Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads

#21, 07-11-2009, 11:17 AM, rpaulie (Registered User, OS: Windows XP)

Re: Need assistance removing NTOSKRNL-HOOK

Hello there,

I appreciate the patience and the assistance.

I ran the thread as instructed. The program ran its course and restarted, but nothing changed.
#22, 07-11-2009, 02:46 PM, forhockey (Analyst, Security Team, Ontario, Canada, OS: Windows 7 Ultimate)

Hi rpaulie,

Quote:
When I entered the option for the Microsoft Windows Recovery Console I received the Blue Screen of Doom when choosing that option. This happened 5 times in a row.
Do you remember the exact error message?


Do you have an XP CD which came with your computer?
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
#23, 07-11-2009, 11:27 PM, rpaulie (Registered User, OS: Windows XP)

Hello forhockey,

Unfortunately I no longer have the XP CD.

The blue screen states as follows:

"A problem has been detected and Windows has been shut down to prevent damage to your computer.

If this is the first time you've seen this screen, restart your computer. If this screen appears again, follow these steps:

Check for viruses on your computer. Remove any installed hard drives or hard drive controllers. Check your hard drive to make sure it is properly configured and terminated. Run CHKDSK /F to check for hard drive corruption, and then restart your computer.

Technical information:

*** STOP: 0x0000007B (0xF78E2524, 0xc0000034, 0x00000000, 0x00000000)"

I ran CHKDSK /F and Windows restarted, stating the 3 stages were OK. Unfortunately it has not solved any issues.

Last edited by rpaulie; 07-11-2009 at 11:35 PM.
#24, 07-12-2009, 12:20 AM, forhockey (Analyst, Security Team, Ontario, Canada, OS: Windows 7 Ultimate)

Hi rpaulie,

Can you please refrain from trying any fixes on the side, as it could make the problem worse, and I'm not sure exactly what you're trying while I'm waiting for your response.

-----------------------------------------------------------------

Open Task Manager > File > New Task (Run...). Copy and paste the following into the text box:

C:\WINDOWS\ERDNT\Hiv-backup\erdnt.exe

Click OK.

Let the program run. Restart after the program is done.

Please update me on the status of your system now.
#25, 07-12-2009, 08:21 AM, rpaulie (Registered User, OS: Windows XP)

Hello there,

The system appears the same.

Unfortunately the script could not back up everything. Here are the errors I recorded:

"Unable to create a backup of the current registry file

C:\DOCUME~1\PAULJA~1\ntuser.dat!

C:\DOCUME~1\PAULJA~1\LOCALS~1\APPLIC~1\MICROS~1\Windows\UsrClass.dat!

Error Restoring

C:\WINDOWS\ERDMT\Hiv-backup\Users\0000006\UserClass.dat
to
C:\DOCUME~1\PAULJA~1\LOCALS~1\APPLIC~1\MICROS~1\Windows\UserClass.dat!

Hope this helps.
#26, 07-12-2009, 10:39 AM, forhockey (Analyst, Security Team, Ontario, Canada, OS: Windows 7 Ultimate)

Hello,


Open Task Manager > File > New Task (Run...). Copy and paste the following into the text box:

cmd /c PEV -l "%systemdrive%\explorer.exe" >Log.txt&Log.txt&del Log.txt

Click OK.

A log will open. Please reply back with the contents of Log.txt.
#27, 07-12-2009, 11:05 AM, rpaulie (Registered User, OS: Windows XP)

Hello forhockey,

Enclosed is the log as requested.

----a-w- 1,036,288 2009-07-10 03:18:20 C:\WINDOWS\explorer.exe
----a-w- 1,033,216 2007-06-13 11:26:03 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
-c----w- 1,033,216 2007-06-13 10:23:07 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
------w- 1,033,728 2008-04-14 00:12:19 C:\WINDOWS\ServicePackFiles\i386\explorer.exe
----a-w- 1,033,728 2008-04-14 00:12:19 C:\WINDOWS\system32\dllcache\cache\explorer.exe

Entries: 5 (5)
Directories: 0 Files: 5
Bytes: 5,170,176 Blocks: 10,098
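The listing above is the evidence the analyst acts on: the copies under ServicePackFiles and dllcache were written by Windows itself and agree with each other (1,033,728 bytes, 2008-04-14), while the live C:\WINDOWS\explorer.exe is 2,560 bytes larger and dated 2009-07-10. The script below is an added example, not code from the thread or from the PEV tool. It parses a PEV -l listing (the one posted above is embedded as its input), sorts the entries into reference copies, archived hotfix/uninstall copies and the live file, and flags any live copy whose size or modification time disagrees with the reference copies. That three-way classification is this example's assumption about the directory layout, not something PEV reports.

```python
"""Triage a `PEV -l` listing of a system binary's copies (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# The listing exactly as posted in the thread; the only input this example uses.
PEV_LISTING = r"""
----a-w- 1,036,288 2009-07-10 03:18:20 C:\WINDOWS\explorer.exe
----a-w- 1,033,216 2007-06-13 11:26:03 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
-c----w- 1,033,216 2007-06-13 10:23:07 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
------w- 1,033,728 2008-04-14 00:12:19 C:\WINDOWS\ServicePackFiles\i386\explorer.exe
----a-w- 1,033,728 2008-04-14 00:12:19 C:\WINDOWS\system32\dllcache\cache\explorer.exe

Entries: 5 (5)
Directories: 0 Files: 5
Bytes: 5,170,176 Blocks: 10,098
"""

# attrs  size  date time  path   (path comes last and may contain spaces)
LINE_RE = re.compile(
    r"^(?P<attrs>[-a-z]{8})\s+(?P<size>[\d,]+)\s+"
    r"(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<path>.+)$"
)


@dataclass(frozen=True)
class Entry:
    attrs: str
    size: int
    mtime: datetime
    path: str

    @property
    def kind(self) -> str:
        """Assumed classification (PEV itself does not report this):
        reference = copies Windows wrote (service pack source, File Protection cache);
        archived  = hotfix/uninstall backups in $...$ folders, legitimately older;
        live      = anything else, i.e. the file that actually gets executed."""
        parts = self.path.lower().split("\\")
        if "servicepackfiles" in parts or "dllcache" in parts:
            return "reference"
        if any(p.startswith("$") and p.endswith("$") for p in parts):
            return "archived"
        return "live"


def parse_pev(text: str) -> list[Entry]:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # the summary lines and blanks do not match and are skipped
            entries.append(Entry(m["attrs"], int(m["size"].replace(",", "")),
                                 datetime.strptime(m["stamp"], "%Y-%m-%d %H:%M:%S"),
                                 m["path"]))
    return entries


def triage(text: str) -> tuple[int, dict[str, list[str]]]:
    """Return (reference size, {live path: reasons}) for live copies that disagree with the cache."""
    entries = parse_pev(text)
    refs = [e for e in entries if e.kind == "reference"]
    if not refs:
        raise ValueError("listing has no ServicePackFiles/dllcache copy to compare against")
    ref_size = Counter(e.size for e in refs).most_common(1)[0][0]
    newest_ref = max(e.mtime for e in refs)
    report: dict[str, list[str]] = {}
    for e in entries:
        if e.kind != "live":
            continue
        reasons = []
        if e.size != ref_size:
            reasons.append(f"size {e.size:,} differs from reference {ref_size:,} "
                           f"by {e.size - ref_size:+,} bytes")
        if e.mtime > newest_ref:
            reasons.append(f"modified {e.mtime:%Y-%m-%d}, after the newest reference copy "
                           f"({newest_ref:%Y-%m-%d})")
        if reasons:
            report[e.path] = reasons
    return ref_size, report


if __name__ == "__main__":
    ref_size, report = triage(PEV_LISTING)
    for path, reasons in report.items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Size and timestamp agreement is only a screen: a replacement padded to the original size with the original timestamp copied over would pass it. The decision to replace the file should rest on a hash comparison against the cached copies, and the cached copies themselves have to agree with each other before they are trusted.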
#28, 07-12-2009, 01:01 PM, forhockey (Analyst, Security Team, Ontario, Canada, OS: Windows 7 Ultimate)

Hi rpaulie,

Download the following file to the root of your C: drive (C:\). Link

-----------------------------------------------------------------

Open Task Manager > File > New Task (Run...). Copy and paste the following into the text box:

cmd /c ren "%systemdrive%\copy.txt" copy.bat&"C:\copy.bat"

Click OK.

A black window shall appear for a few seconds and then close.

-----------------------------------------------------------------

Open Task Manager > File > New Task (Run...). Copy and paste the following into the text box:

C:\

Click OK.

Do you see ComboFix.txt anywhere?

If you do, then please open it and post the contents.

-----------------------------------------------------------------

Restart your computer and update me on the status of your computer.
Attached file: copy.txt (129 bytes)
#29, 07-12-2009, 02:04 PM, rpaulie (Registered User, OS: Windows XP)

I downloaded the text file to C:\ and ran the script. The black window appeared for a second or two.

Unfortunately, Task Manager was unable to find C:\ when I entered it; it came back stating it is an unspecified file.

However, I was able to view the contents of C:\ by using the Browse button. Unfortunately there was no ComboFix.txt file in that folder when I viewed all files.
#30, 07-12-2009, 07:25 PM, forhockey (Analyst, Security Team, Ontario, Canada, OS: Windows 7 Ultimate)

Hi rpaulie,

Quote:
Restart your computer and update me on the status of your computer.
After all is said and done. Are you able to see your desktop after you restarted your machine?
#31, 07-12-2009, 07:51 PM, rpaulie (Registered User, OS: Windows XP)

Hello forhockey,

I am sorry, but no success. No icons or any further changes.
#32, 07-12-2009, 08:22 PM, forhockey (Analyst, Security Team, Ontario, Canada, OS: Windows 7 Ultimate)

Can you please re-run the following command.

Open Task Manager > File > New Task (Run...). Copy and paste the following into the text box:

cmd /c PEV -l "%systemdrive%\explorer.exe" >Log.txt&Log.txt&del Log.txt

Click OK.

A log will open. Please reply back with the contents of Log.txt.
#33, 07-12-2009, 08:40 PM, rpaulie (Registered User, OS: Windows XP)

Enclosed is the log as requested:

----a-w- 1,036,288 2009-07-10 03:18:20 C:\WINDOWS\explorer.exe
----a-w- 1,033,216 2007-06-13 11:26:03 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
-c----w- 1,033,216 2007-06-13 10:23:07 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
------w- 1,033,728 2008-04-14 00:12:19 C:\WINDOWS\ServicePackFiles\i386\explorer.exe
----a-w- 1,033,728 2008-04-14 00:12:19 C:\WINDOWS\system32\dllcache\cache\explorer.exe

Entries: 5 (5)
Directories: 0 Files: 5
Bytes: 5,170,176 Blocks: 10,098
#34, 07-12-2009, 09:21 PM, forhockey (Analyst, Security Team, Ontario, Canada, OS: Windows 7 Ultimate)

Hi rpaulie,

Seems like you're going to have to help me out manually. Please read through my instructions carefully, and if you have any questions please ask me beforehand.

--------------------------------------------------------------

Please browse to the following file:

C:\WINDOWS\explorer.exe

Right-click on the file and rename explorer.exe to explorer.old

--------------------------------------------------------------

Next, browse to the following file:

C:\WINDOWS\system32\dllcache\cache\explorer.exe

Right-click on the file and click copy

Navigate back to the previous folder -> C:\WINDOWS\system32\dllcache

Right-click and paste.

Next, navigate back to the following folder -> C:\WINDOWS

Right-click and paste

If it asks you if you want to replace the existing file, then click "Yes"

--------------------------------------------------------------

Double click on explorer.exe
Click OK.

Does your desktop load now?
#35, 07-13-2009, 06:03 PM, rpaulie (Registered User, OS: Windows XP)

Hello there,

Success! To a degree.

I was able to locate C:\WINDOWS\explorer.exe and changed it to explorer.old like you instructed.

I was unable to locate
C:\WINDOWS\system32\dllcache\cache\explorer.exe

For some reason, there was no dllcache folder.

I manually ran it as a new task. Spybot Search & Destroy kept flashing all over the place.

Uninstalled it and tried it again, and my desktop is now back!

McAfee didn't pick up NTOSKRNL-HOOK, but it did find a few other cute Trojans; they appear to be minor when I looked them up.

Thank you very much for your instructions and patience.

If there is anything else you need me to do please let me know.

Last edited by rpaulie; 07-13-2009 at 06:04 PM.
#36, 07-13-2009, 09:26 PM, forhockey (Analyst, Security Team, Ontario, Canada, OS: Windows 7 Ultimate)

Hi rpaulie,


Ya, Good job!!

However, there are still a few things to deal with. It doesn't sound like you were able to copy the files, because you couldn't see the dllcache folder. I've added new instructions so you can see the folder, so please follow this new set of instructions.

--------------------------------------------------------------

Open My Computer. Select the Tools menu and click Folder Options. Select the View tab, then select Show hidden files and folders in the Hidden files and folders section. Also make sure there is no checkmark beside Hide protected operating system files (recommended). Click OK.

--------------------------------------------------------------

Next, browse to the following file:

C:\WINDOWS\system32\dllcache\cache\explorer.exe

Right-click on the file and click copy

Navigate back to the previous folder -> C:\WINDOWS\system32\dllcache

Right-click and paste.

Next, navigate back to the following folder -> C:\WINDOWS

Right-click and paste

If it asks you if you want to replace the existing file, then click "Yes"

--------------------------------------------------------------

Quote:
McAfee didn't pick up NTOSKRNL-HOOK but a few other cute Trojans but they appear to be minor when I looked them up.
Can you list what locations McAfee found these files at? If you could please provide the full path with the file name.

--------------------------------------------------------------

** Disable any Anti-virus or Anti-spyware software

--------------------------------------------------------------

Please run Combo-Fix.exe by simply double-clicking on the executable and post the resulting log.

--------------------------------------------------------------

** Re-enable your Anti-virus or Anti-spyware software
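The file-replacement steps above (rename the live explorer.exe to explorer.old, copy the dllcache\cache copy back into dllcache and into C:\WINDOWS) are the same procedure given in post #34, now with hidden and protected files made visible. The script below is an added example, not code from the thread, PEV or ComboFix. It performs that replacement and adds the check a responder wants before trusting a cache: every cached copy it finds must hash identically, and it refuses to proceed when they disagree, since a cache the malware has also overwritten is worse than none. It keeps the displaced file as explorer.old rather than deleting it, so the sample survives for analysis. The candidate cache paths, the temporary directory tree and the placeholder bytes standing in for the binaries are this example's constructed assumptions; on a real machine you would pass the real %SystemRoot%.

```python
"""Restore a tampered system binary from Windows' own cached copies, with verification
(added example; not code from the thread, PEV or ComboFix)."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


# Where XP keeps pristine copies of protected files, relative to %SystemRoot%.
# The extra dllcache\cache level is assumed from the listing posted in this thread.
CANDIDATE_RELPATHS = (
    Path("ServicePackFiles") / "i386",
    Path("system32") / "dllcache",
    Path("system32") / "dllcache" / "cache",
)


def find_reference_copy(sysroot: Path, name: str) -> tuple[Path, str]:
    """Return (path, sha256) of the clean copy; raise if the cached copies disagree."""
    found = {}
    for rel in CANDIDATE_RELPATHS:
        candidate = sysroot / rel / name
        if candidate.is_file():
            found[candidate] = sha256(candidate)
    if not found:
        raise FileNotFoundError(f"no cached copy of {name} under {sysroot}")
    if len(set(found.values())) != 1:
        # A cache the malware also overwrote is worse than no cache: stop and investigate.
        raise RuntimeError(f"cached copies of {name} disagree: {found}")
    path = next(iter(found))
    return path, found[path]


def restore_system_binary(sysroot: Path, name: str) -> dict:
    live = sysroot / name
    ref_path, ref_hash = find_reference_copy(sysroot, name)
    if live.is_file() and sha256(live) == ref_hash:
        return {"action": "none", "reason": "live file already matches cache", "hash": ref_hash}
    backup = None
    if live.is_file():
        # Keep the displaced file (explorer.exe -> explorer.old) as a sample, as the analyst did.
        backup = live.with_suffix(".old")
        live.replace(backup)
    shutil.copy2(ref_path, live)  # copy2 also carries over the cache copy's timestamp
    # Seed every cache location that lacks the file, so Windows File Protection,
    # which repairs protected files from dllcache, has a clean copy too.
    for rel in CANDIDATE_RELPATHS:
        target = sysroot / rel / name
        if target.parent.is_dir() and not target.is_file():
            shutil.copy2(ref_path, target)
    if sha256(live) != ref_hash:
        raise RuntimeError("restored file does not hash as the reference copy")
    return {"action": "restored", "from": str(ref_path), "backup": str(backup), "hash": ref_hash}


def build_demo_tree() -> Path:
    """Constructed stand-in for the thread's layout: tampered live copy, clean copies
    only under ServicePackFiles\\i386 and dllcache\\cache. File contents are placeholders."""
    root = Path(tempfile.mkdtemp()) / "WINDOWS"
    (root / "system32" / "dllcache" / "cache").mkdir(parents=True)
    (root / "ServicePackFiles" / "i386").mkdir(parents=True)
    clean = b"MZ" + b"\x00" * 1000        # stands in for the 1,033,728-byte SP3 copy
    tampered = clean + b"\x90" * 2560     # stands in for the live copy, 2,560 bytes larger
    (root / "system32" / "dllcache" / "cache" / "explorer.exe").write_bytes(clean)
    (root / "ServicePackFiles" / "i386" / "explorer.exe").write_bytes(clean)
    (root / "explorer.exe").write_bytes(tampered)
    return root


if __name__ == "__main__":
    print(restore_system_binary(build_demo_tree(), "explorer.exe"))
```

On a live XP system the copy over C:\WINDOWS\explorer.exe fails while explorer.exe is loaded (the "already in use" error reported later in this thread), so the replacement has to be done from the Recovery Console or after ending explorer.exe in Task Manager. Hash the live file again after the reboot: if it no longer matches the cache, something is still putting the modified copy back.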
#37, 07-15-2009, 10:38 AM, rpaulie (Registered User, OS: Windows XP)

Hello,

My apologies for the delay. I will post the update very soon, hopefully later today. The last two days have been crazy busy for me, but I wanted to let you know.

Also, it looks like the little NTOSKRNL-HOOK bugger is back when I ran McAfee. I'll run the antivirus one more time, record the findings, disable everything, follow your instructions and post an update soon.
#38, 07-15-2009, 09:17 PM, rpaulie (Registered User, OS: Windows XP)

Hello Forhockey,

I was able to follow most of the instructions.

I was able to copy the explorer file from:

C:\WINDOWS\system32\dllcache\cache\explorer.exe

to

C:\WINDOWS\system32\dllcache

Unfortunately, I was unable to also copy it to

C:\WINDOWS

since I kept getting a message stating the program is already in use. I also tried again after a reboot, but had no success.

Upon running ComboFix, a prompt appeared before rebooting with this message:

ComboFix has detected the presence of rootkit activity and needs to reboot the machine. Kindly note down on paper the name of each file:

C:\windows\system32\drivers\UACpsejapywkixmasrln.sys
C:\windows\system32\\UACclyyjppeyxqkjepyc.dll
C:\windows\system32\UACxpilmabdxurxofpq.dll
C:\windows\system32\UACoqaoyxuwccnvooqcj.dat
C:\windows\system32\UACjjcuelwyexyxhnonk.db
C:\windows\system32\UACqmwqiwyeodrhajbro.dll
C:\windows\system32\UACdwoewfjtnmigxjgmp.dll
C:\windows\system32\UACpwxditnspuosptoqj.dll

I am attaching the report from ComboFix that was generated when my computer rebooted. I am also considering removing McAfee. It rarely gives me an accurate report, I was informed it can also get infected easily, and for some reason it blocks access to certain programs, such as Warcraft, that I was not able to access until I disabled it.

Hope this helps, and feel free to let me know if you need anything else.

ComboFix 09-07-14.08 - Paul Jacobsen 07/15/2009 22:23.5.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.705 [GMT -4:00]
Running from: c:\documents and settings\Paul Jacobsen\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\PAULJA~1\LOCALS~1\Temp\svchost.exe
c:\windows\Installer\19fb5.msp
c:\windows\Installer\1a831.msp
c:\windows\Installer\1b67a.msp
c:\windows\Installer\1d925.msp
c:\windows\Installer\21217.msp
c:\windows\Installer\21ec9.msp
c:\windows\system32\drivers\UACpsejapywkixmasrln.sys
c:\windows\system32\UACclyyjppeyxqkjepyc.dll
c:\windows\system32\UACdwoewfjtnmigxjgmp.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACjjcuelwyexyxhnonk.db
c:\windows\system32\UAClesijgsrtkdltgvuk.db
c:\windows\system32\UACoqaoyxuwccnvooqcj.dat
c:\windows\system32\UACpwxditnspuosptoqj.dll
c:\windows\system32\UACqmwqiwyeodrhajbro.dll
c:\windows\system32\UACxpilmabdjxurxofpq.dll

Infected copy of c:\windows\system32\lsass.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\lsass.exe

Infected copy of c:\windows\system32\services.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\cache\services.exe

Infected copy of c:\windows\system32\svchost.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\svchost.exe

Infected copy of c:\windows\system32\spoolsv.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\spoolsv.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-06-16 to 2009-07-16 )))))))))))))))))))))))))))))))
.

2009-07-13 23:24 . 2009-07-13 23:24 -------- d--h--w- c:\windows\PIF
2009-07-13 21:24 . 2009-07-13 21:54 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-13 21:24 . 2009-07-13 21:54 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2009-07-13 04:08 . 2006-03-03 12:07 143360 ----a-w- c:\windows\system32\dunzip32.dll
2009-07-13 04:06 . 2007-11-22 10:44 33832 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-07-13 04:06 . 2007-12-02 16:51 40488 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-07-13 04:06 . 2007-11-22 10:44 79304 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-07-13 04:06 . 2007-11-22 10:44 35240 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-07-13 04:06 . 2007-11-22 10:44 201320 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-07-13 04:06 . 2007-07-13 10:20 113952 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-07-13 04:05 . 2009-07-13 04:06 -------- d-----w- c:\program files\McAfee.com
2009-07-13 04:05 . 2009-07-13 04:06 -------- d-----w- c:\program files\Common Files\McAfee
2009-07-13 04:05 . 2009-07-13 04:08 -------- d-----w- c:\program files\McAfee
2009-07-12 15:25 . 2009-07-12 15:25 -------- d-----w- C:\AVGTemp
2009-07-11 20:17 . 2009-07-13 04:08 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\McAfee
2009-07-10 18:02 . 2009-07-10 18:02 -------- d-----w- c:\windows\system32\wbem\Repository
2009-07-10 18:02 . 2009-07-10 18:02 -------- d-----w- c:\documents and settings\Paul Jacobsen\Application Data\Azureus
2009-07-10 18:02 . 2009-07-10 18:02 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Azureus
2009-07-10 18:02 . 2009-07-10 18:02 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\93535306
2009-07-10 18:02 . 2009-07-10 18:02 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\13525314
2009-07-10 18:02 . 2009-07-10 18:02 -------- d-----w- C:\32788R22FWJFW(2)
2009-07-10 18:02 . 2009-07-10 18:02 -------- d-----w- C:\RECYCLER(2)
2009-07-10 03:16 . 2009-07-10 18:02 -------- d-----w- C:\Combo-Fix(2)
2009-07-06 04:32 . 2009-07-06 04:32 -------- d-----w- c:\documents and settings\Paul Jacobsen\Application Data\vlc
2009-07-05 20:37 . 2009-07-05 20:37 -------- d-----w- c:\documents and settings\Paul Jacobsen\Application Data\GARMIN
2009-07-05 20:37 . 2009-07-05 20:37 -------- d-----w- c:\program files\Garmin GPS Plugin
2009-07-05 20:35 . 2009-07-05 20:35 -------- d-----w- c:\program files\Garmin
2009-07-05 14:39 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-07-05 14:39 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\dllcache\grpconv.exe
2009-07-03 18:01 . 2009-07-03 18:21 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-07-03 18:01 . 2009-07-03 18:21 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\ParetoLogic
2009-06-25 23:46 . 2009-06-25 23:46 -------- d-----w- c:\documents and settings\Paul Jacobsen\Local Settings\Application Data\ATI
2009-06-25 23:46 . 2009-06-25 23:46 -------- d-----w- c:\documents and settings\Paul Jacobsen\Application Data\ATI
2009-06-25 23:46 . 2009-06-25 23:46 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\ATI
2009-06-25 23:45 . 2009-06-25 23:45 0 ----a-w- c:\windows\ativpsrm.bin
2009-06-25 23:41 . 2009-06-25 23:41 9158 ----a-r- c:\documents and settings\Paul Jacobsen\Application Data\Microsoft\Installer\{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}\ARPPRODUCTICON.exe
2009-06-25 23:41 . 2009-06-25 23:44 -------- d-----w- c:\program files\Common Files\ATI Technologies
2009-06-25 23:40 . 2009-07-05 20:35 -------- d-----w- c:\program files\DIFX
2009-06-25 23:40 . 2009-06-25 23:40 -------- d-----w- c:\program files\USB TV
2009-06-25 23:39 . 2008-07-04 01:05 593920 ------w- c:\windows\system32\ati2sgag.exe
2009-06-25 23:39 . 2009-06-25 23:44 -------- d-----w- c:\program files\ATI Technologies
2009-06-25 23:37 . 2009-06-25 23:37 -------- d-----w- C:\AMD
2009-06-25 23:31 . 2009-06-25 23:31 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-23 19:12 . 2009-06-23 19:12 -------- d-----w- c:\documents and settings\Paul Jacobsen\Application Data\Malwarebytes
2009-06-23 19:12 . 2009-06-23 19:12 -------- d-----w- c:\program files\Trend Micro
2009-06-23 19:12 . 2009-06-23 19:12 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-06-23 19:01 . 2009-06-23 19:01 3584 ----a-r- c:\documents and settings\Paul Jacobsen\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-06-23 19:01 . 2009-06-23 19:01 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-06-23 19:01 . 2009-06-23 19:01 -------- d-----w- c:\program files\MSECACHE
2009-06-21 15:30 . 2009-06-21 15:30 40960 --sh--r- c:\windows\system32\activedsp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-15 20:56 . 2006-12-30 00:29 -------- d-----w- c:\program files\World of Warcraft
2009-07-11 17:33 . 2007-11-16 01:27 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-11 17:31 . 2009-06-06 05:59 117760 ----a-w- c:\documents and settings\Paul Jacobsen\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-10 03:18 . 2005-08-16 09:18 1036288 ----a-w- c:\windows\explorer.old.exe
2009-07-07 00:24 . 2008-06-15 20:29 -------- d-----w- c:\documents and settings\Paul Jacobsen\Application Data\acccore
2009-07-07 00:24 . 2007-01-09 03:46 -------- d-----w- c:\documents and settings\Paul Jacobsen\Application Data\AdobeUM
2009-07-07 00:24 . 2007-01-04 21:09 -------- d-----w- c:\documents and settings\Paul Jacobsen\Application Data\Apple Computer
2009-07-07 00:18 . 2009-06-06 05:35 16141 ----a-w- c:\documents and settings\Paul Jacobsen\Application Data\Apple Computer\lego.exe
2009-07-07 00:18 . 2009-06-06 05:35 145131 ----a-w- c:\documents and settings\Paul Jacobsen\Application Data\AdobeUM\nomad.exe
2009-07-07 00:18 . 2009-06-06 05:35 11232 ----a-w- c:\documents and settings\Paul Jacobsen\Application Data\acccore\shalom.exe
2009-07-03 20:51 . 2009-04-24 03:42 -------- d-----w- c:\program files\Lavasoft
2009-07-02 22:12 . 2009-03-09 23:29 -------- d-----w- c:\program files\MONOGRAM AMR SplitterDecoder
2009-06-29 04:40 . 2009-01-30 17:28 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\28399
2009-06-25 23:41 . 2006-12-11 21:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-23 22:00 . 2008-07-08 02:36 -------- d-----w- c:\program files\AIM6
2009-06-23 22:00 . 2006-12-11 21:48 -------- d-----w- c:\program files\Viewpoint
2009-06-23 22:00 . 2006-12-11 21:48 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Viewpoint
2009-06-23 21:59 . 2007-01-14 22:09 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\AOL Downloads
2009-06-23 18:50 . 2006-12-11 21:53 -------- d-----w- c:\program files\Yahoo!
2009-06-23 18:47 . 2008-06-29 20:35 -------- d-----w- c:\program files\Windows Live Safety Center
2009-06-11 22:51 . 2006-12-11 22:01 72680 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-10 07:04 . 2006-12-11 21:53 -------- d-----w- c:\program files\Microsoft Works
2009-06-06 05:59 . 2009-06-06 05:59 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2009-06-06 05:58 . 2009-06-06 05:58 -------- d-----w- c:\documents and settings\Paul Jacobsen\Application Data\SUPERAntiSpyware.com
2009-06-06 05:35 . 2009-06-06 05:35 11410 ----a-w- c:\documents and settings\Paul Jacobsen\Application Data\ArcSoft\msgdi.dll
2009-06-06 05:35 . 2009-06-06 05:35 10121 ----a-w- c:\documents and settings\Paul Jacobsen\Application Data\AVS4YOU\kern.dll
2009-06-06 05:35 . 2007-12-06 22:20 -------- d-----w- c:\documents and settings\Paul Jacobsen\Application Data\ArcSoft
2009-06-06 05:35 . 2009-06-06 05:35 422 ----a-w- c:\documents and settings\Paul Jacobsen\Application Data\Adobe\socks1.exe
2009-06-06 05:35 . 2009-06-06 05:35 13221 ----a-w- c:\documents and settings\Paul Jacobsen\Application Data\acccore(2)\rengo.dll
2009-05-07 15:32 . 2005-08-16 09:18 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2005-08-16 09:18 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2005-08-16 09:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2005-08-16 09:18 1847168 ----a-w- c:\windows\system32\win32k.sys
2007-08-29 22:08 . 2007-08-29 22:08 20480 --sha-w- c:\program files\Thumbs.db
2004-03-11 20:55 . 2004-03-11 20:55 71964 ----a-w- c:\program files\sp698ent.inf
2004-03-11 20:55 . 2004-03-11 20:55 4709818 ----a-w- c:\program files\VS6sp64.cab
2004-03-11 20:54 . 2004-03-11 20:54 10010624 ----a-w- c:\program files\VS6sp63.cab
2004-03-11 20:51 . 2004-03-11 20:51 10010624 ----a-w- c:\program files\VS6sp62.cab
2004-03-11 20:47 . 2004-03-11 20:47 28712960 ----a-w- c:\program files\VS6sp61.cab
2004-03-11 20:40 . 2004-03-11 20:40 75871 ------w- c:\program files\sp698ent.stf
2004-03-11 20:40 . 2004-03-11 20:40 1636 ------w- c:\program files\setupsp6.lst
2004-03-11 19:01 . 2004-03-11 19:01 989512 ----a-w- c:\program files\vbrun60.cab
2004-03-11 02:39 . 2004-03-11 02:39 60699 ----a-w- c:\program files\msstdfmt.cab
2004-03-11 02:39 . 2004-03-11 02:39 37721 ----a-w- c:\program files\MSBind.CAB
2004-03-09 21:45 . 2004-03-09 21:45 397072 ----a-w- c:\program files\mswless.ocx
2004-03-09 21:45 . 2004-03-09 21:45 107008 ----a-w- c:\program files\msscript.ocx
2004-02-24 01:35 . 2004-02-24 01:35 3027068 ----a-w- c:\program files\msvbvm60.dbg
2004-02-18 01:56 . 2004-02-18 01:56 110080 ------w- c:\program files\sp698ent.dll
2004-02-18 01:34 . 2004-02-18 01:34 1821920 ----a-w- c:\program files\vcredist.exe
2004-02-17 10:11 . 2004-02-17 10:11 737329 ----a-w- c:\program files\msvcep.dll
2004-02-17 09:36 . 2004-02-17 09:36 708669 ----a-w- c:\program files\msse.dll
2004-02-11 22:36 . 2004-02-11 22:36 6308 ------w- c:\program files\readme.htm
2004-02-11 18:32 . 2004-02-11 18:32 2302 ------w- c:\program files\eula.txt
2003-01-14 19:58 . 2003-01-14 19:58 487481 ----a-w- c:\program files\jscript.dll
2003-01-14 19:58 . 2003-01-14 19:58 438330 ----a-w- c:\program files\vbscript.dll
2001-03-30 16:54 . 2001-03-30 16:54 149 ------w- c:\program files\setup.ini
2000-11-29 20:34 . 2000-11-29 20:34 4291 ------w- c:\program files\toc.htm
2000-07-15 19:43 . 2000-07-15 19:43 84 ------w- c:\program files\setup.tdf
2000-07-15 19:10 . 2000-07-15 19:10 26896 ----a-w- c:\program files\dispex.dll
2000-06-13 17:47 . 2000-06-13 17:47 2718 ------w- c:\program files\redist.txt
2000-06-13 16:08 . 2000-06-13 16:08 46189 ----a-w- c:\program files\ocdb.h
2000-06-13 15:56 . 2000-06-13 15:56 12972 ----a-w- c:\program files\sqloledb.h
2000-06-13 15:52 . 2000-06-13 15:52 3090 ----a-w- c:\program files\adc.h
2000-06-13 15:52 . 2000-06-13 15:52 2289 ----a-w- c:\program files\msremote.h
2000-06-13 15:52 . 2000-06-13 15:52 1387 ----a-w- c:\program files\persist.h
2000-06-13 15:52 . 2000-06-13 15:52 5904 ----a-w- c:\program files\simpdata.tlb
2000-06-13 15:52 . 2000-06-13 15:52 1710 ----a-w- c:\program files\osptk.lib
2000-06-13 15:52 . 2000-06-13 15:52 5797 ----a-w- c:\program files\msdaosp.h
2000-06-13 15:52 . 2000-06-13 15:52 27832 ----a-w- c:\program files\simpdata.h
2000-06-13 15:52 . 2000-06-13 15:52 1432 ----a-w- c:\program files\msdaora.h
2000-06-13 15:51 . 2000-06-13 15:51 31366 ----a-w- c:\program files\oledb.lib
2000-06-13 15:51 . 2000-06-13 15:51 2112 ----a-w- c:\program files\msdasc.lib
2000-06-13 15:51 . 2000-06-13 15:51 2492 ----a-w- c:\program files\msdatsrc.tlb
2000-06-13 15:51 . 2000-06-13 15:51 80300 ----a-w- c:\program files\oledbdep.h
2000-06-13 15:51 . 2000-06-13 15:51 592505 ----a-w- c:\program files\oledb.h
2000-06-13 15:51 . 2000-06-13 15:51 36515 ----a-w- c:\program files\oledberr.h
2000-06-13 15:51 . 2000-06-13 15:51 31675 ----a-w- c:\program files\cmdtree.h
2000-06-13 15:51 . 2000-06-13 15:51 31424 ----a-w- c:\program files\msdasc.h
2000-06-13 15:51 . 2000-06-13 15:51 17975 ----a-w- c:\program files\msdasql.h
2000-06-13 15:51 . 2000-06-13 15:51 1451 ----a-w- c:\program files\msdaguid.h
2000-06-13 15:51 . 2000-06-13 15:51 13176 ----a-w- c:\program files\msdadc.h
2000-06-13 15:51 . 2000-06-13 15:51 12676 ----a-w- c:\program files\msdatsrc.h
2000-06-13 15:47 . 2000-06-13 15:47 75418 ----a-w- c:\program files\odbccp32.lib
2000-06-13 15:47 . 2000-06-13 15:47 146332 ----a-w- c:\program files\odbc32.lib
2000-06-13 15:47 . 2000-06-13 15:47 80246 ----a-w- c:\program files\sqlext.h
2000-06-13 15:47 . 2000-06-13 15:47 6947 ----a-w- c:\program files\sqltypes.h
2000-06-13 15:47 . 2000-06-13 15:47 30383 ----a-w- c:\program files\sql.h
2000-06-13 15:47 . 2000-06-13 15:47 22825 ----a-w- c:\program files\sqlucode.h
2000-06-13 15:47 . 2000-06-13 15:47 15315 ----a-w- c:\program files\odbcinst.h
2000-06-13 15:45 . 2000-06-13 15:45 3066 ----a-w- c:\program files\jetoledb.idl
2000-06-13 15:45 . 2000-06-13 15:45 19199 ----a-w- c:\program files\jetoledb.h
2000-06-13 15:45 . 2000-06-13 15:45 1350 ----a-w- c:\program files\jetoledb.lib
2000-06-13 15:45 . 2000-06-13 15:45 11461 ----a-w- c:\program files\msjetodb.h
2000-06-13 15:33 . 2000-06-13 15:33 2482 ----a-w- c:\program files\mswless.dep
2000-06-13 15:31 . 2000-06-13 15:31 8521 ----a-w- c:\program files\adojet.idl
2000-06-13 15:31 . 2000-06-13 15:31 51135 ----a-w- c:\program files\msado15.idl
2000-06-13 15:31 . 2000-06-13 15:31 46620 ----a-w- c:\program files\adojet.h
2000-06-13 15:31 . 2000-06-13 15:31 4458 ----a-w- c:\program files\icrsint.h
2000-06-13 15:31 . 2000-06-13 15:31 384395 ----a-w- c:\program files\msado15.h
2000-06-13 15:31 . 2000-06-13 15:31 384395 ----a-w- c:\program files\adoint.h
2009-06-24 13:26 . 2009-07-02 22:16 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2008-03-24 21:19 . 2006-12-30 00:30 88 --sh--r- c:\windows\system32\756A3564C3.sys
2008-03-24 21:19 . 2006-12-30 00:30 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\$NtServicePackUninstall$\tcpip.sys
[-] 2008-04-13 19:20 361344 ACCF5A9A1FFAA490F33DBA1C632B95E1 c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2008-06-20 11:51 361600 9425B72F40257B45D45D24773273DAD0 c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 11:51 361600 9425B72F40257B45D45D24773273DAD0 c:\windows\system32\drivers\tcpip.sys

[-] 2004-08-10 10:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 00:12 512000 8A329309BA8429E7023E0DAB4D188CF7 c:\windows\system32\winlogon.exe
[7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\system32\dllcache\winlogon.exe
[7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\system32\dllcache\cache\winlogon.exe
.
((((((((((((((((((((((((((((( SnapShot_2009-07-05_14.39.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-08-16 09:18 . 2008-04-14 00:12 14336 c:\windows\system32\svchost.exe
+ 2005-08-16 09:18 . 2008-04-14 00:12 57856 c:\windows\system32\spoolsv.exe
+ 2007-05-19 00:49 . 2009-07-15 20:38 89102 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2005-08-16 09:18 . 2008-04-14 00:12 13312 c:\windows\system32\lsass.exe
+ 2009-07-05 20:35 . 2007-03-08 20:18 18432 c:\windows\system32\DRVSTORE\grmnusb_09F3E629557EBE4D2BA1A9469BDAE635AC0807AE\I386\grmngen.sys
+ 2005-08-16 09:18 . 2008-04-14 00:12 14336 c:\windows\system32\dllcache\svchost.exe
+ 2005-08-16 09:18 . 2008-04-14 00:12 57856 c:\windows\system32\dllcache\spoolsv.exe
+ 2005-08-16 09:18 . 2008-04-14 00:12 13312 c:\windows\system32\dllcache\lsass.exe
+ 2009-07-10 04:12 . 2009-07-16 02:00 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-12-29 18:33 . 2009-07-05 10:31 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-12-29 18:33 . 2009-07-16 02:00 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-12-29 18:33 . 2009-07-16 02:00 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-12-29 18:33 . 2009-07-05 10:31 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-07-05 20:35 . 2007-03-08 20:18 8320 c:\windows\system32\DRVSTORE\grmnusb_09F3E629557EBE4D2BA1A9469BDAE635AC0807AE\I386\grmnusb.sys
+ 2005-08-16 09:18 . 2009-02-06 11:11 110592 c:\windows\system32\services.exe
+ 2009-02-03 02:07 . 2009-02-03 02:07 240544 c:\windows\system32\Macromed\Flash\FlashUtil10b.exe
+ 2005-08-16 09:18 . 2009-02-06 11:11 110592 c:\windows\system32\dllcache\services.exe
+ 2009-07-05 20:35 . 2009-07-05 20:35 637952 c:\windows\Installer\14d5c0f.msi
+ 2007-06-30 01:57 . 2009-07-10 18:03 2789028 c:\windows\system32\Restore\rstrlog.dat
+ 2005-08-16 09:18 . 2008-04-14 00:12 1033728 c:\windows\system32\dllcache\explorer.exe
+ 2009-05-12 17:01 . 2009-05-12 17:01 6818816 c:\windows\Installer\28ae1.msp
+ 2009-07-05 20:35 . 2009-07-05 20:35 1091584 c:\windows\Installer\14d5c0a.msi
+ 2005-08-16 09:18 . 2008-04-14 00:12 1033728 c:\windows\explorer.exe
+ 2009-02-02 22:07 . 2009-02-02 22:07 1914440 c:\windows\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
BDARemote.lnk - c:\program files\USB TV\EM28XX\BDARemote.exe [2009-6-25 81997]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"XHZZicfwj"= {E8CE9841-4264-32EB-55BF-6752BDFD4EF2} - c:\windows\system32\ejqtsv.dll [2009-03-21 32768]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\beep.sys]
@="beep"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.5.6320-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Black Isle\\BGII - SoA\\BGMain.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/23/2009 6:00 PM 24652]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [7/20/2007 6:40 PM 93696]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 0206301247457966mcinstcleanup;McAfee Application Installer Cleanup (0206301247457966);c:\docume~1\PAULJA~1\LOCALS~1\Temp\020630~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\PAULJA~1\LOCALS~1\Temp\020630~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [8/29/2006 12:54 AM 10664]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-HostManager - c:\program files\Common Files\AOL\1213561508\ee\AOLSoftware.exe
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\SUPERAntiSpyware\SASSEH.DLL
Notify-!SASWinLogon - c:\program files\SUPERAntiSpyware\SASWINLO.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\docume~1\PAULJA~1\APPLIC~1\Mozilla\Firefox\Profiles\gjw7b1wl.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-15 22:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1847528650-894552839-4089639203-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5CCCE6BC-0C86-6AB1-2C28-6C0E41335DF7}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"eaonjdjldh"=hex:66,61,6d,70,69,68,66,70,6d,69,64,6b,00,fc
"dajnkdke"=hex:64,62,65,70,63,68,64,6f,62,6e,67,70,64,70,6a,70,61,63,61,6d,63,
69,6b,6f,6c,66,61,6f,61,63,62,6c,69,65,6f,64,66,6f,61,63,00,00
"iagpmohajkinbgpion"=hex:6a,61,68,65,6a,64,65,63,66,6b,63,6d,6c,67,65,70,62,65,
65,6a,00,97
"haepcnochflkoopj"=hex:6a,61,68,65,6a,64,65,63,66,6b,63,6d,6c,67,65,70,62,65,
65,6a,00,1c

[HKEY_USERS\S-1-5-21-1847528650-894552839-4089639203-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6D29E5F7-1322-31FF-E9CD-12BE5B4F8016}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iaodpfehacfnobbdkd"=hex:6a,61,6b,69,70,61,62,6d,65,65,6f,61,70,66,64,69,66,62,
64,63,00,00
"haidkpglakjancfe"=hex:6a,61,6b,69,70,61,62,6d,65,65,6f,61,70,66,64,69,66,62,
64,63,00,12

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(516)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\wscntfy.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\SoftwareDistribution\Download\a8f719597d97278e8d5205d44676da41\update\update.exe
c:\program files\McAfee\VirusScan\Mcshield.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\program files\McAfee\MPF\MpfSrv.exe
.
**************************************************************************
.
Completion time: 2009-07-16 22:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-16 02:37
ComboFix2.txt 2009-07-08 01:08
ComboFix3.txt 2009-07-07 00:31
ComboFix4.txt 2009-07-05 14:40
ComboFix5.txt 2009-07-10 03:16

Pre-Run: 105,558,282,240 bytes free
Post-Run: 105,613,283,328 bytes free

468 --- E O F --- 2009-07-16 02:35
Attached Files
File Type: txt log715.txt (35.2 KB, 5 views)

Last edited by Ried; 07-16-2009 at 05:09 AM.
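The Sigcheck section of the log above lists every copy of tcpip.sys and winlogon.exe with its size and MD5; a helper reading it compares the live copy in system32 against the reference copies Windows keeps. The following is an added example, not code from the thread or from ComboFix, that parses those lines and reports whether each live file matches its dllcache copy; the sample lines are copied from the log above, and the list of reference directories is an assumption drawn from the paths that appear in it.

```python
"""Parse the 'Sigcheck' section of a ComboFix log and compare each live system
file against the reference copies Windows XP keeps. Added example; not code
from the forum thread or from ComboFix."""
import re
from collections import defaultdict, namedtuple

SigEntry = namedtuple("SigEntry", "marker date time size md5 path")

# One Sigcheck line: [marker] date time size md5 path.
# The bracket marker is kept verbatim and not interpreted here.
LINE_RE = re.compile(
    r"^\[(?P<marker>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})"
    r"\s+(?P<size>\d+)\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<path>\S.*?)\s*$"
)

# Assumption: directories holding reference copies rather than the live file,
# taken from the paths that appear in the posted log.
BACKUP_DIRS = ("\\dllcache\\", "\\servicepackfiles\\",
               "\\$hf_mig$\\", "\\$ntservicepackuninstall$\\")

# Constructed sample input: Sigcheck lines copied from the log in the thread.
SAMPLE_SIGCHECK = r"""
[-] 2008-06-20 11:51 361600 9425B72F40257B45D45D24773273DAD0 c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 11:51 361600 9425B72F40257B45D45D24773273DAD0 c:\windows\system32\drivers\tcpip.sys
[-] 2004-08-10 10:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 00:12 512000 8A329309BA8429E7023E0DAB4D188CF7 c:\windows\system32\winlogon.exe
[7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\system32\dllcache\winlogon.exe
"""


def parse_sigcheck(text):
    """Turn Sigcheck lines into SigEntry records; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            entries.append(SigEntry(d["marker"], d["date"], d["time"],
                                    int(d["size"]), d["md5"].upper(), d["path"]))
    return entries


def is_backup(path):
    """True when the path sits in one of the reference-copy directories."""
    p = path.lower()
    return any(b in p for b in BACKUP_DIRS)


def compare_live_copies(entries):
    """Return {file name: (status, live entry or None, dllcache entry or None)}.

    status is 'ok' when size and MD5 of the live copy equal the dllcache copy,
    'mismatch' when they differ, or a note when one of the two is absent."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e.path.rsplit("\\", 1)[-1].lower()].append(e)
    report = {}
    for name, group in by_name.items():
        live = [e for e in group if not is_backup(e.path)]
        cache = [e for e in group if "\\dllcache\\" in e.path.lower()]
        if not live:
            report[name] = ("no-live-copy", None, cache[0] if cache else None)
            continue
        if not cache:
            report[name] = ("no-dllcache-copy", live[0], None)
            continue
        ref = cache[0]
        bad = [e for e in live if (e.md5, e.size) != (ref.md5, ref.size)]
        report[name] = ("mismatch" if bad else "ok", bad[0] if bad else live[0], ref)
    return report


if __name__ == "__main__":
    for name, (status, live, ref) in compare_live_copies(parse_sigcheck(SAMPLE_SIGCHECK)).items():
        print(f"{name}: {status}")
        if status == "mismatch":
            print(f"  live     {live.size:>7} {live.md5} {live.path}")
            print(f"  dllcache {ref.size:>7} {ref.md5} {ref.path}")
```

A mismatch only says the live file is not byte-identical to the cached copy; deciding why (an unrecorded update, or tampering) is the analyst's job.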
Old 07-17-2009, 04:03 PM   #39 (permalink)
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,948
OS: Windows 7 Ultimate


Re: Need assistance removing NTOSKRNL-HOOK

Hi rpaulie,

Infections are still coming into your system. Can you please try and keep this computer off the internet as much as possible while we try to clean your machine, or we'll be chasing our tails.

--------------------------------------------------------------

P2P Software

I see you have P2P software (Azureus) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

--------------------------------------------------------------

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
KILLALL::

Rootkit::
C:\windows\system32\UACxpilmabdxurxofpq.dll
File::
c:\windows\system32\ejqtsv.dll
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"XHZZicfwj"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\beep.sys]
DirLook::
c:\docume~1\ALLUSE~1\Applic~1\93535306
c:\docume~1\ALLUSE~1\Applic~1\13525314
C:\RECYCLER(2)
RegNull::
[HKEY_USERS\S-1-5-21-1847528650-894552839-4089639203-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5CCCE6BC-0C86-6AB1-2C28-6C0E41335DF7}*]
[HKEY_USERS\S-1-5-21-1847528650-894552839-4089639203-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6D29E5F7-1322-31FF-E9CD-12BE5B4F8016}*]
RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
Save this as CFScript

Referring to the picture above, drag CFScript into Combo-Fix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Warning:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

--------------------------------------------------------------

Please reply back with the results from C:\ComboFix.txt
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum

Last edited by forhockey; 07-17-2009 at 04:12 PM.
Old 07-17-2009, 09:16 PM   #40 (permalink)
Registered User
Join Date: Jul 2009
Posts: 28
OS: Windows XP


Re: Need assistance removing NTOSKRNL-HOOK

Hello forhockey,

I appreciate the help and effort.

Attached is the report. I had McAfee enabled, but before ComboFix ran, I disabled it. It kept prompting me to disable McAfee even after I disabled it, but I was able to generate a log with no issues.
Copyright 2001 - 2009, Tech Support Forum