Resolved HJT Threads Resolved spyware and popup issues.
03-03-2007, 08:40 AM   #21
Registered User
Join Date: Feb 2007
Posts: 21
OS: XP home edition

My Java was an older v1.3.1, so I had just upgraded my Java to JRE version 6 two days back. I am making sure: do you really want me to move/quarantine the following?

C:\Program Files\Java\jre1.6.0\bin\keytool.exe
C:\Program Files\Java\jre1.6.0\bin\kinit.exe
C:\Program Files\Java\jre1.6.0\bin\klist.exe
C:\Program Files\Java\jre1.6.0\bin\ktab.exe
C:\Program Files\Java\jre1.6.0\bin\orbd.exe
C:\Program Files\Java\jre1.6.0\bin\pack200.exe
C:\Program Files\Java\jre1.6.0\bin\policytool.exe
C:\Program Files\Java\jre1.6.0\bin\rmid.exe
C:\Program Files\Java\jre1.6.0\bin\rmiregistry.exe
C:\Program Files\Java\jre1.6.0\bin\servertool.exe
tsf1jay
03-03-2007, 09:14 AM   #22
Analyst, Security Team
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2

Yep, they are infected files. If we need to move them out of quarantine, we can always do so later. Better yet, once your system is clean, you can then reinstall Java Runtime Environment (JRE) 6.

Let me know how things are running now.

Cheers!
~ Semps
__________________

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum

Last edited by Sempurna; 03-03-2007 at 09:15 AM.
Sempurna
03-03-2007, 03:21 PM   #23
Registered User
Join Date: Feb 2007
Posts: 21
OS: XP home edition

Here are the logs.
===winlogon.exe.txt====
Process PID CPU Description Company Name
System Idle Process 0 91.43
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 416 Windows NT Session Manager Microsoft Corporation
csrss.exe 464 Client Server Runtime Process Microsoft Corporation
winlogon.exe 488
services.exe 532 2.86 Services and Controller app Microsoft Corporation
svchost.exe 696 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 752 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 820 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 864 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 984 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 1164 Spooler SubSystem App Microsoft Corporation
Mcdetect.exe 1664 McAfee WSC Integration Service McAfee, Inc
McShield.exe 1684 On-Access Scanner service McAfee Inc.
McTskshd.exe 1732 McAfee Task Scheduler McAfee, Inc
svchost.exe 1856 Generic Host Process for Win32 Services Microsoft Corporation
lsass.exe 544 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 1348 Windows Explorer Microsoft Corporation
zHotkey.exe 1460 Chicony Multimedia Driver Chicony
mcvsshld.exe 1484 McAfee VirusScan ActiveShield Resource McAfee, Inc.
McVSEscn.exe 1524 McAfee VirusScan E-mail Scan Module McAfee, Inc.
oasclnt.exe 1492 McAfee VirusScan OAS Client McAfee, Inc.
jusched.exe 1528 Java(TM) Platform SE binary Sun Microsystems, Inc.
googletalk.exe 1552 Google Talk Google
iexplore.exe 3148 Internet Explorer Microsoft Corporation
procexp.exe 2772 5.71 Sysinternals Process Explorer Sysinternals

Process: winlogon.exe Pid: 488

Name Description Company Name Version
advapi32.dll Advanced Windows 32 Base API Microsoft Corporation 5.01.2600.2180
apphelp.dll Application Compatibility Client Library Microsoft Corporation 5.01.2600.2180
authz.dll Authorization Framework Microsoft Corporation 5.01.2600.2180
clbcatq.dll Microsoft Corporation 2001.12.4414.0258
comctl32.dll Common Controls Library Microsoft Corporation 5.82.2900.2180
comctl32.dll User Experience Controls Library Microsoft Corporation 6.00.2900.2180
comdlg32.dll Common Dialogs DLL Microsoft Corporation 6.00.2900.2180
comres.dll Microsoft Corporation 2001.12.4414.0258
crypt32.dll Crypto API32 Microsoft Corporation 5.131.2600.2180
cscdll.dll Offline Network Agent Microsoft Corporation 5.01.2600.2180
cscui.dll Client Side Caching UI Microsoft Corporation 5.01.2600.2180
ctype.nls
gdi32.dll GDI Client DLL Microsoft Corporation 5.01.2600.2180
imagehlp.dll Windows NT Image Helper Microsoft Corporation 5.01.2600.2180
iphlpapi.dll IP Helper API Microsoft Corporation 5.01.2600.2180
kernel32.dll Windows NT BASE API Client DLL Microsoft Corporation 5.01.2600.2180
locale.nls
midimap.dll Microsoft MIDI Mapper Microsoft Corporation 5.01.2600.2180
mpr.dll Multiple Provider Router DLL Microsoft Corporation 5.01.2600.2180
msacm32.dll Microsoft ACM Audio Filter Microsoft Corporation 5.01.2600.2180
msacm32.drv Microsoft Sound Mapper Microsoft Corporation 5.01.2600.0000
msasn1.dll ASN.1 Runtime APIs Microsoft Corporation 5.01.2600.2180
msgina.dll Windows NT Logon GINA DLL Microsoft Corporation 5.01.2600.2180
msv1_0.dll Microsoft Authentication Package v1.0 Microsoft Corporation 5.01.2600.2180
msvcrt.dll Windows NT CRT DLL Microsoft Corporation 7.00.2600.2180
nddeapi.dll Network DDE Share Management APIs Microsoft Corporation 5.01.2600.2180
netapi32.dll Net Win32 API DLL Microsoft Corporation 5.01.2600.2180
ntdll.dll NT Layer DLL Microsoft Corporation 5.01.2600.2180
ntmarta.dll Windows NT MARTA provider Microsoft Corporation 5.01.2600.2180
odbc32.dll Microsoft Data Access - ODBC Driver Manager Microsoft Corporation 3.525.1117.0000
odbcint.dll Microsoft Data Access - ODBC Resources Microsoft Corporation 3.525.1117.0000
ole32.dll Microsoft OLE for Windows Microsoft Corporation 5.01.2600.2180
oleaut32.dll Microsoft Corporation 5.01.2600.2180
profmap.dll Userenv Microsoft Corporation 5.01.2600.2180
psapi.dll Process Status Helper Microsoft Corporation 5.01.2600.2180
R000000000008.clb
regapi.dll Registry Configuration APIs Microsoft Corporation 5.01.2600.2180
rpcrt4.dll Remote Procedure Call Runtime Microsoft Corporation 5.01.2600.2180
rsaenh.dll Microsoft Enhanced Cryptographic Provider Microsoft Corporation 5.01.2600.2161
samlib.dll SAM Library DLL Microsoft Corporation 5.01.2600.2180
SASWINLO.dll SUPERAntiSpyware WinLogon Processor SUPERAntiSpyware.com 1.00.0000.1028
secur32.dll Security Support Provider Interface Microsoft Corporation 5.01.2600.2180
setupapi.dll Windows Setup API Microsoft Corporation 5.01.2600.2180
sfc.dll Windows File Protection Microsoft Corporation 5.01.2600.2180
sfc_os.dll Windows File Protection Microsoft Corporation 5.01.2600.2180
shell32.dll Windows Shell Common Dll Microsoft Corporation 6.00.2900.2180
shlwapi.dll Shell Light-weight Utility Library Microsoft Corporation 6.00.2900.2180
shsvcs.dll Windows Shell Services Dll Microsoft Corporation 6.00.2900.2180
sortkey.nls
sorttbls.nls
sxs.dll Fusion 2.5 Microsoft Corporation 5.01.2600.2180
unicode.nls
user32.dll Windows XP USER API Client DLL Microsoft Corporation 5.01.2600.2180
userenv.dll Userenv Microsoft Corporation 5.01.2600.2180
uxtheme.dll Microsoft UxTheme Library Microsoft Corporation 6.00.2900.2180
version.dll Version Checking and File Installation Libraries Microsoft Corporation 5.01.2600.2180
wdmaud.drv WDM Audio driver mapper Microsoft Corporation 5.01.2600.2180
wininet.dll Internet Extensions for Win32 Microsoft Corporation 6.00.2900.2518
winlogon.exe
winmm.dll MCI API DLL Microsoft Corporation 5.01.2600.2180
winscard.dll Microsoft Smart Card API Microsoft Corporation 5.01.2600.2180
winspool.drv Windows Spooler Driver Microsoft Corporation 5.01.2600.2180
winsta.dll Winstation Library Microsoft Corporation 5.01.2600.2180
wintrust.dll Microsoft Trust Verification APIs Microsoft Corporation 5.131.2600.2180
wldap32.dll Win32 LDAP API DLL Microsoft Corporation 5.01.2600.2180
wlnotify.dll Common DLL to receive Winlogon notifications Microsoft Corporation 5.01.2600.2180
ws2_32.dll Windows Socket 2.0 32-Bit DLL Microsoft Corporation 5.01.2600.2180
ws2help.dll Windows Socket 2.0 Helper for Windows NT Microsoft Corporation 5.01.2600.2180
wtsapi32.dll Windows Terminal Server SDK APIs Microsoft Corporation 5.01.2600.2180
xpsp2res.dll Service Pack 2 Messages Microsoft Corporation 5.01.2600.2180

======explorer.exe.txt======
Process PID CPU Description Company Name
System Idle Process 0 84.00
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 416 Windows NT Session Manager Microsoft Corporation
csrss.exe 464 1.33 Client Server Runtime Process Microsoft Corporation
winlogon.exe 488
explorer.exe 1348 1.33 Windows Explorer Microsoft Corporation
zHotkey.exe 1460 Chicony Multimedia Driver Chicony
mcvsshld.exe 1484 McAfee VirusScan ActiveShield Resource McAfee, Inc.
McVSEscn.exe 1524 McAfee VirusScan E-mail Scan Module McAfee, Inc.
oasclnt.exe 1492 McAfee VirusScan OAS Client McAfee, Inc.
jusched.exe 1528 Java(TM) Platform SE binary Sun Microsystems, Inc.
googletalk.exe 1552 Google Talk Google
iexplore.exe 3148 Internet Explorer Microsoft Corporation
procexp.exe 2772 10.67 Sysinternals Process Explorer Sysinternals

Process: explorer.exe Pid: 1348

Name Description Company Name Version
abg_plugin.dll 2.01.0000.0001
acgenral.dll Windows Compatibility DLL Microsoft Corporation 5.01.2600.2180
AcroIEHelper.dll Adobe Acrobat IE Helper Version 7.0 for ActiveX Adobe Systems Incorporated 7.00.0009.0050
AcroIEHelper.dll Adobe Acrobat IE Helper Version 7.0 for ActiveX Adobe Systems Incorporated 7.00.0009.0050
actxprxy.dll ActiveX Interface Marshaling Library Microsoft Corporation 6.00.2900.2180
advapi32.dll Advanced Windows 32 Base API Microsoft Corporation 5.01.2600.2180
AlbuDBps.dll Album Database Proxy/Stub DLL Logitech Inc. 8.02.0000.1192
apphelp.dll Application Compatibility Client Library Microsoft Corporation 5.01.2600.2180
atl.dll ATL Module for Windows XP (Unicode) Microsoft Corporation 3.05.2284.0000
batmeter.dll Battery Meter Helper DLL Microsoft Corporation 6.00.2900.2180
browselc.dll Shell Browser UI Library Microsoft Corporation 6.00.2900.2180
browseui.dll Shell Browser UI Library Microsoft Corporation 6.00.2900.2518
cfgmgr32.dll Configuration Manager Forwarder DLL Microsoft Corporation 5.01.2600.2180
clbcatq.dll Microsoft Corporation 2001.12.4414.0258
comctl32.dll User Experience Controls Library Microsoft Corporation 6.00.2900.2180
comctl32.dll Common Controls Library Microsoft Corporation 5.82.2900.2180
comdlg32.dll Common Dialogs DLL Microsoft Corporation 6.00.2900.2180
comres.dll Microsoft Corporation 2001.12.4414.0258
cp1041.nls
credui.dll Credential Manager User Interface Microsoft Corporation 5.01.2600.2180
crypt32.dll Crypto API32 Microsoft Corporation 5.131.2600.2180
cryptnet.dll Crypto Network Related API Microsoft Corporation 5.131.2600.2180
cryptui.dll Microsoft Trust UI Provider Microsoft Corporation 5.131.2600.2180
cscdll.dll Offline Network Agent Microsoft Corporation 5.01.2600.2180
cscui.dll Client Side Caching UI Microsoft Corporation 5.01.2600.2180
ctype.nls
davclnt.dll Web DAV Client DLL Microsoft Corporation 5.01.2600.2180
dnsapi.dll DNS Client API DLL Microsoft Corporation 5.01.2600.2180
drprov.dll Microsoft Terminal Server Network Provider Microsoft Corporation 5.01.2600.2180
explorer.exe Windows Explorer Microsoft Corporation 6.00.2900.2180
gdi32.dll GDI Client DLL Microsoft Corporation 5.01.2600.2180
GdiPlus.dll Microsoft GDI+ Microsoft Corporation 5.01.3102.2180
hccutils.dll hccutils Module Intel Corporation 3.00.0000.2104
HKNTDLL.dll
hnetcfg.dll Home Networking Configuration Manager Microsoft Corporation 5.01.2600.2180
igfxdev.dll igfxdev Module Intel Corporation 3.00.0000.2104
igfxpph.dll igfxpph Module Intel Corporation 3.00.0000.2104
igfxres.dll xxxxres Module Intel Corporation 3.00.0000.2104
igfxsrvc.dll igfxsrvc Module Intel Corporation 3.00.0000.2104
imagehlp.dll Windows NT Image Helper Microsoft Corporation 5.01.2600.2180
index.dat
index.dat
index.dat
index.dat
iphlpapi.dll IP Helper API Microsoft Corporation 5.01.2600.2180
kernel32.dll Windows NT BASE API Client DLL Microsoft Corporation 5.01.2600.2180
linkinfo.dll Windows Volume Tracking Microsoft Corporation 5.01.2600.2180
locale.nls
McVSSkt.Dll McAfee VirusScan Winsock Helper DLL McAfee, Inc. 10.00.0000.0026
midimap.dll Microsoft MIDI Mapper Microsoft Corporation 5.01.2600.2180
mpr.dll Multiple Provider Router DLL Microsoft Corporation 5.01.2600.2180
msacm32.dll Microsoft ACM Audio Filter Microsoft Corporation 5.01.2600.2180
msacm32.drv Microsoft Sound Mapper Microsoft Corporation 5.01.2600.0000
msasn1.dll ASN.1 Runtime APIs Microsoft Corporation 5.01.2600.2180
msgina.dll Windows NT Logon GINA DLL Microsoft Corporation 5.01.2600.2180
msi.dll Windows Installer Microsoft Corporation 3.00.3790.2180
msimg32.dll GDIEXT Client DLL Microsoft Corporation 5.01.2600.2180
msv1_0.dll Microsoft Authentication Package v1.0 Microsoft Corporation 5.01.2600.2180
Msvcr71.dll Microsoft® C Runtime Library Microsoft Corporation 7.10.3052.0004
msvcrt.dll Windows NT CRT DLL Microsoft Corporation 7.00.2600.2180
mswsock.dll Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation 5.01.2600.2180
netapi32.dll Net Win32 API DLL Microsoft Corporation 5.01.2600.2180
netrap.dll Net Remote Admin Protocol DLL Microsoft Corporation 5.01.2600.2180
netshell.dll Network Connections Shell Microsoft Corporation 5.01.2600.2180
netui0.dll NT LM UI Common Code - GUI Classes Microsoft Corporation 5.01.2600.2180
netui1.dll NT LM UI Common Code - Networking classes Microsoft Corporation 5.01.2600.2180
ntdll.dll NT Layer DLL Microsoft Corporation 5.01.2600.2180
ntlanman.dll Microsoft® Lan Manager Microsoft Corporation 5.01.2600.2180
ntshrui.dll Shell extensions for sharing Microsoft Corporation 5.01.2600.2180
odbc32.dll Microsoft Data Access - ODBC Driver Manager Microsoft Corporation 3.525.1117.0000
odbcint.dll Microsoft Data Access - ODBC Resources Microsoft Corporation 3.525.1117.0000
ole32.dll Microsoft OLE for Windows Microsoft Corporation 5.01.2600.2180
oleaut32.dll Microsoft Corporation 5.01.2600.2180
olepro32.dll Microsoft Corporation 5.01.2600.2180
pdfshell.dll PDF Shell Extension Adobe Systems, Inc. 7.00.0000.0000
powrprof.dll Power Profile Helper DLL Microsoft Corporation 6.00.2900.2180
R000000000008.clb
rasadhlp.dll Remote Access AutoDial Helper Microsoft Corporation 5.01.2600.2180
rasapi32.dll Remote Access API Microsoft Corporation 5.01.2600.2180
rasman.dll Remote Access Connection Manager Microsoft Corporation 5.01.2600.2180
rpcrt4.dll Remote Procedure Call Runtime Microsoft Corporation 5.01.2600.2180
rsaenh.dll Microsoft Enhanced Cryptographic Provider Microsoft Corporation 5.01.2600.2161
rtutils.dll Routing Utilities Microsoft Corporation 5.01.2600.2180
samlib.dll SAM Library DLL Microsoft Corporation 5.01.2600.2180
SASSEH.DLL ShellExecuteHook SuperAdBlocker.com 1.00.0000.1008
secur32.dll Security Support Provider Interface Microsoft Corporation 5.01.2600.2180
sensapi.dll SENS Connectivity API DLL Microsoft Corporation 5.01.2600.2180
setupapi.dll Windows Setup API Microsoft Corporation 5.01.2600.2180
sfc_os.dll Windows File Protection Microsoft Corporation 5.01.2600.2180
shdoclc.dll Shell Doc Object and Control Library Microsoft Corporation 6.00.2900.2180
shdocvw.dll Shell Doc Object and Control Library Microsoft Corporation 6.00.2900.2518
shell32.dll Windows Shell Common Dll Microsoft Corporation 6.00.2900.2180
shimeng.dll Shim Engine DLL Microsoft Corporation 5.01.2600.2180
shlwapi.dll Shell Light-weight Utility Library Microsoft Corporation 6.00.2900.2180
sortkey.nls
sorttbls.nls
ssdpapi.dll SSDP Client API DLL Microsoft Corporation 5.01.2600.2180
sti.dll Still Image Devices client DLL Microsoft Corporation 5.01.2600.2180
stobject.dll Systray shell service object Microsoft Corporation 5.01.2600.2180
sxs.dll Fusion 2.5 Microsoft Corporation 5.01.2600.2180
tapi32.dll Microsoft® Windows(TM) Telephony API Client DLL Microsoft Corporation 5.01.2600.2180
themeui.dll Windows Theme API Microsoft Corporation 6.00.2900.2180
unicode.nls
upnp.dll Universal Plug and Play API Microsoft Corporation 5.01.2600.2180
upnpui.dll UPNP Tray Monitor and Folder Microsoft Corporation 5.01.2600.2180
urlmon.dll OLE32 Extensions for Win32 Microsoft Corporation 6.00.2900.2518
user32.dll Windows XP USER API Client DLL Microsoft Corporation 5.01.2600.2180
userenv.dll Userenv Microsoft Corporation 5.01.2600.2180
uxtheme.dll Microsoft UxTheme Library Microsoft Corporation 6.00.2900.2180
version.dll Version Checking and File Installation Libraries Microsoft Corporation 5.01.2600.2180
wdmaud.drv WDM Audio driver mapper Microsoft Corporation 5.01.2600.2180
webcheck.dll Web Site Monitor Microsoft Corporation 6.00.2900.2180
winhttp.dll Windows HTTP Services Microsoft Corporation 5.01.2600.2180
wininet.dll Internet Extensions for Win32 Microsoft Corporation 6.00.2900.2518
winmm.dll MCI API DLL Microsoft Corporation 5.01.2600.2180
winrnr.dll LDAP RnR Provider DLL Microsoft Corporation 5.01.2600.2180
winspool.drv Windows Spooler Driver Microsoft Corporation 5.01.2600.2180
winsta.dll Winstation Library Microsoft Corporation 5.01.2600.2180
wintrust.dll Microsoft Trust Verification APIs Microsoft Corporation 5.131.2600.2180
wldap32.dll Win32 LDAP API DLL Microsoft Corporation 5.01.2600.2180
wmpband.dll Windows Media Player Microsoft Corporation 9.00.0000.3250
ws2_32.dll Windows Socket 2.0 32-Bit DLL Microsoft Corporation 5.01.2600.2180
ws2help.dll Windows Socket 2.0 Helper for Windows NT Microsoft Corporation 5.01.2600.2180
wshtcpip.dll Windows Sockets Helper DLL Microsoft Corporation 5.01.2600.2180
wsock32.dll Windows Socket 32-Bit DLL Microsoft Corporation 5.01.2600.2180
wtsapi32.dll Windows Terminal Server SDK APIs Microsoft Corporation 5.01.2600.2180
wuapi.dll Windows Update Client API Microsoft Corporation 5.04.3790.2182
wzcdlg.dll Wireless Zero Configuration Service UI Microsoft Corporation 5.01.2600.2180
wzcsapi.dll Wireless Zero Configuration service API Microsoft Corporation 5.01.2600.2180
xpsp2res.dll Service Pack 2 Messages Microsoft Corporation 5.01.2600.2180
zipfldr.dll Compressed (zipped) Folders Microsoft Corporation 6.00.2900.2180

=====notify.txt======

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon
DllName REG_SZ C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
Logon REG_SZ SABWINLOLogon
Logoff REG_SZ SABWINLOLogoff
Startup REG_SZ SABWINLOStartup
Shutdown REG_SZ SABWINLOShutdown
Asynchronous REG_DWORD 0x0
Impersonate REG_DWORD 0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
Asynchronous REG_DWORD 0x0
Impersonate REG_DWORD 0x0
DllName REG_EXPAND_SZ crypt32.dll
Logoff REG_SZ ChainWlxLogoffEvent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
Asynchronous REG_DWORD 0x0
Impersonate REG_DWORD 0x0
DllName REG_EXPAND_SZ cryptnet.dll
Logoff REG_SZ CryptnetWlxLogoffEvent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
DLLName REG_SZ cscdll.dll
Logon REG_SZ WinlogonLogonEvent
Logoff REG_SZ WinlogonLogoffEvent
ScreenSaver REG_SZ WinlogonScreenSaverEvent
Startup REG_SZ WinlogonStartupEvent
Shutdown REG_SZ WinlogonShutdownEvent
StartShell REG_SZ WinlogonStartShellEvent
Impersonate REG_DWORD 0x0
Asynchronous REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
<NO NAME> REG_SZ
DLLName REG_SZ igfxsrvc.dll
Asynchronous REG_DWORD 0x1
Impersonate REG_DWORD 0x1
Unlock REG_SZ WinlogonUnlockEvent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
DLLName REG_SZ wlnotify.dll
Logon REG_SZ SCardStartCertProp
Logoff REG_SZ SCardStopCertProp
Lock REG_SZ SCardSuspendCertProp
Unlock REG_SZ SCardResumeCertProp
Enabled REG_DWORD 0x1
Impersonate REG_DWORD 0x1
Asynchronous REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
Asynchronous REG_DWORD 0x0
DllName REG_EXPAND_SZ wlnotify.dll
Impersonate REG_DWORD 0x0
StartShell REG_SZ SchedStartShell
Logoff REG_SZ SchedEventLogOff

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
Logoff REG_SZ WLEventLogoff
Impersonate REG_DWORD 0x0
Asynchronous REG_DWORD 0x1
DllName REG_EXPAND_SZ sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
DLLName REG_SZ WlNotify.dll
Lock REG_SZ SensLockEvent
Logon REG_SZ SensLogonEvent
Logoff REG_SZ SensLogoffEvent
Safe REG_DWORD 0x1
MaxWait REG_DWORD 0x258
StartScreenSaver REG_SZ SensStartScreenSaverEvent
StopScreenSaver REG_SZ SensStopScreenSaverEvent
Startup REG_SZ SensStartupEvent
Shutdown REG_SZ SensShutdownEvent
StartShell REG_SZ SensStartShellEvent
PostShell REG_SZ SensPostShellEvent
Disconnect REG_SZ SensDisconnectEvent
Reconnect REG_SZ SensReconnectEvent
Unlock REG_SZ SensUnlockEvent
Impersonate REG_DWORD 0x1
Asynchronous REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
Asynchronous REG_DWORD 0x0
DllName REG_EXPAND_SZ wlnotify.dll
Impersonate REG_DWORD 0x0
Logoff REG_SZ TSEventLogoff
Logon REG_SZ TSEventLogon
PostShell REG_SZ TSEventPostShell
Shutdown REG_SZ TSEventShutdown
StartShell REG_SZ TSEventStartShell
Startup REG_SZ TSEventStartup
MaxWait REG_DWORD 0x258
Reconnect REG_SZ TSEventReconnect
Disconnect REG_SZ TSEventDisconnect

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
DLLName REG_SZ wlnotify.dll
Logon REG_SZ RegisterTicketExpiredNotificationEvent
Logoff REG_SZ UnregisterTicketExpiredNotificationEvent
Impersonate REG_DWORD 0x1
Asynchronous REG_DWORD 0x1

====awf.txt====

Find AWF report by noahdfear ©2006


21504 byte files found
~~~~~~~~~~~~~



21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



25600 byte files found
~~~~~~~~~~~~~

25600 "C:\_OTMoveIt\MovedFiles\Program Files\Java\jre1.6.0\bin\keytool.exe"
25600 "C:\_OTMoveIt\MovedFiles\Program Files\Java\jre1.6.0\bin\kinit.exe"
25600 "C:\_OTMoveIt\MovedFiles\Program Files\Java\jre1.6.0\bin\klist.exe"
25600 "C:\_OTMoveIt\MovedFiles\Program Files\Java\jre1.6.0\bin\ktab.exe"
25600 "C:\_OTMoveIt\MovedFiles\Program Files\Java\jre1.6.0\bin\orbd.exe"
25600 "C:\_OTMoveIt\MovedFiles\Program Files\Java\jre1.6.0\bin\pack200.exe"
25600 "C:\_OTMoveIt\MovedFiles\Program Files\Java\jre1.6.0\bin\policytool.exe"
25600 "C:\_OTMoveIt\MovedFiles\Program Files\Java\jre1.6.0\bin\rmid.exe"
25600 "C:\_OTMoveIt\MovedFiles\Program Files\Java\jre1.6.0\bin\rmiregistry.exe"
25600 "C:\_OTMoveIt\MovedFiles\Program Files\Java\jre1.6.0\bin\servertool.exe"


25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



26450 byte files found
~~~~~~~~~~~~~



26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ADOBE\ACROBA~2.0\READER\BAK

03/30/2006 04:45 PM 313,472 AdobeUpdateManager.exe
1 File(s) 313,472 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"


end of report

====HJt log======
Logfile of HijackThis v1.99.1
Scan saved at 5:18:25 PM, on 3/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\shared\mghtml.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {60D3AAEB-AA39-4AE0-B2F9-E4AF0613A2A3} - C:\PROGRA~1\Cosmi\SPYWAR~1\pop\ABG_PL~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Show All Original Images - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Show Original Image - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/c...cab?v=1,0,0,37
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} - http://www.snapfish.com/SnapfishUpload.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
Old 03-04-2007, 10:41 AM   #24 (permalink)
Analyst, Security Team
 
 
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2


Hi tsf1jay,

I’m sorry for the late reply. I’ve had some of our experts look over your thread.

You have a relatively new type of malware. So, here’s what we do first.

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK), and copy and paste the text present inside the code box below:

Code:
For /F "TOKENS=*" %%g IN ('dir /s/a-d/b %windir%\ndis.sys'
) Do @echo "$$~g" %%~zg %%~tg >>report.txt 2>nul
start notepad report.txt & exit
Save this as check.bat. Choose to save as "All files" and place it on your desktop.

It should look like this:

Go to the desktop and double-click on check.bat and post back with the text that will open.

In case you are still unsure how to create a BAT file, please take a look HERE (with screenshots).
__________________

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum

Last edited by Sempurna; 03-04-2007 at 10:45 AM.
Old 03-04-2007, 02:30 PM   #25 (permalink)
Registered User
 
Join Date: Feb 2007
Posts: 21
OS: XP home edition



Well, I was not expecting 24h weekend support here :) I hope this helps others who are seized by such new malware too. Anyway, here is all I got from the log:

"$$~g" 167552 08/29/2002 07:00 AM
"$$~g" 182912 08/04/2004 01:14 AM
"$$~g" 182912 08/04/2004 01:14 AM
"$$~g" 277764 02/19/2007 09:14 AM
Old 03-04-2007, 07:25 PM   #26 (permalink)
Analyst, Security Team
 
 
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2


Hi tsf1jay,

OK, could you run this batch file? There was a typo in the previous one. My bad.

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK), and copy and paste the text present inside the code box below:

Code:
For /F "TOKENS=*" %%g IN ('dir /s/a-d/b %windir%\ndis.sys'
) Do @echo "%%~g" %%~zg %%~tg >>report.txt 2>nul
start notepad report.txt & exit
Save this as check2.bat. Choose to save as "All files" and place it on your desktop.

It should look like this:

Double-click check2.bat on your desktop.

Notepad should open with text in it. Please post the contents of that text here.
Old 03-04-2007, 07:49 PM   #27 (permalink)
Registered User
 
Join Date: Feb 2007
Posts: 21
OS: XP home edition


here's the log..

"C:\WINDOWS\$NtServicePackUninstall$\ndis.sys" 167552 08/29/2002 07:00 AM
"C:\WINDOWS\ServicePackFiles\i386\ndis.sys" 182912 08/04/2004 01:14 AM
"C:\WINDOWS\SoftwareDistribution\Download\9ded4ee34a35fced0033d3e152a36e0e\ndis.sys" 182912 08/04/2004 01:14 AM
"C:\WINDOWS\system32\drivers\ndis.sys" 277764 02/19/2007 09:14 AM
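A small triage helper for the report that check2.bat writes, added here as an example and not code from the thread or from ComboFix: it parses the four report lines above (embedded as a constructed sample), flags the live system32\drivers copy when its size or date disagrees with the ServicePackFiles\i386 reference, and lists which other copies match that reference and could serve as a source for a clean replacement. It assumes the `"path" size date time` format shown in the post; size and timestamp are only a first-pass signal, so any candidate still has to be checked against a known-good hash before it is copied into drivers or dllcache.

```python
"""Triage the check2.bat report: which ndis.sys copy is live, and does it
agree with the service-pack reference copy on the same machine?"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed sample: the four lines check2.bat produced in this thread.
SAMPLE_REPORT = """\
"C:\\WINDOWS\\$NtServicePackUninstall$\\ndis.sys" 167552 08/29/2002 07:00 AM
"C:\\WINDOWS\\ServicePackFiles\\i386\\ndis.sys" 182912 08/04/2004 01:14 AM
"C:\\WINDOWS\\SoftwareDistribution\\Download\\9ded4ee34a35fced0033d3e152a36e0e\\ndis.sys" 182912 08/04/2004 01:14 AM
"C:\\WINDOWS\\system32\\drivers\\ndis.sys" 277764 02/19/2007 09:14 AM
"""

# One report line: quoted path, byte size (%~z), then the %~t timestamp.
LINE_RE = re.compile(
    r'^"(?P<path>[^"]+)"\s+(?P<size>\d+)\s+'
    r'(?P<ts>\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M)\s*$'
)

# Path suffixes (assumed, matching the XP layout seen in the thread).
LIVE_SUFFIX = PureWindowsPath("system32/drivers/ndis.sys")
REFERENCE_SUFFIX = PureWindowsPath("ServicePackFiles/i386/ndis.sys")


@dataclass(frozen=True)
class Copy:
    path: str
    size: int
    mtime: datetime


def parse_report(text: str) -> list[Copy]:
    """Parse every non-empty line of the batch report into a Copy record."""
    copies = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised report line: {line!r}")
        mtime = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M %p")
        copies.append(Copy(m["path"], int(m["size"]), mtime))
    return copies


def _ends_with(path: str, suffix: PureWindowsPath) -> bool:
    """Case-insensitive 'path ends with these components' test."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    want = [p.lower() for p in suffix.parts]
    return parts[-len(want):] == want


def _find(copies: list[Copy], suffix: PureWindowsPath):
    return next((c for c in copies if _ends_with(c.path, suffix)), None)


def triage(copies: list[Copy]):
    """Return (live_copy, findings). An empty findings list means the live
    driver agrees with the service-pack copy; anything else needs a hash check."""
    live = _find(copies, LIVE_SUFFIX)
    if live is None:
        return None, ["no ndis.sys found under system32\\drivers"]
    findings = []
    reference = _find(copies, REFERENCE_SUFFIX)
    if reference is not None:
        if live.size != reference.size:
            findings.append(
                f"size {live.size} differs from service-pack copy ({reference.size})")
        # A newer date can be a legitimate hotfix as well as an implant, so it
        # is a reason to verify the file, not a verdict on its own.
        if live.mtime > reference.mtime:
            findings.append(
                f"modified {live.mtime:%Y-%m-%d}, newer than the service-pack "
                f"copy ({reference.mtime:%Y-%m-%d})")
    other_sizes = Counter(c.size for c in copies if c is not live)
    if other_sizes and live.size not in other_sizes:
        findings.append("size matches none of the other copies on disk")
    return live, findings


def candidate_sources(copies: list[Copy]) -> list[Copy]:
    """Copies other than the live driver whose size equals the service-pack
    reference. The pre-SP uninstall copy is deliberately excluded by this test,
    since it is an older driver version, not a clean copy of the current one."""
    reference = _find(copies, REFERENCE_SUFFIX)
    if reference is None:
        return []
    return [c for c in copies
            if c.size == reference.size and not _ends_with(c.path, LIVE_SUFFIX)]


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    live, findings = triage(found)
    print("live driver:", live.path if live else None)
    for reason in findings:
        print("  -", reason)
    for c in candidate_sources(found):
        print("candidate clean source:", c.path)
```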
Old 03-04-2007, 07:53 PM   #28 (permalink)
Analyst, Security Team
 
 
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2


OK, the fix is ready, but I'd like the experts to look over the batch file log before we fix anything.

That ndis.sys file is the malware, but please do NOT do anything with it yet!

Be back in a jiff. Hang in there.
Old 03-04-2007, 09:24 PM   #29 (permalink)
Analyst, Security Team
 
 
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2


We're back!

OK, let's do this next.

Please download ComboFix by sUBs:

NOTE: In the event you already have ComboFix, this is a new version that I need you to download.
  • Save it to your desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  1. The log from the ComboFix scan.
  2. A new HijackThis log.

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.
Old 03-05-2007, 08:57 PM   #30 (permalink)
Registered User
 
Join Date: Feb 2007
Posts: 21
OS: XP home edition


I ran combofix.exe and then took the HJT log (see below), but when I rebooted immediately after, my internet connection did not work. Something (not sure if combofix.exe) wiped out the LAN or High-Speed internet connection from Control Panel/Network Connections. Then I restored the system using TuneUp Utilities rescue center from a system checkpoint which was about 1 hour before I ran combofix.exe. Not sure any repair done by combofix.exe is still valid or undone now. The logs below are from before I did the system restore. I can connect to the internet after the system restore.

FYI, while combofix.exe was running, it showed the message that it cannot find a valid substitute for ndis.sys.

=== ComboFix.txt ===
"Owner" - 07-03-05 19:47:49 Service Pack 2
ComboFix 07-03-05.2_PreRelease - Running from: "C:\Documents and Settings\Owner\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\KB95842.log
C:\Documents and Settings\All Users.\Documents\Settings\desktop.ini
C:\INSTALL.LOG
C:\Documents and Settings\All Users.\Documents\Settings
C:\Program Files\InetGet2
C:\WINDOWS\system32\msnetax.dll
C:\cp1041.nls
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\WINDOWS\system32\SSTEM3~1

C:\WINDOWS\system32\drivers\ndis.sys ... is infected!!


((((((((((((((((((((((((((((((( Files Created from 2007-02-05 to 2007-03-05 ))))))))))))))))))))))))))))))))))


2007-03-05 19:53 <DIR> d-------- C:\WINDOWS\ERDNT
2007-03-03 17:05 <DIR> d-------- C:\ERDNT
2007-03-03 05:25 406,016 --a------ C:\WINDOWS\system32\PSDrvCheck.exe
2007-03-03 05:25 221,184 --a------ C:\WINDOWS\system32\LVCOMSX.EXE
2007-03-02 20:42 <DIR> d-------- C:\WINDOWS\Sun
2007-03-01 23:38 <DIR> d-------- C:\Program Files\Java
2007-03-01 23:38 <DIR> d-------- C:\Program Files\Common Files\Java
2007-03-01 23:37 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Sun
2007-03-01 23:28 <DIR> d-------- C:\DOCUME~1\Owner\.java
2007-03-01 20:58 <DIR> d-------- C:\avenger
2007-02-28 19:37 2,120 --a------ C:\WINDOWS\system32\tmp.reg
2007-02-28 19:29 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-02-28 19:29 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\SUPERAntiSpyware.com
2007-02-28 19:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-02-25 19:47 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\TuneUp Software
2007-02-24 15:29 4,456,448 --a------ C:\DOCUME~1\Owner\ntuser.dat
2007-02-24 15:28 237,568 --a------ C:\DOCUME~1\LOCALS~1\ntuser.dat
2007-02-24 12:52 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-02-23 22:29 <DIR> d-------- C:\Program Files\CCleaner
2007-02-22 22:43 <DIR> d-------- C:\tools
2007-02-22 22:25 114,464 --a------ C:\WINDOWS\system32\drivers\naiavf5x.sys
2007-02-22 22:24 288,320 -ra------ C:\WINDOWS\system32\mcgdmgr.dll
2007-02-22 22:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee.com
2007-02-22 22:23 349,760 --a------ C:\WINDOWS\system32\mcinsctl.dll
2007-02-22 22:23 <DIR> d-------- C:\Program Files\McAfee.com
2007-02-22 20:15 <DIR> d-------- C:\DOCUME~1\Owner\DoctorWeb
2007-02-22 19:27 <DIR> d-------- C:\VundoFix Backups
2007-02-21 15:31 <DIR> d-------- C:\spoolerlogs
2007-02-21 07:29 24,072 --a------ C:\WINDOWS\system32\uxtuneup.dll
2007-02-21 07:28 <DIR> d-------- C:\Program Files\TuneUp Utilities 2007
2007-02-21 07:28 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\TuneUp Software
2007-02-21 07:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TuneUp Software
2007-02-20 21:27 <DIR> d-------- C:\SDAT
2007-02-19 22:36 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-02-19 18:06 1,048,576 --ah----- C:\DOCUME~1\ADMINI~1\ntuser.dat
2007-02-19 18:06 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-02-19 18:06 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-02-19 18:06 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\InterTrust
2007-02-19 18:06 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Adobe
2007-02-19 00:14 <DIR> d-------- C:\Program Files\Ofb1
2007-02-16 10:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MCA1C.tmp
2007-02-14 14:18 <DIR> d-------- C:\Practicum
2007-02-05 21:49 <DIR> d-------- C:\PMBOK Guide


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-03 20:30 -------- d-------- C:\DOCUME~1\Owner\APPLIC~1\adobeum
2007-03-03 20:28 -------- d-------- C:\Program Files\Common Files\adobe
2007-03-03 16:49 -------- d-------- C:\Program Files\messenger
2007-03-03 05:25 -------- d-------- C:\Program Files\quicktime
2007-03-03 05:25 -------- d-------- C:\Program Files\nzsearch
2007-03-03 05:25 -------- d-------- C:\Program Files\netzero
2007-03-03 05:25 -------- d-------- C:\Program Files\microsoft works
2007-02-28 19:28 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2007-02-20 21:13 502272 --------- C:\WINDOWS\system32\winlogon.exe
2007-02-20 21:09 1993270 --a------ C:\DOCUME~1\Owner\APPLIC~1\cleanup!.log
2007-02-20 07:51 -------- d-------- C:\Program Files\7-zip
2007-01-09 08:55 -------- d-------- C:\Program Files\microsoft


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"googletalk"="\"C:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"CHotkey"="zHotkey.exe"
"googletalk"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe /autostart"
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Logitech Desktop Messenger.lnk"
"backup"="C:\\WINDOWS\\pss\\Logitech Desktop Messenger.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Logitech\\DESKTO~1\\8876480\\Program\\LDMConf.exe /start"
"item"="Logitech Desktop Messenger"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
"path"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\PowerReg Scheduler V3.exe"
"backup"="C:\\WINDOWS\\pss\\PowerReg Scheduler V3.exeStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\PowerReg Scheduler V3.exe"
"item"="PowerReg Scheduler V3"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WkDetect"
"hkey"="HKCU"
"command"="c:\\Program Files\\Microsoft Works\\WkDetect.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetZero_uoltray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="exec"
"hkey"="HKCU"
"command"="C:\\Program Files\\NetZero\\bak\\exec.exe regrun"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spc_w]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nzspc"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\NZSearch\\nzspc.exe\" -w"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SUPERAntiSpyware"
"hkey"="HKCU"
"command"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeUpdateManager"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_9 -reboot 1"
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

HKLM\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
UxTuneUp




~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070228-204833-400
O2 - BHO: (no name) - {B632296A-CCF4-B65E-F9DA-C3DEBFC15CE2} - C:\WINDOWS\system32\hzjs.dll (file missing)
backup-20070228-075557-999
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
backup-20070228-075557-848
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll (file missing)
backup-20070228-075556-427
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\Owner\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
backup-20070228-075556-510
O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
backup-20070222-195238-509
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
backup-20070222-195238-262
O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINDOWS\System32\wins\DLLHOST.EXE (file missing)
backup-20070222-195238-675
O23 - Service: Network Connections Sharing (RpcTftpd) - Unknown owner - C:\WINDOWS\System32\wins\svchost.exe (file missing)
backup-20070222-195238-261
O20 - Winlogon Notify: ideoept - C:\WINDOWS\SYSTEM32\ideoept.dll
backup-20070222-195237-182
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll
backup-20070222-195237-447
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download...reeInstall.cab
backup-20070222-195237-260
O15 - Trusted Zone: *.matcash.com (HKLM)
backup-20070222-195237-440
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
backup-20070222-195237-333
O15 - Trusted Zone: *.winfixer.com (HKLM)
backup-20070222-195237-874
O15 - Trusted Zone: *.media-motor.net (HKLM)
backup-20070222-195237-860
O15 - Trusted Zone: *.winantivirus.com (HKLM)
backup-20070222-195237-824
O15 - Trusted Zone: *.mediatickets.net (HKLM)
backup-20070222-195237-707
O15 - Trusted Zone: *.snipernet.biz (HKLM)
backup-20070222-195237-102
O15 - Trusted Zone: *.media-motor.com (HKLM)
backup-20070222-195237-181
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
backup-20070222-195237-450
O15 - Trusted Zone: *.systemdoctor.com
backup-20070222-195237-117
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
backup-20070222-195237-527
O15 - Trusted Zone: *.winfixer.com
backup-20070222-195237-452
O15 - Trusted Zone: *.errorsafe.com (HKLM)
backup-20070222-195237-474
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
backup-20070222-195237-957
O15 - Trusted Zone: *.adgate.info (HKLM)
backup-20070222-195237-267
O15 - Trusted Zone: *.winantivirus.com
backup-20070222-195237-499
O15 - Trusted Zone: *.imagesrvr.com
backup-20070222-195237-788
O15 - Trusted Zone: *.mediatickets.net
backup-20070222-195237-322
O15 - Trusted Zone: *.matcash.com
backup-20070222-195237-457
O15 - Trusted Zone: *.snipernet.biz
backup-20070222-195237-978
O15 - Trusted Zone: *.dollarrevenue.com
backup-20070222-195237-589
O15 - Trusted Zone: *.media-motor.com
backup-20070222-195237-685
O15 - Trusted Zone: *.errorsafe.com
backup-20070222-195237-812
O2 - BHO: (no name) - {5ccaab50-41e0-4574-a1c6-5a4847a9ce57} - C:\WINDOWS\system32\ideoept.dll
backup-20070222-195237-198
O15 - Trusted Zone: *.adgate.info

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job


********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-05 19:59:04

=== HJT log ===
Logfile of HijackThis v1.99.1
Scan saved at 8:05:09 PM, on 3/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\PROGRA~1\mcafee.com\shared\mghtml.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\tools\HijackThis.exe

R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {60D3AAEB-AA39-4AE0-B2F9-E4AF0613A2A3} - C:\PROGRA~1\Cosmi\SPYWAR~1\pop\ABG_PL~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Show All Original Images - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Show Original Image - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/c...cab?v=1,0,0,37
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} - http://www.snapfish.com/SnapfishUpload.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

Last edited by tsf1jay; 03-05-2007 at 09:00 PM.
Old 03-06-2007, 06:08 AM   #31 (permalink)
Analyst, Security Team
 
 
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2


Hi tsf1jay,

Quote:
Not sure any repair done by combofix.exe is still valid or undone now.
No worries, the system restore would have undone the fix. This is what happened, according to the developer of ComboFix:

Quote:
Originally by sUBs

CF must have found an alternate copy of ndis.sys (before authentication) & unhooked the locked malware copy. Scanners must have jumped on it. The copy found didn't pass authentication & CF did not copy it over.

You need to get the user to find a good copy of ndis.sys; from the XP cd or somewhere else. When that's done, there's 2 options.

1. Reboot to safe mode without networking & replace the files

2. Place good copy anywhere on machine (e.g. system32\dllcache) & rerun CF so that it may do the replacement automatically

OK, so the first thing you have to do is to get your original Windows XP installation CD. There will be a clean copy of ndis.sys on that CD. Copy it over to your C:\WINDOWS\System32\dllcache folder. Replace the existing copy that is in the dllcache folder.

Then rerun ComboFix and let me see the log that it generates. If you lose Internet connection this time, just copy over the clean copy of ndis.sys file from your XP CD and place it in your C:\WINDOWS\System32\drivers folder.

Let me know how things go.
Old 03-06-2007, 07:59 PM   #32 (permalink)
Registered User
 
Join Date: Feb 2007
Posts: 21
OS: XP home edition


Could not find dllcache folder in system32, so just replaced ndis.sys in safe mode. Did not run combofix. McAfee still shows winlogon.exe is infected with spy-agent.bv!inf.

Here is the latest HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 9:51:35 PM, on 3/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Google\Google Talk\googletalk.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\shared\mghtml.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {60D3AAEB-AA39-4AE0-B2F9-E4AF0613A2A3} - C:\PROGRA~1\Cosmi\SPYWAR~1\pop\ABG_PL~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Show All Original Images - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Show Original Image - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/c...cab?v=1,0,0,37
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} - http://www.snapfish.com/SnapfishUpload.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
tsf1jay is offline  
Old 03-06-2007, 10:19 PM   #33 (permalink)
Analyst, Security Team
 
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2


Do the same with winlogon.exe as you did with ndis.sys. The legit file has also been hijacked by malware. The file will be residing in the C:\WINDOWS\system32 folder.

OR

You can rename winlogon.exe to winlogon.exe.ren. Wait a few seconds, then refresh the page. Windows File Protection (WFP) should replace the file for you from either the dllcache or i386 folders.

If it doesn't happen, then do the change manually by copying a clean copy from your Windows XP CD or from the i386 folder.


NEXT:

There is another infector file that hijacked a core Windows file. I need you to do this for me, please.

Please go to Start -> Search -> All files and folders.

In the More advanced options section, please place a check next to:
  • Search system folders.
  • Search hidden files and folders.
  • Search subfolders.

Then please search for this file:

system.ini

Once found, please open the file, copy everything in it and paste the contents here for me to see, please.
Sempurna is offline  
Old 03-07-2007, 08:08 PM   #34 (permalink)
Registered User
 
Join Date: Feb 2007
Posts: 21
OS: XP home edition


Replaced winlogon.exe and here is what I have in system.ini

; for 16-bit app support
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
[driver32]
[386enh]
woafont=dosapp.FON
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON
tsf1jay is offline  
Old 03-07-2007, 10:47 PM   #35 (permalink)
Analyst, Security Team
 
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2


OK, we have a hidden dropper somewhere in your system that is regenerating the msnetax.dll LSP hijacker file. It is usually indicated in the system.ini file, but this time it's not. We'll have to look for it with some other scans.

OK, please do this next.

Let’s run a few deep diagnostic scans to make sure nothing else is lurking in your system.

Please download SilentRunners and save it to your desktop:
  • Unzip it (extract) to the desktop and double-click on it.
  • If you get any kind of warning message about scripts, please choose to allow the script to run.
  • When the scan is finished, a message will pop up and a logfile will have been created on the desktop. Please post the entire contents of this logfile for me to see.


NEXT:

Please download and save F-Secure BlackLight to your desktop.
  • Double-click blbeta.exe then accept the agreement.
  • Click Scan -> Next.
  • After the scan you'll see a list of all items found. Please click Next and then Exit. Do NOT choose rename for any items yet! I need to see the log first, because legitimate items can also be present there...
  • A log will be created on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx are numbers)
  • Please post the contents of the log in your next reply.


NEXT:

Please download GMER and save it to your desktop:
  • Unzip (extract) it to your desktop.
  • Disconnect from Internet and close all running programs.
  • There is a small chance this application may crash your computer so save any work you have open.
  • Double-click gmer.exe to run it.
  • Let the gmer.sys driver load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan... click NO.
  • Click the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Then click the Scan button. Wait for the scan to finish.
  • Once done, click the Copy button.
  • This will copy the results to the clipboard. Open Notepad and press CTRL + V to paste the log, and save it to your desktop. Paste the results in your next reply.

If you're having problems with running gmer.exe, try it in Safe Mode.
This tool works in Safe Mode… other rootkit revealers don't.


NEXT:

Please download ComboFix by sUBs:
  • Save it to your desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT:

Please download System Repair Engineer by Smallfrogs and save it to your desktop:
  • Right-click sreng2.zip, select Extract All, and extract it to its own folder.
  • Double-click SREng.exe to run it.

  • Select Smart Scan and check (tick) Verify the digital signatures of process modules.
  • Click on the Scan button.
  • When the scan is complete, click on the Save Reports button and save the log to your desktop.
  • Please attach the log in your next reply. Don’t post it.

Note : You would have to rename SREngLog.log to SREngLog.txt before attaching it.


NEXT:

Please download the Registry Search Tool and save it to your desktop:
  • Unzip (extract) it to your desktop and double-click on regsrch.vbs
    (if you have script protection, please allow this to run).
  • In the dialog that opens enter the following:

    msnetax

  • Press OK
  • The search will run for a while, then alert you when it is finished.
  • Press OK and copy the contents of the WordPad window and post in this thread.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  1. The log from the SilentRunners scan.
  2. The log from the BlackLight scan.
  3. The log from the GMER scan.
  4. The log from the ComboFix scan.
  5. The log from the SREng scan.
  6. The report from the Registry Search Tool scan.
  7. A new HijackThis log.

(You might have to paste the logs in multiple posts in the event they are too long and breach the post length of the forum software).

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.
Sempurna is offline  
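The analyst's reasoning above rests on two log artefacts: the block of identical HijackThis O10 lines and the SilentRunners "Transport Service Providers" summary, which together show one unknown DLL chained into many Winsock catalog entries. The script below is an added example (not code from this thread, from HijackThis or from SilentRunners) that parses both formats and flags provider DLLs that are not on a small list of stock Windows XP providers, or that carry no vendor string. The known-good list and the regular expressions are assumptions of this example; the sample log lines are constructed to match what the user posted in this thread (19 O10 hits, catalog entries 01-18 and 37).

```python
"""Triage of Winsock LSP entries from HijackThis O10 lines and from the
SilentRunners Protocol_Catalog9 summary.

Added example; not code from the forum thread, HijackThis or SilentRunners.
The log formats are taken from the thread; the whitelist of stock XP
provider DLLs is an assumption of this example (by file name only; a real
triage would also verify the file's signature or hash on disk).
"""
import re
from collections import defaultdict

# Assumed known-good Winsock provider DLLs shipped with Windows XP.
KNOWN_PROVIDER_DLLS = {"mswsock.dll", "rsvpsp.dll", "winrnr.dll", "nwprovau.dll"}

# Constructed sample: HijackThis emits one O10 line per catalog entry, so the
# same DLL shows up once for each entry it occupies (19 times in the thread).
HJT_SAMPLE = "O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\msnetax.dll\n" * 19

# Constructed sample: SilentRunners summary lines as posted in the thread.
SR_SAMPLE = """\
0000000000##\\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\\WINDOWS\\system32\\msnetax.dll [null data], 01 - 18, 37
%SystemRoot%\\system32\\mswsock.dll [MS], 19 - 21, 24 - 36
%SystemRoot%\\system32\\rsvpsp.dll [MS], 22 - 23
"""

O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP:\s*(?P<path>\S.*?)\s*$", re.I)
SR_RE = re.compile(r"^(?P<path>\S+\.dll)\s+\[(?P<vendor>[^\]]*)\],\s*(?P<ranges>.+)$", re.I)
RANGE_RE = re.compile(r"(\d+)(?:\s*-\s*(\d+))?")


def _basename(path):
    """Lower-cased file name of a Windows path ('c:\\x\\y.dll' -> 'y.dll')."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_hjt_o10(text):
    """Return {dll_basename: number of O10 lines naming it}."""
    counts = defaultdict(int)
    for line in text.splitlines():
        m = O10_RE.match(line.strip())
        if m:
            counts[_basename(m.group("path"))] += 1
    return dict(counts)


def parse_silentrunners_catalog(text):
    """Return {dll_basename: (vendor string, sorted list of catalog entry numbers)}.

    Ranges like '01 - 18, 37' are expanded to the individual entry numbers so
    the caller can see how many catalog slots a provider occupies.
    """
    result = {}
    for line in text.splitlines():
        m = SR_RE.match(line.strip())
        if not m:
            continue  # header line or anything that is not a provider row
        entries = []
        for lo, hi in RANGE_RE.findall(m.group("ranges")):
            lo = int(lo)
            hi = int(hi) if hi else lo
            entries.extend(range(lo, hi + 1))
        result[_basename(m.group("path"))] = (m.group("vendor"), sorted(entries))
    return result


def flag_suspicious_lsps(catalog):
    """DLLs not on the stock list, or with no vendor data, mapped to their entries."""
    flagged = {}
    for name, (vendor, entries) in catalog.items():
        if name not in KNOWN_PROVIDER_DLLS or vendor.strip().lower() == "null data":
            flagged[name] = entries
    return flagged


if __name__ == "__main__":
    hjt_hits = parse_hjt_o10(HJT_SAMPLE)
    catalog = parse_silentrunners_catalog(SR_SAMPLE)
    for name, entries in flag_suspicious_lsps(catalog).items():
        print(f"{name}: {len(entries)} catalog entries ({entries[0]}..{entries[-1]}), "
              f"HijackThis O10 hits: {hjt_hits.get(name, 0)}")
```

Cross-checking the two sources is the useful part: the O10 count and the expanded catalog ranges should agree (19 in this thread), and a DLL with no vendor data occupying the low-numbered entries is the pattern the analyst is treating as the LSP hijacker. Because an LSP is loaded into every process that uses Winsock, removing the DLL alone is not enough; the catalog entries must be repaired and, as the post says, whatever re-registers the DLL has to be found first.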
Old 03-08-2007, 09:50 PM   #36 (permalink)
Registered User
 
Join Date: Feb 2007
Posts: 21
OS: XP home edition


All scans went off well, except ComboFix, which suddenly restarted the PC, so I could not get the log of the ComboFix run. The other logs are below:

===== SilentRunners =====
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"googletalk" = ""C:\Program Files\Google\Google Talk\googletalk.exe" /autostart" ["Google"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CHotkey" = "zHotkey.exe" ["Chicony"]
"googletalk" = "C:\Program Files\Google\Google Talk\googletalk.exe /autostart" ["Google"]
"VSOCheckTask" = ""C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask" ["McAfee, Inc."]
"VirusScan Online" = "C:\Program Files\McAfee.com\VSO\mcvsshld.exe" ["McAfee, Inc."]
"OASClnt" = "C:\Program Files\McAfee.com\VSO\oasclnt.exe" ["McAfee, Inc."]
"MCAgentExe" = "c:\PROGRA~1\mcafee.com\agent\mcagent.exe" ["McAfee, Inc"]
"MCUpdateExe" = "c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" ["McAfee, Inc"]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0\bin\jusched.exe"" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! IE Services Button"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo! Inc."]
{60D3AAEB-AA39-4AE0-B2F9-E4AF0613A2A3}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\Cosmi\SPYWAR~1\pop\ABG_PL~1.DLL" [empty string]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0\bin\ssv.dll" ["Sun Microsystems, Inc."]
{9394EDE7-C8B5-483E-8773-474BF36AF6E4}\(Default) = (no title provided)
-> {HKLM...CLSID} = "ST"
\InProcServer32\(Default) = "C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll" [MS]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = (no title provided)
-> {HKLM...CLSID} = "MSNToolBandBHO"
\InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {HKLM...CLSID} = "Universal Plug and Play Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}" = "My Logitech Pictures"
-> {HKLM...CLSID} = "My Logitech Pictures"
\InProcServer32\(Default) = "C:\Program Files\Logitech\Video\Namespc2.dll" ["Logitech Inc."]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}" = "TuneUp Shredder Shell Extension"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
"{44440D00-FF19-4AFC-B765-9A0970567D97}" = "TuneUp Theme Extension"
-> {HKLM...CLSID} = "TuneUp Theme Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\uxtuneup.dll" ["TuneUp Software GmbH"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
-> {HKLM...CLSID} = "SABShellExecuteHook Class"
\InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> !SASWinLogon\DLLName = "C:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zipn.dll" ["Igor Pavlov"]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zipn.dll" ["Igor Pavlov"]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zipn.dll" ["Igor Pavlov"]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\

"NoSplash" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssstars.scr" [MS]


Enabled Scheduled Tasks:
------------------------

"1-Click Maintenance" -> launches: "C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\system32\msnetax.dll [null data], 01 - 18, 37
%SystemRoot%\system32\mswsock.dll [MS], 19 - 21, 24 - 36
%SystemRoot%\system32\rsvpsp.dll [MS], 22 - 23


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{F5735C15-1FB2-41FE-BA12-242757E69DDE}"
-> {HKLM...CLSID} = "ZeroBar"
\InProcServer32\(Default) = "C:\Program Files\NetZero\Toolbar.dll" [empty string]
"{F0F8ECBE-D460-4B34-B007-56A92E8F84A7}"
-> {HKLM...CLSID} = "ZeroBar"
\InProcServer32\(Default) = "C:\Program Files\NetZero\toolbar.dll" [empty string]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
-> {HKLM...CLSID} = "MSN"
\InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll" [MS]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{F5735C15-1FB2-41FE-BA12-242757E69DDE}" = (no title provided)
-> {HKLM...CLSID} = "ZeroBar"
\InProcServer32\(Default) = "C:\Program Files\NetZero\Toolbar.dll" [empty string]
"{F0F8ECBE-D460-4B34-B007-56A92E8F84A7}" = (no title provided)
-> {HKLM...CLSID} = "ZeroBar"
\InProcServer32\(Default) = "C:\Program Files\NetZero\toolbar.dll" [empty string]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = "0"
-> {HKLM...CLSID} = "MSN"
\InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll" [MS]
"{BA52B914-B692-46C4-B683-905236F6F655}" = "McAfee VirusScan"
-> {HKLM...CLSID} = "McAfee VirusScan"
\InProcServer32\(Default) = "c:\progra~1\mcafee.com\vso\mcvsshl.dll" ["McAfee, Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll" ["Sun Microsystems, Inc."]

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\
"ButtonText" = "Yahoo! Services"
"CLSIDExtension" = "{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}"
-> {HKLM...CLSID} = "Yahoo! IE Services Button"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo! Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}\
"ButtonText" = "Yahoo! Messenger"
"MenuText" = "Yahoo! Messenger"
"Exec" = "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" ["Yahoo! Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.emachines.com

Missing lines (compared with English-language version):
[Strings]: 1 line

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8}" = (no title provided)
-> {HKLM...CLSID} = "URLSearchHook Class"
\InProcServer32\(Default) = "C:\Program Files\NZSearch\SearchEnh1.dll" ["United Online, Inc."]

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
<<H>> "TuneUp" = "file://C|/Documents and Settings/All Users/Application Data/TuneUp Software/Common/base.css" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

McAfee Task Scheduler, McTskshd.exe, "c:\PROGRA~1\mcafee.com\agent\mctskshd.exe" ["McAfee, Inc"]
McAfee WSC Integration, McDetect.exe, "c:\program files\mcafee.com\agent\mcdetect.exe" ["McAfee, Inc"]
McAfee.com McShield, McShield, "c:\PROGRA~1\mcafee.com\vso\mcshield.exe" ["McAfee Inc."]
TuneUp Design Expansion, UxTuneUp, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\uxtuneup.dll" ["TuneUp Software GmbH"] }


----------
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 98 seconds)

===== BlackLight =====
03/08/07 22:34:09 [Info]: BlackLight Engine 1.0.55 initialized
03/08/07 22:34:09 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/08/07 22:34:09 [Note]: 7019 4
03/08/07 22:34:09 [Note]: 7005 0
03/08/07 22:34:14 [Note]: 7006 0
03/08/07 22:34:14 [Note]: 7011 1104
03/08/07 22:34:14 [Note]: 7026 0
03/08/07 22:34:14 [Note]: 7026 0
03/08/07 22:34:41 [Note]: FSRAW library version 1.7.1021
03/08/07 22:43:45 [Note]: 2000 1012
03/08/07 22:43:45 [Note]: 2000 1012
03/08/07 22:43:45 [Note]: 2000 1012
03/08/07 22:43:45 [Note]: 2000 1012
03/08/07 22:44:12 [Note]: 7007 0

===== GMER =====
GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-03-08 23:04:59
Windows 5.1.2600 Service Pack 2


---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\explorer.exe[1104] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10003E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
.text C:\WINDOWS\zHotkey.exe[1204] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10003E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
.text C:\Program Files\McAfee.com\VSO\mcvsshld.exe[1228] WS2_32.dll!connect 71AB406A 5 Bytes JMP 013C3E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
.text C:\Program Files\McAfee.com\VSO\oasclnt.exe[1236] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00C03E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
.text C:\PROGRA~1\McAfee.com\Agent\mcagent.exe[1244] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00FF3E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll
.text C:\tools\gmer\gmer.exe[3412] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10003E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll

---- Registry - GMER 1.0.12 ----

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0xFF 0x7C 0x85 0xE0 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xCD 0x44 0xCD 0xB9 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x05 0x73 0x21 0xDD ...
Reg \Registry\USER\S-1-5-21-2105242733-1762407506-2985652280-1003\Software\CyberspaceHQ\AdBeGone\OtherList@http://by104fd.bay104.hotmail.msn.com/cgi-bin/getmsg?msg=7AB04E29-1D0A-456E-A80E-CB49CA163D53&start=0&len=2746&imgsafe=n&curmbox=00000000%2d0000%2d0000%2d0000%2d000000000001&a=3d6956fa3a086b371765e1490b102a12&curmbox=00000000%2d0000%2d0000%2d0000%2d000000000001&a=3d6956fa3a086b371765e1490b102a12 8

---- EOF - GMER 1.0.12 ----

=======SREng======
Code:
2007-03-08,23:27:25

System Repair Engineer 2.3.13.690
Smallfrogs (http://www.KZTechs.com)

Windows XP Home Edition Service Pack 2 (Build 2600)
 - Administrative User - Completed Functions Allowed

Follow item(s) have been choosed:
    All Boot Items (Including Registry, Startup Folders, Services and so on)
    Browser Add-ons
    Runing Processes (Including process model information)
    File Associations
    Winsock Provider
    Autorun.Inf
    HOSTS File


Boot Items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <googletalk><"C:\Program Files\Google\Google Talk\googletalk.exe" /autostart>  [Google]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <load><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <CHotkey><zHotkey.exe>  [Chicony]
    <googletalk><C:\Program Files\Google\Google Talk\googletalk.exe /autostart>  [Google]
    <VSOCheckTask><"C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask>  [McAfee, Inc.]
    <VirusScan Online><C:\Program Files\McAfee.com\VSO\mcvsshld.exe>  [McAfee, Inc.]
    <OASClnt><C:\Program Files\McAfee.com\VSO\oasclnt.exe>  [McAfee, Inc.]
    <MCAgentExe><c:\PROGRA~1\mcafee.com\agent\mcagent.exe>  [McAfee, Inc]
    <MCUpdateExe><C:\PROGRA~1\mcafee.com\agent\McUpdate.exe>  [McAfee, Inc]
    <SunJavaUpdateSched><"C:\Program Files\Java\jre1.6.0\bin\jusched.exe">  [Sun Microsystems, Inc.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Corporation]
    <Userinit><C:\WINDOWS\system32\userinit.exe,>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <UIHost><logonui.exe>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{55667788-ABCD-1234-5678-00C04FD8DBD8}><>  [N/A]
    <{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}><C:\Program Files\SUPERAntiSpyware\SASSEH.DLL>  [SuperAdBlocker.com]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
    <WinlogonNotify: !SASWinLogon><C:\Program Files\SUPERAntiSpyware\SASWINLO.dll>  [SUPERAntiSpyware.com]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    <Microsoft Works Update Detection><; c:\Program Files\Microsoft Works\WkDetect.exe>  [Microsoft® Corporation]
    <MSMSGS><; "C:\Program Files\Messenger\msmsgs.exe" /background>  [(Verified)Microsoft Corporation]
    <NetZero_uoltray><; C:\Program Files\NetZero\bak\exec.exe regrun>  [N/A]
    <spc_w><; "C:\Program Files\NZSearch\nzspc.exe" -w>  [United Online, Inc.]
    <SUPERAntiSpyware><; C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe>  [SUPERAntiSpyware.com]
    <updateMgr><; "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1>  [N/A]

==================================
Startup Folders
N/A

==================================
Services
[Application Management / AppMgmt][Stopped/Manual Start]
  <C:\WINDOWS\system32\svchost.exe -k netsvcs-->%SystemRoot%\System32\appmgmts.dll><N/A>
[Google Updater Service / gusvc][Stopped/Manual Start]
  <"C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"><Google>
[McAfee WSC Integration / McDetect.exe][Running/Auto Start]
  <c:\program files\mcafee.com\agent\mcdetect.exe><McAfee, Inc>
[McAfee.com McShield / McShield][Running/Auto Start]
  <c:\PROGRA~1\mcafee.com\vso\mcshield.exe><McAfee Inc.>
[McAfee Task Scheduler / McTskshd.exe][Running/Auto Start]
  <c:\PROGRA~1\mcafee.com\agent\mctskshd.exe><McAfee, Inc>
[McAfee SecurityCenter Update Manager / mcupdmgr.exe][Stopped/Manual Start]
  <C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe><McAfee, Inc>

==================================
Drivers
[Service for Realtek AC97 Audio (WDM) / ALCXWDM][Running/Manual Start]
  <system32\drivers\ALCXWDM.SYS><Realtek Semiconductor Corp.>
[ASAPIW2k / ASAPIW2k][Running/Manual Start]
  <system32\drivers\ASAPIW2k.sys><Pinnacle Systems GmbH>
[gmer / gmer][Stopped/Manual Start]
  <System32\DRIVERS\gmer.sys><GMER>
[HSFHWBS2 / HSFHWBS2][Running/Manual Start]
  <System32\DRIVERS\HSFHWBS2.sys><Conexant Systems>
[HSF_DP / HSF_DP][Running/Manual Start]
  <System32\DRIVERS\HSF_DP.sys><Conexant Systems>
[ialm / ialm][Running/Manual Start]
  <System32\DRIVERS\ialmnt5.sys><Intel Corporation>
[mdmxsdk / mdmxsdk][Running/Auto Start]
  <System32\DRIVERS\mdmxsdk.sys><Conexant>
[NaiAvFilter1 / NaiAvFilter1][Running/Manual Start]
  <system32\drivers\naiavf5x.sys><McAfee Inc.>
[ONSIO / ONSIO][Stopped/Auto Start]
  <\??\C:\WINDOWS\SYSTEM32\DRIVERS\ONSIO.SYS><N/A>
[PCANDIS5 Protocol Driver / PCANDIS5][Stopped/Manual Start]
  <\??\C:\PROGRA~1\NETGEAR\MA111C~1\PCANDIS5.SYS><N/A>
[PCLEPCI / PCLEPCI][Running/System Start]
  <\??\C:\WINDOWS\system32\drivers\pclepci.sys><Pinnacle Systems GmbH>
[D-Link Air DWL-122 Wireless USB Adapter Driver / PRISM_USB][Stopped/Manual Start]
  <System32\DRIVERS\PRISMUSB.sys><Intersil Americas Inc.>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[PxHelp20 / PxHelp20][Running/Boot Start]
  <\SystemRoot\System32\Drivers\PxHelp20.sys><Sonic Solutions>
[Logitech QuickCam Communicate / QCMerced][Stopped/Manual Start]
  <system32\DRIVERS\LVCM.sys><N/A>
[Realtek RTL8139/810X Family PCI Fast Ethernet NIC NT Driver / rtl8139][Running/Manual Start]
  <System32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
[SASDIFSV / SASDIFSV][Running/System Start]
  <\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS><N/A>
[SASENUM / SASENUM][Stopped/Manual Start]
  <\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS><SuperAdBlocker, Inc.>
[SASKUTIL / SASKUTIL][Running/System Start]
  <\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys><N/A>
[Secdrv / Secdrv][Stopped/Manual Start]
  <System32\DRIVERS\secdrv.sys><N/A>
[SMPLSCSI / SMPLSCSI][Stopped/Boot Start]
  <\SystemRoot\System32\drivers\SMPLSCSI.SYS><OnSpec Electronic, Inc.>
[WAN Miniport (ATW) / wanatw][Stopped/Manual Start]
  <System32\DRIVERS\wanatw4.sys><N/A>
[winachsf / winachsf][Running/Manual Start]
  <System32\DRIVERS\HSF_CNXT.sys><Conexant Systems>
[Wireless LAN USB Driver / WLAN_USB][Stopped/Manual Start]
  <System32\DRIVERS\MA111nd5.sys><NETGEAR, Inc.>
[World Standard Teletext Codec / WSTCODEC][Stopped/Manual Start]
  <System32\DRIVERS\WSTCODEC.SYS><Microsoft Corporation>
[Intel(R) Graphics Platform (SoftBIOS) Driver / {6080A529-897E-4629-A488-ABA0C29B635E}][Running/Manual Start]
  <system32\drivers\ialmsbw.sys><Intel Corporation>
[Intel(R) Graphics Chipset (KCH) Driver / {D31A0762-0CEB-444e-ACFF-B049A1F6FE91}][Running/Manual Start]
  <system32\drivers\ialmkchw.sys><Intel Corporation>

==================================
Browser Add-ons
[Adobe PDF Reader Link Helper]
  {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll, Adobe Systems Incorporated>
[Yahoo! IE Services Button]
  {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} <C:\Program Files\Yahoo!\Common\yiesrvc.dll, Yahoo! Inc.>
[]
  {60D3AAEB-AA39-4AE0-B2F9-E4AF0613A2A3} <C:\PROGRA~1\Cosmi\SPYWAR~1\pop\ABG_PL~1.DLL, >
[SSVHelper Class]
  {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} <C:\Program Files\Java\jre1.6.0\bin\ssv.dll, Sun Microsystems, Inc.>
[ST]
  {9394EDE7-C8B5-483E-8773-474BF36AF6E4} <C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll, Microsoft Corporation>
[MSNToolBandBHO]
  {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} <C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll, Microsoft Corporation>
[Java Plug-in 1.6.0]
  {08B0E5C0-4FCB-11CF-AAA5-00401C608501} <C:\Program Files\Java\jre1.6.0\bin\ssv.dll, Sun Microsystems, Inc.>
[Yahoo! IE Services Button]
  {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} <C:\Program Files\Yahoo!\Common\yiesrvc.dll, Yahoo! Inc.>
[Real.com]
  {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} <C:\WINDOWS\System32\Shdocvw.dll, Microsoft Corporation>
[Yahoo! Messenger]
  {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} <C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe, Yahoo! Inc.>
[Messenger]
  {FB5F1910-F110-11d2-BB9E-00C04F795683} <C:\Program Files\Messenger\msmsgs.exe, Microsoft Corporation>
[ZeroBar]
  {F5735C15-1FB2-41FE-BA12-242757E69DDE} <C:\Program Files\NetZero\Toolbar.dll, >
[ZeroBar]
  {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} <C:\Program Files\NetZero\toolbar.dll, >
[MSN]
  {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} <C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll, Microsoft Corporation>
[McAfee VirusScan]
  {BA52B914-B692-46c4-B683-905236F6F655} <c:\progra~1\mcafee.com\vso\mcvsshl.dll, McAfee, Inc.>
[CKAVWebScan Object]
  {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} <C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll, Kaspersky Lab>
[Shockwave ActiveX Control]
  {166B1BCA-3F9C-11CF-8075-444553540000} <C:\WINDOWS\system32\macromed\Director\SwDir.dll, Adobe Systems, Inc.>
[YInstStarter Class]
  {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} <C:\Program Files\Yahoo!\Common\yinsthelper.dll, Yahoo! Inc.>
[McAfee.com Operating System Class]
  {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} <C:\WINDOWS\system32\mcinsctl.dll, McAfee, Inc>
[Java Plug-in 1.6.0]
  {8AD9C840-044E-11D1-B3E9-00805F499D93} <C:\Program Files\Java\jre1.6.0\bin\ssv.dll, Sun Microsystems, Inc.>
[ActiveScan Installer Class]
  {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} <, N/A>
[MsnMessengerSetupDownloadControl Class]
  {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} <, N/A>
[LycosMail Upload Control]
  {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} <, N/A>
[Java Plug-in 1.6.0]
  {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} <C:\Program Files\Java\jre1.6.0\bin\ssv.dll, Sun Microsystems, Inc.>
[Java Plug-in 1.6.0]
  {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} <C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll, Sun Microsystems, Inc.>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>
[AxRUploadControl Object]
  {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} <, N/A>
[QuickTime Object]
  {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} <C:\Program Files\QuickTime\QTPlugin.ocx, Apple Computer, Inc.>
[ActiveMovieControl Object]
  {05589FA1-C356-11CE-BF01-00AA0055595A} <C:\WINDOWS\system32\wmpdxm.dll, Microsoft Corporation>
[Adobe PDF Reader Link Helper]
  {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll, Adobe Systems Incorporated>
[Web Browser Applet Control]
  {08B0E5C0-4FCB-11CF-AAA5-00401C608501} <C:\WINDOWS\System32\msjava.dll, Microsoft Corporation>
[CKAVWebScan Object]
  {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} <C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll, Kaspersky Lab>
[Shockwave ActiveX Control]
  {166B1BCA-3F9C-11CF-8075-444553540000} <C:\WINDOWS\system32\macromed\Director\SwDir.dll, Adobe Systems, Inc.>
[Windows Media Player]
  {22D6F312-B0F6-11D0-94AB-0080C74C7E95} <C:\WINDOWS\system32\wmpdxm.dll, Microsoft Corporation>
[Shockwave ActiveX Control]
  {233C1507-6A77-46A4-9443-F871F945D258} <C:\WINDOWS\system32\Macromed\Director\SwDir.dll, Adobe Systems, Inc.>
[HTML Document]
  {25336920-03F9-11CF-8FD0-00AA00686F13} <%SystemRoot%\System32\mshtml.dll, N/A>
[DHTML Edit Control Safe for Scripting for IE5]
  {2D360201-FFF5-11D1-8D03-00A0C959BC0A} <C:\Program Files\Common Files\Microsoft Shared\Triedit\dhtmled.ocx, Microsoft Corporation>
[HtmlDlgSafeHelper Class]
  {3050F819-98B5-11CF-BB82-00AA00BDCE0B} <C:\WINDOWS\System32\mshtmled.dll, Microsoft Corporation>
[McAfee.com Download+Installer Class]
  {36C417C6-13C6-448B-9784-DD73A93B0582} <C:\WINDOWS\system32\mcinsctl.dll, McAfee, Inc>
[XML Document]
  {48123BC4-99D9-11D1-A6B3-00C04FD91555} <%SystemRoot%\System32\msxml3.dll, N/A>
[Reporte Class]
  {4A2A4430-3967-4461-94C7-BD95C419F3CF} <C:\WINDOWS\system32\ActiveScan\ascontrol.dll, Panda Software>
[McAfee.com Registry Class]
  {4C29D864-C55A-46DD-865C-17A1B7CC1A1A} <C:\WINDOWS\system32\mcinsctl.dll, McAfee, Inc>
[McAfee.com Operating System Class]
  {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} <C:\WINDOWS\system32\mcinsctl.dll, McAfee, Inc>
[Microsoft Licensed Class Manager 1.0]
  {5220CB21-C88D-11CF-B347-00AA00A28331} <C:\WINDOWS\System32\licmgr10.dll, Microsoft Corporation>
[Shell Name Space]
  {55136805-B2DE-11D1-B9F2-00A0C98BC547} <%SystemRoot%\System32\shdocvw.dll, N/A>
[McAfee.com File System Class]
  {5940894F-4BA9-4FAC-ACFD-2F56F7CE0E3B} <C:\WINDOWS\system32\mcinsctl.dll, McAfee, Inc>
[Yahoo! IE Services Button]
  {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} <C:\Program Files\Yahoo!\Common\yiesrvc.dll, Yahoo! Inc.>
[]
  {60D3AAEB-AA39-4AE0-B2F9-E4AF0613A2A3} <C:\PROGRA~1\Cosmi\SPYWAR~1\pop\ABG_PL~1.DLL, >
[CKAVReportCtrl Object]
  {6117669B-8C2D-41FA-A6D9-9E484B999CF0} <C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll, Kaspersky Lab>
[Windows Media Player]
  {6BF52A52-394A-11D3-B153-00C04F79FAA6} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[Seleccion Class]
  {6CEC0297-FAFB-41FB-97EA-77E3081B1DFE} <C:\WINDOWS\system32\ActiveScan\ascontrol.dll, Panda Software>
[ControlConexion Class]
  {6FDCDD41-6C97-4A3B-9E6D-0144B66A1CE4} <C:\WINDOWS\system32\ActiveScan\ascontrol.dll, Panda Software>
[Windows Media Services DRM Storage object]
  {760C4B83-E211-11D2-BF3E-00805FBE84A6} <C:\WINDOWS\system32\drmstor.dll, Microsoft Corporation>
[SSVHelper Class]
  {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} <C:\Program Files\Java\jre1.6.0\bin\ssv.dll, Sun Microsystems, Inc.>
[Microsoft Web Browser]
  {8856F961-340A-11D0-A96B-00C04FD705A2} <C:\WINDOWS\System32\shdocvw.dll, Microsoft Corporation>
[ST]
  {9394EDE7-C8B5-483E-8773-474BF36AF6E4} <C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll, Microsoft Corporation>
[Panda ActiveScan]
  {96567F65-E04C-4611-AF29-7CDEA6FA6A84} <C:\WINDOWS\system32\ACTIVE~1\as.dll, Panda Software>
[ActiveScan Installer Class]
  {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} <, N/A>
[McSubMgr Class]
  {9BE8D7B2-329C-442A-A4AC-ABA9D7572602} <c:\program files\mcafee.com\agent\submgr\6,0,0,16\mcsubmgr.dll, McAfee, Inc>
[Microsoft Scriptlet Component]
  {AE24FDAE-03C6-11D1-8B76-0080C744F389} <C:\WINDOWS\System32\mshtml.dll, Microsoft Corporation>
[SearchAssistantOC]
  {B45FF030-4447-11D2-85DE-00C04FA35C89} <%SystemRoot%\System32\shdocvw.dll, N/A>
[McAfee VirusScan]
  {BA52B914-B692-46C4-B683-905236F6F655} <c:\progra~1\mcafee.com\vso\mcvsshl.dll, McAfee, Inc.>
[DwnldGroupMgr Class]
  {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} <C:\WINDOWS\system32\mcgdmgr.dll, McAfee, Inc>
[RDS.DataSpace]
  {BD96C556-65A3-11D0-983A-00C04FC29E36} <C:\Program Files\Common Files\System\msadc\msadco.dll, Microsoft Corporation>
[MSN]
  {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} <C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll, Microsoft Corporation>
[MSNToolBandBHO]
  {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} <C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll, Microsoft Corporation>
[LycosMail Upload Control]
  {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} <, N/A>
[McAfee.com Shell Helper Class]
  {CA145D71-4BCB-461D-BCBE-C01C42867380} <C:\WINDOWS\system32\mcinsctl.dll, McAfee, Inc>
[Adobe PDF Reader]
  {CA8A9780-280D-11CF-A24D-444553540000} <C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroPDF.dll, Adobe Systems, Inc.>
[AUDIO__MID Moniker Class]
  {CD3AFA74-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[VIDEO__X_MS_ASF Moniker Class]
  {CD3AFA8F-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[VIDEO__X_MS_WMV Moniker Class]
  {CD3AFA94-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[RealPlayer G2 Control]
  {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} <C:\WINDOWS\system32\rmoc3260.dll, RealNetworks, Inc.>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>
[OfficeObj Class]
  {D2BD7935-05FC-11D2-9059-00C04FD7A1BD} <, N/A>
[McAfee.com Application Helper Class]
  {D2D8D3C0-C750-4703-A6AD-75D6B578FFE6} <C:\WINDOWS\system32\mcinsctl.dll, McAfee, Inc>
[GetInfo Class]
  {D5184A39-CBDF-4A4F-AC1A-7A45A852C883} <C:\Program Files\Yahoo!\Common\YVerInfo.dll, Yahoo! Inc.>
[MessengerChecker Class]
  {DA4F543C-C8A9-4E88-9A79-548CBB46F18F} <C:\Program Files\Yahoo!\Messenger\YPagerChecker.dll, TODO: <Company name>>
[Messenger Class]
  {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} <, N/A>
[AxRUploadControl Object]
  {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} <, N/A>
[ZeroBar]
  {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} <C:\Program Files\NetZero\toolbar.dll, >
[ZeroBar]
  {F5735C15-1FB2-41FE-BA12-242757E69DDE} <C:\Program Files\NetZero\Toolbar.dll, >
[IERPCtl Class]
  {FDC7A535-4070-4B92-A0EA-D9994BCC0DC5} <C:\Program Files\Real\RealPlayer\rpplugins\ierpplug.dll, RealNetworks, Inc.>
[&Yahoo! Search]
  <file:///C:\Program Files\Yahoo!\Common/ycsrch.htm, N/A>
[Show All Original Images]
  <"res://C:\Program Files\NetZero\qsacc\appres.dll/228", N/A>
[Show Original Image]
  <"res://C:\Program Files\NetZero\qsacc\appres.dll/227", N/A>
[Yahoo! &Dictionary]
  <file:///C:\Program Files\Yahoo!\Common/ycdict.htm, N/A>
[Yahoo! &Maps]
  <file:///C:\Program Files\Yahoo!\Common/ycmap.htm, N/A>
[Yahoo! &SMS]
  <file:///C:\Program Files\Yahoo!\Common/ycsms.htm, N/A>

==================================
Running Processes
[PID: 284][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 332][\??\C:\WINDOWS\system32\csrss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 356][\??\C:\WINDOWS\system32\winlogon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\Program Files\SUPERAntiSpyware\SASWINLO.dll]  [SUPERAntiSpyware.com, 1, 0, 0, 1028]
[PID: 400][C:\WINDOWS\system32\services.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 412][C:\WINDOWS\system32\lsass.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 556][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 612][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 648][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [c:\windows\system32\uxtuneup.dll]  [TuneUp Software GmbH, 1.0.0.2]
[PID: 704][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 820][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 948][C:\WINDOWS\Explorer.EXE]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
    [c:\progra~1\mcafee.com\vso\McVSSkt.dll]  [McAfee, Inc., 10, 0, 0, 26]
    [C:\WINDOWS\HKNTDLL.dll]  [N/A, N/A]
    [C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL]  [SUPERAntiSpyware.com, 1, 0, 0, 1002]
    [C:\PROGRA~1\Yahoo!\Common\ymmapi.dll]  [Yahoo! Inc., 2004, 11, 23, 1]
    [C:\Program Files\TuneUp Utilities 2007\SDShelEx-win32.dll]  [TuneUp Software GmbH, 2.0.0.2]
    [c:\progra~1\mcafee.com\vso\mcvsshl.dll]  [McAfee, Inc., 10, 0, 0, 19]
    [c:\progra~1\mcafee.com\vso\ShlRes.dll]  [McAfee, Inc., 10, 0, 0, 19]
    [C:\Program Files\7-Zip\7-zipn.dll]  [Igor Pavlov, 4, 10, 0, 0]
    [C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll]  [Adobe Systems, Inc., 7.0.0.0]
    [C:\Program Files\Logitech\Video\AlbuDBps.dll]  [Logitech Inc., 8.2.0.1192]
    [C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll]  [Adobe Systems Incorporated, 7.0.9.2006121800]
    [C:\PROGRA~1\Cosmi\SPYWAR~1\pop\ABG_PL~1.DLL]  [, 2.1.0.1]
    [C:\Program Files\SUPERAntiSpyware\SASSEH.DLL]  [SuperAdBlocker.com, 1, 0, 0, 1008]
[PID: 1028][C:\WINDOWS\system32\spoolsv.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1160][c:\program files\mcafee.com\agent\mcdetect.exe]  [McAfee, Inc, 6, 0, 0, 19]
[PID: 1184][c:\PROGRA~1\mcafee.com\vso\mcshield.exe]  [McAfee Inc., 11.0.0.151]
    [c:\PROGRA~1\mcafee.com\vso\RES00\McShield.DLL]  [McAfee Inc., 11.0.0.141]
    [c:\PROGRA~1\mcafee.com\vso\FTL.Dll]  [McAfee Inc., 11.0.0.151]
    [c:\PROGRA~1\mcafee.com\vso\naiann.dll]  [McAfee, Inc., 10, 0, 0, 21]
    [c:\PROGRA~1\mcafee.com\vso\mytilus.dll]  [McAfee Inc., 11.0.0.151]
    [C:\Program Files\McAfee.com\VSO\MCSCAN32.DLL]  [McAfee, Inc., 5.1.00]
    [c:\program files\mcafee.com\agent\mcagntps.dll]  [McAfee, Inc, 5, 0, 0, 0]
    [c:\progra~1\mcafee.com\vso\naiannps.dll]  [McAfee, Inc, 10, 0, 0, 0]
[PID: 1220][c:\PROGRA~1\mcafee.com\agent\mctskshd.exe]  [McAfee, Inc, 6, 0, 0, 13]
[PID: 1252][c:\PROGRA~1\mcafee.com\vso\OasClnt.exe]  [McAfee, Inc., 10, 0, 0, 24]
    [c:\program files\mcafee.com\agent\mcagntps.dll]  [McAfee, Inc, 5, 0, 0, 0]
    [c:\progra~1\mcafee.com\vso\naiannps.dll]  [McAfee, Inc, 10, 0, 0, 0]
    [c:\progra~1\mcafee.com\vso\mcvsps.dll]  [McAfee, Inc, 10, 0, 0, 17]
    [c:\progra~1\mcafee.com\vso\McVSSkt.dll]  [McAfee, Inc., 10, 0, 0, 26]
[PID: 1304][C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe]  [McAfee, Inc., 10, 0, 0, 22]
    [C:\Program Files\McAfee.com\VSO\VsCfgW32.dll]  [McAfee, Inc., 10, 0, 0, 26]
    [C:\PROGRA~1\mcafee.com\vso\ashldres.dll]  [McAfee, Inc., 10, 0, 0, 26]
    [c:\program files\mcafee.com\agent\submgr\6,0,0,16\mcsubmgr.dll]  [McAfee, Inc, 6, 0, 0, 16]
    [c:\program files\mcafee.com\agent\mcagntps.dll]  [McAfee, Inc, 5, 0, 0, 0]
    [c:\progra~1\mcafee.com\vso\mcvsps.dll]  [McAfee, Inc, 10, 0, 0, 17]
    [c:\progra~1\mcafee.com\vso\McVSSkt.dll]  [McAfee, Inc., 10, 0, 0, 26]
[PID: 1472][c:\program files\mcafee.com\agent\mcagent.exe]  [McAfee, Inc, 6, 0, 0, 16]
    [c:\program files\mcafee.com\agent\SCRes.dll]  [McAfee, Inc, 6, 0, 0, 7]
    [c:\program files\mcafee.com\agent\mcagntps.dll]  [McAfee, Inc, 5, 0, 0, 0]
    [c:\progra~1\mcafee.com\vso\McVSSkt.dll]  [McAfee, Inc., 10, 0, 0, 26]
[PID: 1476][c:\progra~1\mcafee.com\vso\mcvsescn.exe]  [McAfee, Inc., 10, 0, 0, 20]
    [c:\progra~1\mcafee.com\vso\ashldres.dll]  [McAfee, Inc., 10, 0, 0, 26]
    [c:\progra~1\mcafee.com\vso\EmScnRes.dll]  [McAfee, Inc., 10, 0, 0, 26]
    [c:\PROGRA~1\mcafee.com\vso\vsoupd.dll]  [McAfee, Inc., 10, 0, 0, 26]
    [c:\progra~1\mcafee.com\vso\McVSSkt.dll]  [McAfee, Inc., 10, 0, 0, 26]
    [c:\progra~1\mcafee.com\vso\McVsWorm.dll]  [McAfee, Inc., 10, 0, 0, 19]
    [C:\Program Files\McAfee.com\VSO\VsCfgW32.dll]  [McAfee, Inc., 10, 0, 0, 26]
    [c:\progra~1\mcafee.com\vso\WormRes.dll]  [McAfee, Inc., 10, 0, 0, 19]
    [c:\program files\mcafee.com\agent\mcagntps.dll]  [McAfee, Inc, 5, 0, 0, 0]
[PID: 1516][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1928][C:\WINDOWS\zHotkey.exe]  [Chicony, 3, 0, 0, 1]
    [C:\WINDOWS\HKNTDLL.dll]  [N/A, N/A]
    [c:\progra~1\mcafee.com\vso\McVSSkt.dll]  [McAfee, Inc., 10, 0, 0, 26]
[PID: 304][C:\Program Files\Java\jre1.6.0\bin\jusched.exe]  [Sun Microsystems, Inc., 6.0.0.105]
[PID: 324][C:\Program Files\Google\Google Talk\googletalk.exe]  [Google, 1,0,0,104]
    [c:\progra~1\mcafee.com\vso\McVSSkt.dll]  [McAfee, Inc., 10, 0, 0, 26]
[PID: 784][C:\WINDOWS\System32\alg.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1504][C:\tools\sreng2\SREng.EXE]  [Smallfrogs Studio, 2.3.13.690]
    [c:\progra~1\mcafee.com\vso\McVSSkt.dll]  [McAfee, Inc., 10, 0, 0, 26]

==================================
File Associations
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]                                        
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\WINDOWS\hh.exe" %1]
.HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  Error. [notepad.exe "%1" %*]
.JS   Error. [notepad.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock Provider
N/A

==================================
Autorun.Inf
N/A

==================================
HOSTS File
127.0.0.1       localhost

==================================
API HOOK
N/A

==================================
=======RegSrch====
REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "msnetax" 07-03-08 23:30:49

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File2"="C:\\WINDOWS\\SYSTEM32\\MSNETAX.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File3"="C:\\_OTMOVEIT\\MOVEDFILES\\WINDOWS\\SYSTEM32\\MSNETAX.DLL"

== HJT log====
Logfile of HijackThis v1.99.1
Scan saved at 23:37, on 07-03-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {60D3AAEB-AA39-4AE0-B2F9-E4AF0613A2A3} - C:\PROGRA~1\Cosmi\SPYWAR~1\pop\ABG_PL~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Microsoft Works Update Detection] ; c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] ; "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NetZero_uoltray] ; C:\Program Files\NetZero\bak\exec.exe regrun
O4 - HKCU\..\Run: [spc_w] ; "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [SUPERAntiSpyware] ; C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [updateMgr] ; "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Show All Original Images - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Show Original Image - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/c...cab?v=1,0,0,37
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} - http://www.snapfish.com/SnapfishUpload.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
03-09-2007, 03:46 AM   #37
Sempurna (Analyst, Security Team)
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2

Hi tsf1jay,

This is one nasty triumvirate of malware.

OK, this is what we do next. You need to print out these directions, or save them to Notepad (or some other word processor like MS Word), for easier reference.

First of all, please delete your current copy of ComboFix.

Download a new copy of ComboFix from here and save it to your desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Rename ComboFix.exe to something like sahara.exe (any random name will do because the malware is targeting the string "ComboFix").

Please do NOT run a scan with ComboFix just yet!


NEXT:

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

O4 - HKCU\..\Run: [NetZero_uoltray] ; C:\Program Files\NetZero\bak\exec.exe regrun
O4 - HKCU\..\Run: [updateMgr] ; "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1



Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.


NEXT:

Please copy over the *clean* copies of winlogon.exe and ndis.sys that you found, and place them on your desktop.

Then run sahara.exe (which is actually ComboFix.exe) and let it run to completion. It should take care of all three malware files at the same time and replace them with the *legit* copies.


NEXT:

Please run FindAWF one more time and let me see the log it generates.


NEXT:

Please reboot your computer normally into Windows, and then please post the ComboFix log, the FindAWF log, and a new HijackThis log.

How are things running now?
__________________

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum

Last edited by Sempurna; 03-09-2007 at 03:51 AM.
03-10-2007, 07:30 PM   #38
tsf1jay (Registered User)
Join Date: Feb 2007
Posts: 21
OS: XP home edition

Things are running fine now; however, I do not know if there is still malware lurking. Also, I had reinstalled JRE 6 a couple of days back. Here are the scan logs:

===ComboFix====
"Owner" - 07-03-10 17:52:32 Service Pack 2
ComboFix 07-03-09.3 - Running from: "C:\tools"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Owner\Desktop\Internet.lnk
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\WINDOWS\system32\SSTEM3~1


((((((((((((((((((((((((((((((( Files Created from 2007-02-10 to 2007-03-10 ))))))))))))))))))))))))))))))))))


2007-03-07 23:13 <DIR> d-------- C:\Program Files\Java
2007-03-07 23:13 <DIR> d-------- C:\Program Files\Common Files\Java
2007-03-05 19:53 <DIR> d-------- C:\WINDOWS\ERDNT
2007-03-05 18:38 237,568 --a------ C:\DOCUME~1\LOCALS~1\ntuser.dat
2007-03-03 17:05 <DIR> d-------- C:\ERDNT
2007-03-03 05:25 406,016 --a------ C:\WINDOWS\system32\PSDrvCheck.exe
2007-03-03 05:25 221,184 --a------ C:\WINDOWS\system32\LVCOMSX.EXE
2007-03-02 20:42 <DIR> d-------- C:\WINDOWS\Sun
2007-03-01 23:37 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Sun
2007-03-01 23:28 <DIR> d-------- C:\DOCUME~1\Owner\.java
2007-03-01 20:58 <DIR> d-------- C:\avenger
2007-02-28 19:37 2,120 --a------ C:\WINDOWS\system32\tmp.reg
2007-02-28 19:29 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-02-28 19:29 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\SUPERAntiSpyware.com
2007-02-28 19:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-02-25 19:47 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\TuneUp Software
2007-02-24 15:29 4,718,592 --a------ C:\DOCUME~1\Owner\ntuser.dat
2007-02-24 12:52 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-02-23 22:29 <DIR> d-------- C:\Program Files\CCleaner
2007-02-22 22:43 <DIR> d-------- C:\tools
2007-02-22 22:25 114,464 --a------ C:\WINDOWS\system32\drivers\naiavf5x.sys
2007-02-22 22:24 288,320 -ra------ C:\WINDOWS\system32\mcgdmgr.dll
2007-02-22 22:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee.com
2007-02-22 22:23 349,760 --a------ C:\WINDOWS\system32\mcinsctl.dll
2007-02-22 22:23 <DIR> d-------- C:\Program Files\McAfee.com
2007-02-22 20:15 <DIR> d-------- C:\DOCUME~1\Owner\DoctorWeb
2007-02-22 19:27 <DIR> d-------- C:\VundoFix Backups
2007-02-21 15:31 <DIR> d-------- C:\spoolerlogs
2007-02-21 07:29 24,072 --a------ C:\WINDOWS\system32\uxtuneup.dll
2007-02-21 07:28 <DIR> d-------- C:\Program Files\TuneUp Utilities 2007
2007-02-21 07:28 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\TuneUp Software
2007-02-21 07:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TuneUp Software
2007-02-20 21:27 <DIR> d-------- C:\SDAT
2007-02-19 22:36 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-02-19 18:06 1,048,576 --ah----- C:\DOCUME~1\ADMINI~1\ntuser.dat
2007-02-19 18:06 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-02-19 18:06 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-02-19 18:06 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\InterTrust
2007-02-19 18:06 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Adobe
2007-02-19 00:14 <DIR> d-------- C:\Program Files\Ofb1
2007-02-16 10:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MCA1C.tmp
2007-02-14 14:18 <DIR> d-------- C:\Practicum


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-03 20:30 -------- d-------- C:\DOCUME~1\Owner\APPLIC~1\adobeum
2007-03-03 20:28 -------- d-------- C:\Program Files\Common Files\adobe
2007-03-03 16:49 -------- d-------- C:\Program Files\messenger
2007-03-03 05:25 -------- d-------- C:\Program Files\quicktime
2007-03-03 05:25 -------- d-------- C:\Program Files\nzsearch
2007-03-03 05:25 -------- d-------- C:\Program Files\netzero
2007-03-03 05:25 -------- d-------- C:\Program Files\microsoft works
2007-02-28 19:28 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2007-02-20 21:09 1993270 --a------ C:\DOCUME~1\Owner\APPLIC~1\cleanup!.log
2007-02-20 07:51 -------- d-------- C:\Program Files\7-zip


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"googletalk"="\"C:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"CHotkey"="zHotkey.exe"
"googletalk"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe /autostart"
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Logitech Desktop Messenger.lnk"
"backup"="C:\\WINDOWS\\pss\\Logitech Desktop Messenger.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Logitech\\DESKTO~1\\8876480\\Program\\LDMConf.exe /start"
"item"="Logitech Desktop Messenger"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
"path"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\PowerReg Scheduler V3.exe"
"backup"="C:\\WINDOWS\\pss\\PowerReg Scheduler V3.exeStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\PowerReg Scheduler V3.exe"
"item"="PowerReg Scheduler V3"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

HKLM\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
UxTuneUp




~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070228-204833-400
O2 - BHO: (no name) - {B632296A-CCF4-B65E-F9DA-C3DEBFC15CE2} - C:\WINDOWS\system32\hzjs.dll (file missing)
backup-20070228-075557-999
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
backup-20070228-075557-848
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll (file missing)
backup-20070228-075556-427
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\Owner\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
backup-20070228-075556-510
O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
backup-20070222-195238-509
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
backup-20070222-195238-262
O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINDOWS\System32\wins\DLLHOST.EXE (file missing)
backup-20070222-195238-675
O23 - Service: Network Connections Sharing (RpcTftpd) - Unknown owner - C:\WINDOWS\System32\wins\svchost.exe (file missing)
backup-20070222-195238-261
O20 - Winlogon Notify: ideoept - C:\WINDOWS\SYSTEM32\ideoept.dll
backup-20070222-195237-182
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll
backup-20070222-195237-447
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download...reeInstall.cab
backup-20070222-195237-260
O15 - Trusted Zone: *.matcash.com (HKLM)
backup-20070222-195237-440
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
backup-20070222-195237-333
O15 - Trusted Zone: *.winfixer.com (HKLM)
backup-20070222-195237-874
O15 - Trusted Zone: *.media-motor.net (HKLM)
backup-20070222-195237-860
O15 - Trusted Zone: *.winantivirus.com (HKLM)
backup-20070222-195237-824
O15 - Trusted Zone: *.mediatickets.net (HKLM)
backup-20070222-195237-707
O15 - Trusted Zone: *.snipernet.biz (HKLM)
backup-20070222-195237-102
O15 - Trusted Zone: *.media-motor.com (HKLM)
backup-20070222-195237-181
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
backup-20070222-195237-450
O15 - Trusted Zone: *.systemdoctor.com
backup-20070222-195237-117
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
backup-20070222-195237-527
O15 - Trusted Zone: *.winfixer.com
backup-20070222-195237-452
O15 - Trusted Zone: *.errorsafe.com (HKLM)
backup-20070222-195237-474
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
backup-20070222-195237-957
O15 - Trusted Zone: *.adgate.info (HKLM)
backup-20070222-195237-267
O15 - Trusted Zone: *.winantivirus.com
backup-20070222-195237-499
O15 - Trusted Zone: *.imagesrvr.com
backup-20070222-195237-788
O15 - Trusted Zone: *.mediatickets.net
backup-20070222-195237-322
O15 - Trusted Zone: *.matcash.com
backup-20070222-195237-457
O15 - Trusted Zone: *.snipernet.biz
backup-20070222-195237-978
O15 - Trusted Zone: *.dollarrevenue.com
backup-20070222-195237-589
O15 - Trusted Zone: *.media-motor.com
backup-20070222-195237-685
O15 - Trusted Zone: *.errorsafe.com
backup-20070222-195237-812
O2 - BHO: (no name) - {5ccaab50-41e0-4574-a1c6-5a4847a9ce57} - C:\WINDOWS\system32\ideoept.dll
backup-20070222-195237-198
O15 - Trusted Zone: *.adgate.info

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-10 17:59:49

====AWF report ====

Find AWF report by noahdfear ©2006


21504 byte files found
~~~~~~~~~~~~~



21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



25600 byte files found
~~~~~~~~~~~~~

25600 "C:\Program Files\Java\jre1.6.0\bin\keytool.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\kinit.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\klist.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\ktab.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\orbd.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\pack200.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\policytool.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\rmid.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\rmiregistry.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\servertool.exe"
25600 "C:\_OTMoveIt\MovedFiles\Program Files\Java\jre1.6.0\bin\keytool.exe"
25600 "C:\_OTMoveIt\MovedFiles\Program Files\Java\jre1.6.0\bin\kinit.exe"
25600 "C:\_OTMoveIt\MovedFiles\Program Files\Java\jre1.6.0\bin\klist.exe"
25600 "C:\_OTMoveIt\MovedFiles\Program Files\Java\jre1.6.0\bin\ktab.exe"
25600 "C:\_OTMoveIt\MovedFiles\Program Files\Java\jre1.6.0\bin\orbd.exe"
25600 "C:\_OTMoveIt\MovedFiles\Program Files\Java\jre1.6.0\bin\pack200.exe"
25600 "C:\_OTMoveIt\MovedFiles\Program Files\Java\jre1.6.0\bin\policytool.exe"
25600 "C:\_OTMoveIt\MovedFiles\Program Files\Java\jre1.6.0\bin\rmid.exe"
25600 "C:\_OTMoveIt\MovedFiles\Program Files\Java\jre1.6.0\bin\rmiregistry.exe"
25600 "C:\_OTMoveIt\MovedFiles\Program Files\Java\jre1.6.0\bin\servertool.exe"


25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



26450 byte files found
~~~~~~~~~~~~~



26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ADOBE\ACROBA~2.0\READER\BAK

03/30/2006 04:45 PM 313,472 AdobeUpdateManager.exe
1 File(s) 313,472 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"


end of report

====HJT log====
Logfile of HijackThis v1.99.1
Scan saved at 6:15:00 PM, on 3/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {60D3AAEB-AA39-4AE0-B2F9-E4AF0613A2A3} - C:\PROGRA~1\Cosmi\SPYWAR~1\pop\ABG_PL~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Show All Original Images - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Show Original Image - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/c...cab?v=1,0,0,37
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} - http://www.snapfish.com/SnapfishUpload.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
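The "Hijackthis Backups" section of the ComboFix log above records the entries that were fixed earlier in this thread: O15 Trusted Zone additions for rogue-antispyware domains, O20 Winlogon Notify DLLs that no longer exist on disk or sit in odd folders, an unnamed O2 BHO, and O23 services with an unknown owner and a missing binary. As an added example (not part of the thread, and not HijackThis code), here is a small Python triage pass over lines in that log format that flags exactly those shapes. The sample lines are constructed from the ones posted in the thread, and the flagging rules are this example's own heuristics: the list of "expected" directories for a Winlogon Notify DLL is an assumption, and an entry that passes is not thereby proven legitimate.

```python
"""Triage pass over HijackThis-format log lines.

Added example: not part of the thread and not HijackThis code. The flagging
rules are this example's own heuristics; a hit is a lead for a human to check,
not a verdict, and a miss is not a clean bill of health.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the shape of the lines posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {5ccaab50-41e0-4574-a1c6-5a4847a9ce57} - C:\WINDOWS\system32\ideoept.dll
O15 - Trusted Zone: *.winfixer.com (HKLM)
O15 - Trusted Zone: *.errorsafe.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll (file missing)
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINDOWS\System32\wins\DLLHOST.EXE (file missing)
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
"""

# "O20 - rest", "R3 - rest", "F2 - rest": section tag, then the entry body.
LINE_RE = re.compile(r"^([OFR]\d+) - (.*)$")

# Assumption of this example: on XP a Winlogon Notify DLL normally lives in
# one of these trees. Anything else is worth a look, not automatically bad.
NOTIFY_OK_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files\\")


@dataclass
class Finding:
    section: str   # HJT section tag, e.g. "O20"
    reason: str
    line: str


def _path_field(rest: str) -> str:
    """Last ' - ' separated field, with the '(file missing)' tag stripped."""
    tail = rest.rsplit(" - ", 1)[-1]
    return tail.replace("(file missing)", "").strip()


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per line that matches a suspicious shape."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, rest = m.groups()
        missing = "(file missing)" in rest
        if section == "O15":
            # The thread removed every Trusted Zone entry; home users rarely add any.
            findings.append(Finding(section, "site added to IE Trusted Zone", line))
        elif section == "O2" and rest.startswith("BHO: (no name)"):
            findings.append(Finding(section, "BHO with no name", line))
        elif section == "O20":
            if missing:
                findings.append(Finding(section, "Winlogon Notify DLL missing on disk", line))
            elif not _path_field(rest).lower().startswith(NOTIFY_OK_PREFIXES):
                findings.append(Finding(section, "Winlogon Notify DLL outside expected directories", line))
        elif section == "O23" and ("Unknown owner" in rest or missing):
            findings.append(Finding(section, "service with unknown owner or missing binary", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
```

Run as a script it prints one line per finding; a saved log goes through `triage(open(path).read())`. SUPERAntiSpyware's SASWINLO.dll passes only because it lives under Program Files, and winsys2f.dll is flagged purely on its location, so each hit still needs a person to look at the file itself.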
03-10-2007, 08:35 PM   #39
Sempurna (Analyst, Security Team)
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2

Hi tsf1jay,

I’m glad to hear that things are running better now.

There’s still one stubborn malware file, which you might have to replace manually as well. But, first let’s do this next.

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below (don't forget to copy and paste REGEDIT4 as well):

Code:
REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]

Save this as fix.reg and change the "Save as type" to "All Files" and place it on your desktop.

Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful.

In case you still are unsure on how to create a REG file, please take a look HERE with screenshots.


NEXT:

You will find these two files in your computer, but in different folders:

C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe


The first one is the hijacked legit file, while the second is the legit hidden file. So, this is what you need to do.

Delete the file in the first line. Then copy the file in the second line and paste it into the C:\Program Files\Adobe\Acrobat 7.0\Reader folder.

Once that has been successfully done, you may delete the C:\Program Files\Adobe\Acrobat 7.0\Reader\bak folder.


Let me know how things went.


NEXT:

Reconfigure Windows XP to show hidden files:
  • Click Start -> My Computer.
  • Select the Tools menu and click Folder Options. Select the View tab.
  • Under the Hidden files and folders heading check "Show hidden files and folders".
  • Uncheck the "Hide protected operating system files (recommended)" option.
  • Uncheck the "Hide file extensions for known file types" option.
  • Click Yes to confirm. Click OK.

CAUTION: You will see many folders and files which you may not recognize. Most of these folders and files are LEGITIMATE. Please do NOT delete anything you deem suspicious unless you are specifically instructed to do so. To do otherwise may irreparably damage your system.


NEXT:

Please delete these FILES (if found):

C:\Documents and Settings\All Users\Application Data\MCA1C.tmp
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe


NEXT:

Please reboot your computer normally into Windows, and then please post a new FindAWF log and a new HijackThis log.

Last edited by Sempurna; 03-10-2007 at 08:36 PM.
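The FindAWF report and the instructions above describe the pattern this family leaves behind: the real executable is moved into a "bak" folder next to where it lived and a small loader takes its place under the original name, so the report lists files of three fixed sizes and then duplicate pairs between a folder and its bak subfolder. The Java tools in that report show why the size check is weak on its own: every one of those JRE binaries is 25600 bytes and none of them has a bak twin, while the Adobe pair that did need replacing shows the same 313,472 bytes and the same date on both sides, so size and timestamp cannot separate the two copies either. As an added example (not part of the thread, and not FindAWF's code) the Python below applies both checks to a directory tree: a same-named file in a sibling bak folder whose SHA-256 differs is reported as hijacked, an identical bak copy as a plain duplicate, and a bare size match with no bak twin separately as a weak signal. The three sizes are the ones FindAWF prints; the tree it builds in a temp folder is constructed sample data that mirrors the paths in the thread, with placeholder bytes instead of real binaries.

```python
"""Detect the "bak folder" executable hijack that FindAWF reports on.

Added example, not FindAWF's own code. The three loader sizes are the ones
FindAWF's report lists; everything else here is this example's heuristic.
"""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass

KNOWN_LOADER_SIZES = {21504, 25600, 26450}


@dataclass
class Hit:
    kind: str    # "hijacked", "identical-copy" or "size-match-only"
    path: str
    detail: str


def sha256_of(path):
    """Stream a file through SHA-256; size and timestamp alone are not enough."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root):
    """Walk root; compare each file with a same-named copy in a sibling bak folder."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            size = os.path.getsize(full)
            in_bak = os.path.join(dirpath, "bak", name)
            if os.path.isfile(in_bak):
                bak_size = os.path.getsize(in_bak)
                if sha256_of(full) == sha256_of(in_bak):
                    hits.append(Hit("identical-copy", full, "bak copy has the same hash"))
                else:
                    hits.append(Hit("hijacked", full,
                                    f"content differs from bak copy ({size} vs {bak_size} bytes)"))
                continue
            # Weak signal on its own: legitimate binaries share these sizes too.
            if size in KNOWN_LOADER_SIZES:
                hits.append(Hit("size-match-only", full, f"{size} bytes, no bak duplicate"))
    return hits


def summarize(hits):
    """Sorted (kind, file name) pairs, handy for checking a scan result."""
    return sorted((h.kind, os.path.basename(h.path)) for h in hits)


def build_fixture():
    """Constructed sample tree (placeholder bytes, not real binaries)."""
    root = tempfile.mkdtemp(prefix="awf_example_")
    reader = os.path.join(root, "Adobe", "Acrobat 7.0", "Reader")
    os.makedirs(os.path.join(reader, "bak"))
    # Hijacked case: same name and same size on both sides, different content.
    with open(os.path.join(reader, "AdobeUpdateManager.exe"), "wb") as f:
        f.write(b"L" * 313472)
    with open(os.path.join(reader, "bak", "AdobeUpdateManager.exe"), "wb") as f:
        f.write(b"A" * 313472)
    # Benign duplicate: the bak copy is byte-for-byte identical.
    other = os.path.join(root, "Other")
    os.makedirs(os.path.join(other, "bak"))
    for d in (other, os.path.join(other, "bak")):
        with open(os.path.join(d, "tool.exe"), "wb") as f:
            f.write(b"T" * 1000)
    # Size-only matches with no bak twin, like the JRE tools in the thread.
    jre = os.path.join(root, "Java", "jre1.6.0", "bin")
    os.makedirs(jre)
    for tool in ("keytool.exe", "kinit.exe"):
        with open(os.path.join(jre, tool), "wb") as f:
            f.write(b"J" * 25600)
    return root


if __name__ == "__main__":
    root = build_fixture()
    try:
        for hit in scan(root):
            print(f"{hit.kind:16} {os.path.relpath(hit.path, root)}  ({hit.detail})")
    finally:
        shutil.rmtree(root)
```

Point `scan()` at a real root such as `C:\Program Files` to use it outside the fixture. Only the "hijacked" class justifies the replace-from-bak step the analyst describes above; a "size-match-only" hit on its own, as with the JRE tools, is not a reason to move or quarantine anything.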
03-11-2007, 07:22 AM   #40
tsf1jay (Registered User)
Join Date: Feb 2007
Posts: 21
OS: XP home edition

Things went just fine. The logs are below. Let me know if there is still something left that looks suspicious. Do I need _OTMoveIt\MovedFiles\, or can I delete those?

==

Find AWF report by noahdfear ©2006


21504 byte files found
~~~~~~~~~~~~~



21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



25600 byte files found
~~~~~~~~~~~~~

25600 "C:\Program Files\Java\jre1.6.0\bin\keytool.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\kinit.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\klist.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\ktab.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\orbd.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\pack200.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\policytool.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\rmid.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\rmiregistry.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\servertool.exe"
25600 "C:\_OTMoveIt\MovedFiles\Program Files\Java\jre1.6.0\bin\keytool.exe"
25600 "C:\_OTMoveIt\MovedFiles\Program Files\Java\jre1.6.0\bin\kinit.exe"
25600 "C:\_OTMoveIt\MovedFiles\Program Files\Java\jre1.6.0\bin\klist.exe"
25600 "C:\_OTMoveIt\MovedFiles\Program Files\Java\jre1.6.0\bin\ktab.exe"
25600 "C:\_OTMoveIt\MovedFiles\Program Files\Java\jre1.6.0\bin\orbd.exe"
25600 "C:\_OTMoveIt\MovedFiles\Program Files\Java\jre1.6.0\bin\pack200.exe"
25600 "C:\_OTMoveIt\MovedFiles\Program Files\Java\jre1.6.0\bin\policytool.exe"
25600 "C:\_OTMoveIt\MovedFiles\Program Files\Java\jre1.6.0\bin\rmid.exe"
25600 "C:\_OTMoveIt\MovedFiles\Program Files\Java\jre1.6.0\bin\rmiregistry.exe"
25600 "C:\_OTMoveIt\MovedFiles\Program Files\Java\jre1.6.0\bin\servertool.exe"


25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



26450 byte files found
~~~~~~~~~~~~~



26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report
===

Logfile of HijackThis v1.99.1
Scan saved at 9:16:43 AM, on 3/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {60D3AAEB-AA39-4AE0-B2F9-E4AF0613A2A3} - C:\PROGRA~1\Cosmi\SPYWAR~1\pop\ABG_PL~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Show All Original Images - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Show Original Image - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/c...cab?v=1,0,0,37
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} - http://www.snapfish.com/SnapfishUpload.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
tsf1jay is offline  
Copyright 2001 - 2009, Tech Support Forum