08-03 02:18 . 2010-08-03 02:18   12800   ----a-w-   c:\documents and settings\Freddex\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-51d40a07-n\decora-d3d.dll
2010-07-31 17:45 . 2010-02-21 21:01   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\LimeWire Music
2010-07-16 13:30 . 2010-01-05 23:49   243024   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
2010-07-16 13:30 . 2010-07-16 13:30   12536   ----a-w-   c:\windows\system32\avgrsstx.dll
2010-07-16 13:29 . 2010-01-05 23:49   25168   ----a-w-   c:\windows\system32\drivers\AVGIDSxx.sys
2010-07-16 13:28 . 2010-01-05 23:49   216400   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
.

Code: [Select]

<pre>
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\COMPAQ\Coloreal\coloreal .exe
c:\program files\COMPAQ\Easy Access Button Support\StartEAK .exe
c:\program files\IObit\Advanced SystemCare 3\AWC .exe
c:\program files\Messenger\msmsgs .exe
c:\program files\Microsoft Works\WkDetect .exe
c:\program files\QuickTime\qttask             .exe
c:\program files\Skype\Phone\Skype .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\windows\system32\rundll32 .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
"{ad708c09-d51b-45b3-9d28-4eba2681febf}"= "c:\program files\Download_Energy\tbDow1.dll" [2010-09-21 2735200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_CLASSES_ROOT\clsid\{ad708c09-d51b-45b3-9d28-4eba2681febf}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 14:25   2117704   ----a-w-   c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ad708c09-d51b-45b3-9d28-4eba2681febf}]
2010-09-21 03:45   2735200   ----a-w-   c:\program files\Download_Energy\tbDow1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
"{ad708c09-d51b-45b3-9d28-4eba2681febf}"= "c:\program files\Download_Energy\tbDow1.dll" [2010-09-21 2735200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{ad708c09-d51b-45b3-9d28-4eba2681febf}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
"{AD708C09-D51B-45B3-9D28-4EBA2681FEBF}"= "c:\program files\Download_Energy\tbDow1.dll" [2010-09-21 2735200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{ad708c09-d51b-45b3-9d28-4eba2681febf}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr .exe" [2009-07-26 3883856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [N/A]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [N/A]
"{257715E4-3F57-82F0-2A8F-9F44FF99EE07}"="c:\documents and settings\sey administrator\Application Data\Zagy\xocu.exe" [2010-09-29 229376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2001-08-08 143360]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2001-08-08 90112]
"WCOLOREAL"="c:\program files\COMPAQ\Coloreal\coloreal.exe" [N/A]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2000-07-13 311350]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [N/A]
"EPSON Stylus C44 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S09IC1.EXE" [2002-12-25 75776]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2010-01-12 3168216]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"nonep"="c:\docume~1\SEYADM~1\LOCALS~1\Temp\tmpd0eca8c7\KillEXE.exe" [2010-09-29 237056]

c:\documents and settings\Freddex\Start Menu\Programs\Startup\
asmup.exe [2010-9-29 229376]
awgu.exe [2010-9-25 113664]
booxoc.exe [2010-9-22 106496]
feybuv.exe [2010-9-21 116224]
hierb.exe [2010-9-26 113664]
hoip.exe [2010-9-21 145408]

c:\documents and settings\Guest\Start Menu\Programs\Startup\
dobi.exe [2010-9-29 229376]
fifyys.exe [2010-9-26 113664]
kyuq.exe [2010-9-26 113664]
ohxieh.exe [2010-9-25 113664]
oxyta.exe [2010-9-22 106496]
poerb.exe [2010-9-25 113664]
ybxuwo.exe [2010-9-21 116224]
ybykl.exe [2010-9-21 145408]
ylreeb.exe [2010-9-23 109568]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
afowy.exe [2010-9-26 113664]
avwe.exe [2010-9-29 229376]
ewgy.exe [2010-9-21 145408]
heopy.exe [2010-9-22 106496]
higi.exe [2010-9-23 109568]
kiqeow.exe [2010-9-25 113664]
loqayh.exe [2010-9-26 113664]
tezie.exe [2010-9-25 113664]
xuwi.exe [2010-9-21 116224]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2010-09-21 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-16 13:30   12536   ----a-w-   c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\LimeWire Music\\LimeWire Music.exe"=
"c:\\Program Files\\WinMX\\WinMX.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [1/5/2010 7:49 PM 25168]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [1/5/2010 7:49 PM 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/5/2010 7:49 PM 216400]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/5/2010 7:49 PM 243024]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [9/14/2010 11:41 AM 233136]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [7/16/2010 9:28 AM 921952]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/16/2010 9:29 AM 308136]
R2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [7/16/2010 9:28 AM 2331032]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [9/14/2010 11:41 AM 88040]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [1/5/2010 7:15 PM 583640]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [1/5/2010 7:48 PM 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [1/5/2010 7:49 PM 122448]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [1/5/2010 7:48 PM 30288]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [1/5/2010 7:48 PM 26192]
R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [9/14/2010 11:40 AM 70664]
R3 pctNDIS;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [9/14/2010 11:40 AM 58816]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [9/14/2010 11:40 AM 115216]
R3 SUNPLUS;SightCAM PC-100p;c:\windows\system32\drivers\spixnew.sys [1/21/2010 6:10 PM 95528]
S1 EACMOS;EACMOS;c:\windows\system32\drivers\EACMOS.SYS --> c:\windows\system32\drivers\EACMOS.SYS [?]
S2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [7/16/2010 9:29 AM 5897808]
S2 gupdate1cacadbef3afef0;Google Update Service (gupdate1cacadbef3afef0);c:\program files\Google\Update\GoogleUpdate.exe [3/23/2010 6:55 PM 133104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [1/5/2010 7:48 PM 30104]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
.
Contents of the 'Scheduled Tasks' folder

2010-09-29 c:\windows\Tasks\AWC AutoSweep.job
- c:\program files\IObit\Advanced SystemCare 3\AutoSweep.exe [2010-04-14 18:11]

2010-09-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-23 22:54]

2010-09-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-23 22:54]

2004-09-01 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-09-20 07:56]

2004-09-01 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-09-20 07:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\sey administrator\Application Data\Mozilla\Firefox\Profiles\3mmgr645.default\
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-29 00:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ACTIVEX_REPURPOSEDETECTION]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000001
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_IMG]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000001
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000001
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000001
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
@DACL=(02 0000)
"sllauncher.exe"=dword:00001f40

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_Cross_Domain_Redirect_Mitigation]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_LEGACY_COMPRESSION]
@DACL=(02 0000)
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_SQM_UPLOAD_FOR_APP]
@DACL=(02 0000)
"ieuser.exe"=dword:00000001
"iexplore.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_TELNET_PROTOCOL]
@DACL=(02 0000)
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK]
@DACL=(02 0000)
"YahooMusicEngine.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_SCRIPT_PASTE_URLACTION_IF_PROMPT]
@DACL=(02 0000)
"devenv.exe"=dword:00000001
"dexplore.exe"=dword:00000001
"helppane.exe"=dword:00000001
"sllauncher.exe"=dword:00000000
"PresentationHost.exe"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_FEEDS]
@DACL=(02 0000)
"msfeedssync.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_FORCE_ADDR_AND_STATUS]
@DACL=(02 0000)
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_XML_PROLOG]
@DACL=(02 0000)
"msiexec.exe"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IMAGING_USE_ART]
@DACL=(02 0000)
@=""
"waol.exe"=dword:00000001
"cs.exe"=dword:00000001
"wm.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INTERNET_SHELL_FOLDERS]
@DACL=(02 0000)
"iexplore.exe"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS]
@DACL=(02 0000)
"helppane.exe"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DLCONTROL_BEHAVIORS]
@DACL=(02 0000)
"wlmail.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000006
"explorer.exe"=dword:00000004

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000006
"explorer.exe"=dword:00000002

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME]
@DACL=(02 0000)
"mshta.exe"=dword:00000001
"outlook.exe"=dword:00000001
"sidebar.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RELEASE_CALLBACK_ON_STOP_BINDING]
@DACL=(02 0000)
"communicator.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ABOUT_PROTOCOL_IE7]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000001
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD]
@DACL=(02 0000)
"wlmail.exe"=dword:00000001
"msimn.exe"=dword:00000001
"winmail.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_OBJECT_DATA_ATTRIBUTE]
@DACL=(02 0000)
"WindowsLiveWriter.exe"=dword:00000001
"sllauncher.exe"=dword:00000001
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_RES_TO_LMZ]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000001
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_APP_PROTOCOL_WARN_DIALOG]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000001
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SSLUX]
@DACL=(02 0000)
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SUBDOWNLOAD_LOCKDOWN]
@DACL=(02 0000)
"wlmail.exe"=dword:00000001
"msimn.exe"=dword:00000001
"outlook.exe"=dword:00000001
"winmail.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_WINDOWEDSELECTCONTROL]
@DACL=(02 0000)
"excel.exe"=dword:00000001
"infopath.exe"=dword:00000001
"powerpnt.exe"=dword:00000001
"winword.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VIEWLINKEDWEBOC_IS_UNSAFE]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_MOVESIZECHILD]
@DACL=(02 0000)
"msn.exe"=dword:00000001
"msn6.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER]
@DACL=(02 0000)
"iexplore.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
@=""
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
@=""
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
@=""
"Installed"="1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\NdisWanIp]
@DACL=(02 0000)
"LLInterface"="WANARP"
"IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{E2E03A56-F650-49AD-9458-84AC5A26824B}\00Tcpip\\Parameters\\Interfaces\\{9D1E836B-DDA1-48F1-825D-3BE14B2C290C}\00Tcpip\\Parameters\\Interfaces\\{9215A54E-3EAA-4DC2-8EFE-4731C26E1349}\00Tcpip\\Parameters\\Interfaces\\{6F8E307F-9A7C-408A-AFAF-3615FCFA4CEF}\00\00"
"NumInterfaces"=dword:00000004
"IpInterfaces"=hex:56,3a,e0,e2,50,f6,ad,49,94,58,84,ac,5a,26,82,4b,6b,83,1e,9d,
a1,dd,f1,48,82,5d,3b,e1,4b,2c,29,0c,4e,a5,15,92,aa,3e,c2,4d,8e,fe,47,31,c2,\

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\{6DE38E76-6721-44BE-B4B6-A8A60FA66767}]
@DACL=(02 0000)
"LLInterface"=""
"IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{6DE38E76-6721-44BE-B4B6-A8A60FA66767}\00\00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\{B006CFFA-964A-4BFA-84AB-6CB924F4DB19}]
@DACL=(02 0000)
"LLInterface"=""
"IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{B006CFFA-964A-4BFA-84AB-6CB924F4DB19}\00\00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0AA05CFB-0DDF-48E4-ABE8-1E78BE894167}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{1ADA907D-9145-41B7-BD1B-0B8078EF8185}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{22DC89FD-1B4F-4DDE-97E1-D2BF70D78AF0}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{2F865EAA-DF52-4F83-B627-C01FA56AB1B5}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{4D0EE19D-53FB-42ED-929E-2CAD8D4DA3A2}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{56A4F766-5440-49EE-96D3-D509BA7BE4E9}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5B98C0D8-F928-4D49-9882-4DFE65D95C61}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{6F8E307F-9A7C-408A-AFAF-3615FCFA4CEF}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000
"NTEContextList"=multi:"\00"
"DhcpClassIdBin"=hex:
"DhcpIPAddress"="0.0.0.0"
"DhcpSubnetMask"="0.0.0.0"
"Domain"=""
"NameServer"=""
"RegistrationEnabled"=dword:00000000
"RegisterAdapterName"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{8E76D28B-D819-435F-9D94-8F0EC4038520}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{9215A54E-3EAA-4DC2-8EFE-4731C26E1349}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{93DFA675-845C-4FB9-B057-A889D11F364B}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{9D1E836B-DDA1-48F1-825D-3BE14B2C290C}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000
"NTEContextList"=multi:"\00"
"DhcpIPAddress"="0.0.0.0"
"DhcpSubnetMask"="0.0.0.0"
"Domain"=""
"NameServer"=""
"RegistrationEnabled"=dword:00000000
"DhcpClassIdBin"=hex:
"RegisterAdapterName"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{B006CFFA-964A-4BFA-84AB-6CB924F4DB19}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"DefaultGatewayMetric"=multi:"\00"
"NameServer"=""
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=multi:"0\00\00"
"UDPAllowedPorts"=multi:"0\00\00"
"RawIPAllowedProtocols"=multi:"0\00\00"
"NTEContextList"=multi:"0x00000003\00\00"
"DhcpClassIdBin"=hex:

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E2E03A56-F650-49AD-9458-84AC5A26824B}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{EB685907-EFEF-49BC-836B-43B28D8A9E73}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F2661AF6-B3C2-4CB3-BEF6-D0571C34617B}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{FF2BE8C5-F6C8-4DEE-9C06-8F61850569D8}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1048)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(4032)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\PC Tools Firewall Plus\FWService.exe
c:\windows\system32\pctspk.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2010-09-29 01:01:06 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-29 05:00
ComboFix2.txt 2010-09-27 03:23
ComboFix3.txt 2010-09-25 23:32
ComboFix4.txt 2010-09-21 05:11

Pre-Run: 12,095,152,128 bytes free
Post-Run: 12,122,836,992 bytes free

- - End Of File - - E5DE3B69E0C6F1B9A6B2203A56ADB11B

SuperDave · « **Reply #24 on:** September 29, 2010, 01:37:12 PM »

Quote

Ok I deleted the file that was in the "c:\program files\temp" folder.

You can ininstall/ delete the folder also.

•Start HijackThis
•Click on the Misc Tools button
•Click on the Open Uninstall Manager button.
•Click on the Save list... button and specify where you would like to save this file. When you press Save button a Notepad will open with the contents of that file. Save the file to your desktop.
Copy and paste this file in your next reply.

Freddex · « **Reply #25 on:** September 29, 2010, 04:24:13 PM »

I had deleted the whole "temp" folder but it has recreated itself but the folder is empty this time.

Also I had to r-download the Hijackthis app as the one I already had wouldn't open for some reason.

Here's the list.

*********************************************************

µTorrent
7-Zip 9.16 beta
Ad-Aware SE Personal
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3
Advanced SystemCare 3
Apple Application Support
Apple Software Update
Ashampoo Burning Studio 6 FREE
AVG 9.0
CCleaner
Coloreal
Compaq Advisor
Compaq Wallpaper
Compaq WinDVD
Download_Energy Toolbar
Easy Access Button Support
Encarta Online
EPSON Printer Software
Film Factory
Google Chrome
Google Update Helper
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
InterVideo Installer
Java(TM) 6 Update 21
Junk Mail filter update
LimeWire Music
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Choice Guard
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 6.0
Mozilla Firefox (3.6.10)
MSVCRT
MSXML 6 Service Pack 2 (KB973686)
NTI CD-Maker 2000 Standard
PC Tools Firewall Plus 6.0
Quicken 2001 Install
QuickTime
Registry Mechanic 9.0
Rootkit Unhooker LE 3.8 SR 2
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Segoe UI
SightCAM PC-100p
SightCAM PC-100p
Skype™ 4.2
SUPERAntiSpyware Free Edition
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB898461)
Update for Windows XP (KB925720)
Update for Windows XP (KB955759)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Family Safety
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB891781
Windows XP Related
Windows XP Service Pack 2
WinMX
WinRAR archiver
Yahoo! Address AutoComplete
Yahoo! Internet Mail
Yahoo! Messenger Explorer Bar
Yahoo! Software Update
Yahoo! Toolbar

Freddex · « **Reply #26 on:** September 29, 2010, 04:34:32 PM »

Dave,
I just wanted to give you some more info. I got the virus from clicking on a link from a Google search (I was using my Mozilla browser at the time). My AVG started going crazy almost instantly. Now recently I noticed that my Mozilla browser no longer works but my Explorer is still working fine.

SuperDave · « **Reply #27 on:** September 29, 2010, 07:24:12 PM »

Registry cleaners are extremely powerful applications and their potential for harming your OS far outweighs any small potential for improving your computer's performance.
Registry Mechanic 9.0

There are a number of them available and some are more safe than others. Keep in mind that no two registry cleaners work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad" entry. One cleaner may find entries on your system that will not cause a problem when removed, another may not find the same entries, and still another may want to remove entries required for a program to work. Without research into what the registry entry selected for deletion is, a registry cleaner can end up being an automated method to cause problems with the registry.

For routine use by those not familiar with the registry, the benefits to your computer are negligible while the potential risks are great.

Further reading: XP Fixes Myth #1: Registry Cleaners

*************************************

Quote

Now recently I noticed that my Mozilla browser no longer works but my Explorer is still working fine.

You may have to uninstall and re-install Mozilla.
**********************************
Ok. Let's try this again and see if we can rid of the infection.

Re-running ComboFix to remove infections:

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open notepad and copy/paste the text in the quotebox below into it:
Quote
KillAll::

File::
c:\documents and settings\Freddex\Start Menu\Programs\Startup\asmup.exe
c:\documents and settings\Freddex\Start Menu\Programs\Startup\awgu.exe
c:\documents and settings\Freddex\Start Menu\Programs\Startup\booxoc.exe
c:\documents and settings\Freddex\Start Menu\Programs\Startup\feybuv.exe
c:\documents and settings\Freddex\Start Menu\Programs\Startup\hierb.exe
c:\documents and settings\Freddex\Start Menu\Programs\Startup\hoip.exe

c:\documents and settings\Guest\Start Menu\Programs\Startup\dobi.exe
c:\documents and settings\Guest\Start Menu\Programs\Startup\fifyys.exe
c:\documents and settings\Guest\Start Menu\Programs\Startup\kyuq.exe
c:\documents and settings\Guest\Start Menu\Programs\Startup\ohxieh.exe
c:\documents and settings\Guest\Start Menu\Programs\Startup\oxyta.exe
c:\documents and settings\Guest\Start Menu\Programs\Startup\poerb.exe
c:\documents and settings\Guest\Start Menu\Programs\Startup\ybxuwo.exe
c:\documents and settings\Guest\Start Menu\Programs\Startup\ybykl.exe
c:\documents and settings\Guest\Start Menu\Programs\Startup\ylreeb.exe

c:\documents and settings\Default User\Start Menu\Programs\Startup\afowy.exe
c:\documents and settings\Default User\Start Menu\Programs\Startup\avwe.exe
c:\documents and settings\Default User\Start Menu\Programs\Startup\ewgy.exe
c:\documents and settings\Default User\Start Menu\Programs\Startup\heopy.exe
c:\documents and settings\Default User\Start Menu\Programs\Startup\higi.exe
c:\documents and settings\Default User\Start Menu\Programs\Startup\kiqeow.exe
c:\documents and settings\Default User\Start Menu\Programs\Startup\loqayh.exe
c:\documents and settings\Default User\Start Menu\Programs\Startup\tezie.exe
c:\documents and settings\Default User\Start Menu\Programs\Startup\xuwi.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"=-
Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt
Please post the contents of the log in your next reply.

Freddex · « **Reply #28 on:** September 30, 2010, 08:37:32 PM »

ComboFix 10-09-30.03 - sey administrator 09/30/2010 21:57:27.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.112 [GMT -4:00]
Running from: c:\documents and settings\sey administrator\Desktop\Commy.exe
Command switches used :: c:\documents and settings\sey administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: PC Tools Firewall Plus *disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"c:\documents and settings\Default User\Start Menu\Programs\Startup\afowy.exe"
"c:\documents and settings\Default User\Start Menu\Programs\Startup\avwe.exe"
"c:\documents and settings\Default User\Start Menu\Programs\Startup\ewgy.exe"
"c:\documents and settings\Default User\Start Menu\Programs\Startup\heopy.exe"
"c:\documents and settings\Default User\Start Menu\Programs\Startup\higi.exe"
"c:\documents and settings\Default User\Start Menu\Programs\Startup\kiqeow.exe"
"c:\documents and settings\Default User\Start Menu\Programs\Startup\loqayh.exe"
"c:\documents and settings\Default User\Start Menu\Programs\Startup\tezie.exe"
"c:\documents and settings\Default User\Start Menu\Programs\Startup\xuwi.exe"
"c:\documents and settings\Freddex\Start Menu\Programs\Startup\asmup.exe"
"c:\documents and settings\Freddex\Start Menu\Programs\Startup\awgu.exe"
"c:\documents and settings\Freddex\Start Menu\Programs\Startup\booxoc.exe"
"c:\documents and settings\Freddex\Start Menu\Programs\Startup\feybuv.exe"
"c:\documents and settings\Freddex\Start Menu\Programs\Startup\hierb.exe"
"c:\documents and settings\Freddex\Start Menu\Programs\Startup\hoip.exe"
"c:\documents and settings\Guest\Start Menu\Programs\Startup\dobi.exe"
"c:\documents and settings\Guest\Start Menu\Programs\Startup\fifyys.exe"
"c:\documents and settings\Guest\Start Menu\Programs\Startup\kyuq.exe"
"c:\documents and settings\Guest\Start Menu\Programs\Startup\ohxieh.exe"
"c:\documents and settings\Guest\Start Menu\Programs\Startup\oxyta.exe"
"c:\documents and settings\Guest\Start Menu\Programs\Startup\poerb.exe"
"c:\documents and settings\Guest\Start Menu\Programs\Startup\ybxuwo.exe"
"c:\documents and settings\Guest\Start Menu\Programs\Startup\ybykl.exe"
"c:\documents and settings\Guest\Start Menu\Programs\Startup\ylreeb.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Default User\Start Menu\Programs\Startup\afowy.exe
c:\documents and settings\Default User\Start Menu\Programs\Startup\avwe.exe
c:\documents and settings\Default User\Start Menu\Programs\Startup\ewgy.exe
c:\documents and settings\Default User\Start Menu\Programs\Startup\heopy.exe
c:\documents and settings\Default User\Start Menu\Programs\Startup\higi.exe
c:\documents and settings\Default User\Start Menu\Programs\Startup\kiqeow.exe
c:\documents and settings\Default User\Start Menu\Programs\Startup\loqayh.exe
c:\documents and settings\Default User\Start Menu\Programs\Startup\tezie.exe
c:\documents and settings\Default User\Start Menu\Programs\Startup\xuwi.exe
c:\documents and settings\Freddex\Start Menu\Programs\Startup\asmup.exe
c:\documents and settings\Freddex\Start Menu\Programs\Startup\awgu.exe
c:\documents and settings\Freddex\Start Menu\Programs\Startup\booxoc.exe
c:\documents and settings\Freddex\Start Menu\Programs\Startup\feybuv.exe
c:\documents and settings\Freddex\Start Menu\Programs\Startup\hierb.exe
c:\documents and settings\Freddex\Start Menu\Programs\Startup\hoip.exe
c:\documents and settings\Guest\Start Menu\Programs\Startup\dobi.exe
c:\documents and settings\Guest\Start Menu\Programs\Startup\fifyys.exe
c:\documents and settings\Guest\Start Menu\Programs\Startup\kyuq.exe
c:\documents and settings\Guest\Start Menu\Programs\Startup\ohxieh.exe
c:\documents and settings\Guest\Start Menu\Programs\Startup\oxyta.exe
c:\documents and settings\Guest\Start Menu\Programs\Startup\poerb.exe
c:\documents and settings\Guest\Start Menu\Programs\Startup\ybxuwo.exe
c:\documents and settings\Guest\Start Menu\Programs\Startup\ybykl.exe
c:\documents and settings\Guest\Start Menu\Programs\Startup\ylreeb.exe
c:\documents and settings\sey administrator\Application Data\Zagy\xocu.exe
c:\program files\Internet Explorer\dmlconf.dat
c:\program files\Microsoft\DesktopLayer.exe
c:\windows\ExplorerSrv.exe
c:\windows\system32\rundll32Srv.exe

.
((((((((((((((((((((((((( Files Created from 2010-09-01 to 2010-10-01 )))))))))))))))))))))))))))))))
.

2010-09-29 22:11 . 2010-09-29 22:11   388096   ----a-r-   c:\documents and settings\sey administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-29 04:28 . 2010-09-29 05:01   --------   d-----w-   C:\Commy2756C
2010-09-29 04:26 . 2010-09-29 04:54   229376   ----a-w-   c:\documents and settings\sey administrator\Application Data\Fako\anuq.exe
2010-09-29 04:26 . 2010-09-29 04:26   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\Fako
2010-09-29 04:26 . 2010-10-01 02:09   --------   d-----w-   c:\program files\temp
2010-09-29 02:20 . 2010-09-29 02:20   --------   d--h--w-   c:\windows\PIF
2010-09-27 02:42 . 2010-09-27 03:23   --------   d-----w-   C:\Commy9393C
2010-09-26 00:31 . 2010-09-26 00:32   --------   d-----w-   c:\program files\7-Zip
2010-09-25 23:54 . 2010-09-26 00:09   --------   d-----w-   C:\RootRepeal
2010-09-25 22:36 . 2010-09-25 23:32   --------   d-----w-   C:\Commy18057C
2010-09-25 16:09 . 2010-09-25 16:09   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\Ashampoo
2010-09-25 16:07 . 2010-09-25 16:07   --------   d-----w-   c:\documents and settings\sey administrator\Local Settings\Application Data\ashampoo
2010-09-25 16:07 . 2010-09-25 16:07   --------   d-----w-   c:\documents and settings\All Users\Application Data\ashampoo
2010-09-25 16:07 . 2010-09-25 16:07   --------   d-----w-   c:\program files\Ashampoo
2010-09-21 04:26 . 2010-09-21 05:11   --------   d-----w-   C:\Commy
2010-09-18 06:16 . 2010-09-18 06:16   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\AVG9
2010-09-16 17:03 . 2010-09-16 17:04   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-09-16 05:52 . 2010-09-16 05:52   --------   d-----w-   c:\program files\Trend Micro
2010-09-16 04:44 . 2010-07-17 09:00   423656   ----a-w-   c:\windows\system32\deployJava1.dll
2010-09-15 18:04 . 2010-09-15 18:04   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\Malwarebytes
2010-09-15 18:03 . 2010-04-29 19:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-15 18:03 . 2010-09-15 18:03   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-15 18:02 . 2010-04-29 19:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-09-15 18:02 . 2010-09-15 18:04   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-09-15 04:49 . 2010-09-15 04:49   --------   d-----w-   c:\documents and settings\Freddex\Application Data\PCToolsFirewallPlus
2010-09-14 16:25 . 2010-09-20 20:40   95744   ----a-w-   c:\documents and settings\sey administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-09-14 16:25 . 2010-09-20 20:40   161280   ----a-w-   c:\documents and settings\sey administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-14 16:24 . 2010-09-14 16:24   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-09-14 16:24 . 2010-09-14 16:24   --------   d-----w-   c:\program files\SUPERAntiSpyware
2010-09-14 16:24 . 2010-09-14 16:24   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\SUPERAntiSpyware.com
2010-09-14 16:20 . 2010-09-14 16:20   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2010-09-14 15:58 . 2010-09-14 15:58   --------   d-----w-   c:\program files\CCleaner
2010-09-14 15:45 . 2010-09-14 15:46   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\PCToolsFirewallPlus
2010-09-14 15:41 . 2009-11-23 17:54   88040   ----a-w-   c:\windows\system32\drivers\PCTAppEvent.sys
2010-09-14 15:41 . 2009-11-09 15:20   207792   ----a-w-   c:\windows\system32\drivers\PCTCore.sys
2010-09-14 15:41 . 2010-01-07 16:40   233136   ----a-w-   c:\windows\system32\drivers\pctgntdi.sys
2010-09-14 15:40 . 2010-01-12 13:34   70664   ----a-w-   c:\windows\system32\drivers\pctNdis-PacketFilter.sys
2010-09-14 15:40 . 2010-01-07 15:35   58816   ----a-w-   c:\windows\system32\drivers\pctNdis.sys
2010-09-14 15:40 . 2010-01-07 15:35   32680   ----a-w-   c:\windows\system32\drivers\pctNdis-DNS.sys
2010-09-14 15:40 . 2010-01-13 12:59   115216   ----a-w-   c:\windows\system32\drivers\pctplfw.sys
2010-09-14 15:40 . 2010-09-23 01:11   --------   d-----w-   c:\program files\PC Tools Firewall Plus
2010-09-11 21:36 . 2010-09-11 21:36   --------   d-sh--w-   c:\documents and settings\NetworkService\IETldCache
2010-09-11 21:22 . 2010-09-21 02:45   120   ----a-w-   c:\windows\Qwavifetahefozu.dat
2010-09-11 21:16 . 2010-09-13 17:46   --------   d-----w-   c:\documents and settings\Freddex\Application Data\C48C287A5F27A887A3E6CDBB287BDE57
2010-09-04 18:14 . 2010-09-04 22:37   --------   d-----w-   c:\documents and settings\Freddex\Application Data\FileZilla
2010-09-04 18:13 . 2010-09-16 05:54   --------   d-----w-   c:\program files\Filezilla 3.3.2.1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-01 02:15 . 2010-01-05 23:15   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
2010-10-01 02:14 . 2006-01-05 19:52   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\Zyinl
2010-10-01 02:08 . 2010-01-01 16:11   --------   d-----w-   c:\program files\Microsoft
2010-10-01 02:06 . 2008-08-28 05:11   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\Zagy
2010-09-30 11:00 . 2010-01-01 16:20   --------   d-----w-   c:\program files\Microsoft Silverlight
2010-09-29 04:51 . 2006-02-01 21:03   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\Ossiv
2010-09-27 22:48 . 2010-07-17 10:38   --------   d-----w-   c:\documents and settings\Freddex\Application Data\Ihduy
2010-09-27 03:15 . 2005-08-30 02:56   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\Mewao
2010-09-27 01:48 . 2008-04-21 16:55   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\Hykapo
2010-09-25 22:29 . 2008-12-03 12:31   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\Efpea
2010-09-24 00:22 . 2010-08-18 15:27   --------   d-----w-   c:\documents and settings\Freddex\Application Data\Uwdie
2010-09-23 23:47 . 2009-11-10 22:50   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\Gymu
2010-09-21 05:01 . 2010-02-21 18:58   --------   d-----w-   c:\program files\QuickTime
2010-09-20 20:40 . 2010-03-31 20:32   393216   ----a-w-   c:\documents and settings\sey administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-501e625d-n\msvcr71.dll
2010-09-20 20:40 . 2010-05-28 16:56   393216   ----a-w-   c:\documents and settings\sey administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-367bd4db-n\msvcr71.dll
2010-09-20 20:39 . 2010-08-09 00:56   393216   ----a-w-   c:\documents and settings\sey administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-61f91632-n\msvcr71.dll
2010-09-20 20:30 . 2010-03-23 23:46   393216   ----a-w-   c:\documents and settings\Freddex\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-34777ea4-n\msvcr71.dll
2010-09-20 20:30 . 2010-05-25 23:18   393216   ----a-w-   c:\documents and settings\Freddex\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-47f9ff1d-n\msvcr71.dll
2010-09-20 20:29 . 2010-08-03 02:18   393216   ----a-w-   c:\documents and settings\Freddex\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7c91b2a5-n\msvcr71.dll
2010-09-16 16:29 . 2010-03-23 22:54   --------   d-----w-   c:\program files\DivX
2010-09-16 16:29 . 2010-02-21 21:01   --------   d-----w-   c:\program files\LimeWire Music
2010-09-16 05:54 . 2001-09-19 06:51   --------   d-----w-   c:\program files\Microsoft Works
2010-09-16 04:44 . 2010-03-23 23:42   --------   d-----w-   c:\program files\Java
2010-09-14 15:41 . 2010-01-05 23:15   --------   d-----w-   c:\program files\Common Files\PC Tools
2010-09-14 15:04 . 2010-02-21 21:02   --------   d-----w-   c:\program files\ToggleEN
2010-09-14 14:13 . 2010-05-29 21:46   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\Skype
2010-09-14 14:02 . 2010-09-13 15:55   112   ----a-w-   c:\documents and settings\All Users\Application Data\r5NCJ5GrW.dat
2010-09-11 20:32 . 2010-04-14 21:49   --------   d-----w-   c:\documents and settings\Freddex\Application Data\uTorrent
2010-09-11 16:49 . 2010-07-01 19:46   --------   d-----w-   c:\documents and settings\Freddex\Application Data\LimeWire Music
2010-08-31 02:30 . 2010-02-21 21:01   --------   d-----w-   c:\program files\Download_Energy
2010-08-31 00:39 . 2010-08-31 00:39   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\IObit
2010-08-22 07:09 . 2010-04-18 15:57   --------   d-----w-   c:\documents and settings\Freddex\Application Data\Skype
2010-08-14 16:09 . 2010-03-23 22:52   --------   d-----w-   c:\documents and settings\All Users\Application Data\DivX
2010-08-11 13:18 . 2010-01-05 23:50   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-08-09 00:56 . 2010-08-09 00:56   503808   ----a-w-   c:\documents and settings\sey administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-61f91632-n\msvcp71.dll
2010-08-09 00:56 . 2010-08-09 00:56   499712   ----a-w-   c:\documents and settings\sey administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-61f91632-n\jmc.dll
2010-08-09 00:56 . 2010-08-09 00:56   61440   ----a-w-   c:\documents and settings\sey administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1ab01405-n\decora-sse.dll
2010-08-09 00:56 . 2010-08-09 00:56   12800   ----a-w-   c:\documents and settings\sey administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1ab01405-n\decora-d3d.dll
2010-08-03 02:18 . 2010-08-03 02:18   503808   ----a-w-   c:\documents and settings\Freddex\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7c91b2a5-n\msvcp71.dll
2010-08-03 02:18 . 2010-08-03 02:18   499712   ----a-w-   c:\documents and settings\Freddex\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7c91b2a5-n\jmc.dll
2010-08-03 02:18 . 2010-08-03 02:18   61440   ----a-w-   c:\documents and settings\Freddex\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-51d40a07-n\decora-sse.dll
2010-08-03 02:18 . 2010-08-03 02:18   12800   ----a-w-   c:\documents and settings\Freddex\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-51d40a07-n\decora-d3d.dll
2010-07-16 13:30 . 2010-01-05 23:49   243024   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
2010-07-16 13:30 . 2010-07-16 13:30   12536   ----a-w-   c:\windows\system32\avgrsstx.dll
2010-07-16 13:29 . 2010-01-05 23:49   25168   ----a-w-   c:\windows\system32\drivers\AVGIDSxx.sys
2010-07-16 13:28 . 2010-01-05 23:49   216400   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
.

Code: [Select]

<pre>
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\COMPAQ\Coloreal\coloreal .exe
c:\program files\COMPAQ\Easy Access Button Support\StartEAK .exe
c:\program files\IObit\Advanced SystemCare 3\AWC .exe
c:\program files\Messenger\msmsgs .exe
c:\program files\Microsoft Works\WkDetect .exe
c:\program files\QuickTime\qttask             .exe
c:\program files\Skype\Phone\Skype .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\windows\system32\rundll32 .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
"{ad708c09-d51b-45b3-9d28-4eba2681febf}"= "c:\program files\Download_Energy\tbDow1.dll" [2010-09-21 2735200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_CLASSES_ROOT\clsid\{ad708c09-d51b-45b3-9d28-4eba2681febf}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 14:25   2117704   ----a-w-   c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ad708c09-d51b-45b3-9d28-4eba2681febf}]
2010-09-21 03:45   2735200   ----a-w-   c:\program files\Download_Energy\tbDow1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
"{ad708c09-d51b-45b3-9d28-4eba2681febf}"= "c:\program files\Download_Energy\tbDow1.dll" [2010-09-21 2735200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{ad708c09-d51b-45b3-9d28-4eba2681febf}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
"{AD708C09-D51B-45B3-9D28-4EBA2681FEBF}"= "c:\program files\Download_Energy\tbDow1.dll" [2010-09-21 2735200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{ad708c09-d51b-45b3-9d28-4eba2681febf}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr .exe" [2009-07-26 3883856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [N/A]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [N/A]
"{257715E4-3F57-82F0-2A8F-9F44FF99EE07}"="c:\documents and settings\sey administrator\Application Data\Ysulne\emxy.exe" [2006-06-26 185856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2001-08-08 143360]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2001-08-08 90112]
"WCOLOREAL"="c:\program files\COMPAQ\Coloreal\coloreal.exe" [N/A]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2000-07-13 311350]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [N/A]
"EPSON Stylus C44 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S09IC1.EXE" [2002-12-25 75776]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2010-01-12 3168216]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"nonep"="c:\docume~1\SEYADM~1\LOCALS~1\Temp\tmp11fbc224\KillEXE.exe" [2010-10-01 237056]

c:\documents and settings\Freddex\Start Menu\Programs\Startup\
pypa.exe [2010-9-30 229376]

c:\documents and settings\Guest\Start Menu\Programs\Startup\
faopew.exe [2010-9-30 229376]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
maqa.exe [2010-9-30 229376]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2010-09-21 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-16 13:30   12536   ----a-w-   c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\LimeWire Music\\LimeWire Music.exe"=
"c:\\Program Files\\WinMX\\WinMX.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [1/5/2010 7:49 PM 25168]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [1/5/2010 7:49 PM 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/5/2010 7:49 PM 216400]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/5/2010 7:49 PM 243024]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [9/14/2010 11:41 AM 233136]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [7/16/2010 9:28 AM 921952]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/16/2010 9:29 AM 308136]
R2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [7/16/2010 9:28 AM 2331032]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [9/14/2010 11:41 AM 88040]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [1/5/2010 7:15 PM 583640]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [1/5/2010 7:48 PM 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [1/5/2010 7:49 PM 122448]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [1/5/2010 7:48 PM 30288]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [1/5/2010 7:48 PM 26192]
R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [9/14/2010 11:40 AM 70664]
R3 pctNDIS;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [9/14/2010 11:40 AM 58816]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [9/14/2010 11:40 AM 115216]
R3 SUNPLUS;SightCAM PC-100p;c:\windows\system32\drivers\spixnew.sys [1/21/2010 6:10 PM 95528]
S1 EACMOS;EACMOS;c:\windows\system32\drivers\EACMOS.SYS --> c:\windows\system32\drivers\EACMOS.SYS [?]
S2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [7/16/2010 9:29 AM 5897808]
S2 gupdate1cacadbef3afef0;Google Update Service (gupdate1cacadbef3afef0);c:\program files\Google\Update\GoogleUpdate.exe [3/23/2010 6:55 PM 133104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [1/5/2010 7:48 PM 30104]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
.
Contents of the 'Scheduled Tasks' folder

2010-10-01 c:\windows\Tasks\AWC AutoSweep.job
- c:\program files\IObit\Advanced SystemCare 3\AutoSweep.exe [2010-04-14 18:11]

2010-10-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-23 22:54]

2010-09-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-23 22:54]

2004-09-01 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-09-20 07:56]

2004-09-01 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-09-20 07:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\sey administrator\Application Data\Mozilla\Firefox\Profiles\3mmgr645.default\
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-30 22:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ACTIVEX_REPURPOSEDETECTION]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000001
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_IMG]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000001
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000001
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000001
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
@DACL=(02 0000)
"sllauncher.exe"=dword:00001f40

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_Cross_Domain_Redirect_Mitigation]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_LEGACY_COMPRESSION]
@DACL=(02 0000)
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_SQM_UPLOAD_FOR_APP]
@DACL=(02 0000)
"ieuser.exe"=dword:00000001
"iexplore.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_TELNET_PROTOCOL]
@DACL=(02 0000)
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK]
@DACL=(02 0000)
"YahooMusicEngine.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_SCRIPT_PASTE_URLACTION_IF_PROMPT]
@DACL=(02 0000)
"devenv.exe"=dword:00000001
"dexplore.exe"=dword:00000001
"helppane.exe"=dword:00000001
"sllauncher.exe"=dword:00000000
"PresentationHost.exe"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_FEEDS]
@DACL=(02 0000)
"msfeedssync.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_FORCE_ADDR_AND_STATUS]
@DACL=(02 0000)
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_XML_PROLOG]
@DACL=(02 0000)
"msiexec.exe"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IMAGING_USE_ART]
@DACL=(02 0000)
@=""
"waol.exe"=dword:00000001
"cs.exe"=dword:00000001
"wm.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INTERNET_SHELL_FOLDERS]
@DACL=(02 0000)
"iexplore.exe"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS]
@DACL=(02 0000)
"helppane.exe"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DLCONTROL_BEHAVIORS]
@DACL=(02 0000)
"wlmail.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000006
"explorer.exe"=dword:00000004

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000006
"explorer.exe"=dword:00000002

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME]
@DACL=(02 0000)
"mshta.exe"=dword:00000001
"outlook.exe"=dword:00000001
"sidebar.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RELEASE_CALLBACK_ON_STOP_BINDING]
@DACL=(02 0000)
"communicator.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ABOUT_PROTOCOL_IE7]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000001
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD]
@DACL=(02 0000)
"wlmail.exe"=dword:00000001
"msimn.exe"=dword:00000001
"winmail.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_OBJECT_DATA_ATTRIBUTE]
@DACL=(02 0000)
"WindowsLiveWriter.exe"=dword:00000001
"sllauncher.exe"=dword:00000001
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_RES_TO_LMZ]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000001
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_APP_PROTOCOL_WARN_DIALOG]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000001
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SSLUX]
@DACL=(02 0000)
"PresentationHost.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SUBDOWNLOAD_LOCKDOWN]
@DACL=(02 0000)
"wlmail.exe"=dword:00000001
"msimn.exe"=dword:00000001
"outlook.exe"=dword:00000001
"winmail.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_WINDOWEDSELECTCONTROL]
@DACL=(02 0000)
"excel.exe"=dword:00000001
"infopath.exe"=dword:00000001
"powerpnt.exe"=dword:00000001
"winword.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VIEWLINKEDWEBOC_IS_UNSAFE]
@DACL=(02 0000)
"sllauncher.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_MOVESIZECHILD]
@DACL=(02 0000)
"msn.exe"=dword:00000001
"msn6.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER]
@DACL=(02 0000)
"iexplore.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
@=""
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
@=""
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
@=""
"Installed"="1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\NdisWanIp]
@DACL=(02 0000)
"LLInterface"="WANARP"
"IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{E2E03A56-F650-49AD-9458-84AC5A26824B}\00Tcpip\\Parameters\\Interfaces\\{9D1E836B-DDA1-48F1-825D-3BE14B2C290C}\00Tcpip\\Parameters\\Interfaces\\{9215A54E-3EAA-4DC2-8EFE-4731C26E1349}\00Tcpip\\Parameters\\Interfaces\\{6F8E307F-9A7C-408A-AFAF-3615FCFA4CEF}\00\00"
"NumInterfaces"=dword:00000004
"IpInterfaces"=hex:56,3a,e0,e2,50,f6,ad,49,94,58,84,ac,5a,26,82,4b,6b,83,1e,9d,
a1,dd,f1,48,82,5d,3b,e1,4b,2c,29,0c,4e,a5,15,92,aa,3e,c2,4d,8e,fe,47,31,c2,\

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\{6DE38E76-6721-44BE-B4B6-A8A60FA66767}]
@DACL=(02 0000)
"LLInterface"=""
"IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{6DE38E76-6721-44BE-B4B6-A8A60FA66767}\00\00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\{B006CFFA-964A-4BFA-84AB-6CB924F4DB19}]
@DACL=(02 0000)
"LLInterface"=""
"IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{B006CFFA-964A-4BFA-84AB-6CB924F4DB19}\00\00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0AA05CFB-0DDF-48E4-ABE8-1E78BE894167}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{1ADA907D-9145-41B7-BD1B-0B8078EF8185}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{22DC89FD-1B4F-4DDE-97E1-D2BF70D78AF0}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{2F865EAA-DF52-4F83-B627-C01FA56AB1B5}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3C6A114E-ACC8-482C-A644-165006071E4F}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{4D0EE19D-53FB-42ED-929E-2CAD8D4DA3A2}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{56A4F766-5440-49EE-96D3-D509BA7BE4E9}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5B98C0D8-F928-4D49-9882-4DFE65D95C61}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{6F8E307F-9A7C-408A-AFAF-3615FCFA4CEF}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000
"NTEContextList"=multi:"\00"
"DhcpClassIdBin"=hex:
"DhcpIPAddress"="0.0.0.0"
"DhcpSubnetMask"="0.0.0.0"
"Domain"=""
"NameServer"=""
"RegistrationEnabled"=dword:00000000
"RegisterAdapterName"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{865C35FD-C16A-4B32-B547-8928CE953669}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{8E76D28B-D819-435F-9D94-8F0EC4038520}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{9215A54E-3EAA-4DC2-8EFE-4731C26E1349}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{93DFA675-845C-4FB9-B057-A889D11F364B}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{9D1E836B-DDA1-48F1-825D-3BE14B2C290C}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000
"NTEContextList"=multi:"\00"
"DhcpIPAddress"="0.0.0.0"
"DhcpSubnetMask"="0.0.0.0"
"Domain"=""
"NameServer"=""
"RegistrationEnabled"=dword:00000000
"DhcpClassIdBin"=hex:
"RegisterAdapterName"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{B006CFFA-964A-4BFA-84AB-6CB924F4DB19}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"DefaultGatewayMetric"=multi:"\00"
"NameServer"=""
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=multi:"0\00\00"
"UDPAllowedPorts"=multi:"0\00\00"
"RawIPAllowedProtocols"=multi:"0\00\00"
"NTEContextList"=multi:"0x00000003\00\00"
"DhcpClassIdBin"=hex:

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{D42BF3B8-5D36-47B6-AA88-2A5C0A88AFF6}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E2E03A56-F650-49AD-9458-84AC5A26824B}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{EB685907-EFEF-49BC-836B-43B28D8A9E73}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F2661AF6-B3C2-4CB3-BEF6-D0571C34617B}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{FF2BE8C5-F6C8-4DEE-9C06-8F61850569D8}]
@DACL=(02 0000)
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=multi:"0.0.0.0\00\00"
"SubnetMask"=multi:"0.0.0.0\00\00"
"DefaultGateway"=multi:"\00"
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1048)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3376)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\PC Tools Firewall Plus\FWService.exe
c:\windows\system32\pctspk.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2010-09-30 22:22:57 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-01 02:22
ComboFix2.txt 2010-09-29 05:01
ComboFix3.txt 2010-09-27 03:23
ComboFix4.txt 2010-09-25 23:32
ComboFix5.txt 2010-10-01 01:53

Pre-Run: 11,981,570,048 bytes free
Post-Run: 11,984,351,232 bytes free

- - End Of File - - 4BDE2E4968DAF9B28B098BB3C67D1876

SuperDave · « **Reply #29 on:** October 03, 2010, 12:24:25 PM »

Re-run MBAM:

Code:
Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply..

Computer Hope Forum

News:

Author Topic: Need help - Trojan\Malware problem!!! (Read 28827 times)

Freddex

Re: Need help - Trojan\Malware problem!!!

Freddex

Re: Need help - Trojan\Malware problem!!!

Freddex

Re: Need help - Trojan\Malware problem!!!

SuperDave

Re: Need help - Trojan\Malware problem!!!

Freddex

Re: Need help - Trojan\Malware problem!!!

Freddex

Re: Need help - Trojan\Malware problem!!!

SuperDave

Re: Need help - Trojan\Malware problem!!!

Freddex

Re: Need help - Trojan\Malware problem!!!

Freddex

Re: Need help - Trojan\Malware problem!!!

SuperDave

Re: Need help - Trojan\Malware problem!!!

Freddex

Re: Need help - Trojan\Malware problem!!!

Freddex

Re: Need help - Trojan\Malware problem!!!

SuperDave

Re: Need help - Trojan\Malware problem!!!

Freddex

Re: Need help - Trojan\Malware problem!!!

SuperDave

Re: Need help - Trojan\Malware problem!!!