ComboFix 10-04-30.03 - Owner 04/30/2010 22:43:20.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.123 [GMT -5:00]
Running from: e:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: e:\documents and settings\Owner\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active
FILE ::
"c:\documents and settings\Angel\My Documents\Downloads\ZwinkySetup2.3.50.45.ZJman000.exe"
"c:\downloads\TheGameOfLifeSetup-dm[1].exe"
"c:\program files\MSN Messenger\msimg32.dll"
"c:\program files\MSN Messenger\riched20.dll"
"c:\windows\system32\f3PSSavr.scr"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Angel\My Documents\Downloads\ZwinkySetup2.3.50.45.ZJman000.exe
c:\downloads\TheGameOfLifeSetup-dm[1].exe
c:\program files\AskSBar
c:\program files\AskSBar\bar\1.bin\A2FFXTBR.JAR
c:\program files\AskSBar\bar\1.bin\A2FFXTBR.MANIFEST
c:\program files\AskSBar\bar\1.bin\A2HIGHIN.EXE
c:\program files\AskSBar\bar\1.bin\A2NTSTBR.JAR
c:\program files\AskSBar\bar\1.bin\A2NTSTBR.MANIFEST
c:\program files\AskSBar\bar\1.bin\A2PLUGIN.DLL
c:\program files\AskSBar\bar\1.bin\NPASKSBR.DLL
c:\program files\AskSBar\bar\Cache\0009B569
c:\program files\AskSBar\bar\Cache\0009C6FD
c:\program files\AskSBar\bar\Cache\0009CA1A.bin
c:\program files\AskSBar\bar\Cache\0009CEBE.bin
c:\program files\AskSBar\bar\Cache\0009D620.bin
c:\program files\AskSBar\bar\Cache\0009D778.bin
c:\program files\AskSBar\bar\Cache\0009D891.bin
c:\program files\AskSBar\bar\Cache\0009D97C.bin
c:\program files\AskSBar\bar\Cache\files.ini
c:\program files\AskSBar\bar\History\search2
c:\program files\AskSBar\bar\Settings\prevcfg2.htm
c:\program files\MSN Messenger\msimg32.dll
c:\program files\MSN Messenger\riched20.dll
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\2.bin\F3BKGERR.JPG
c:\program files\MyWebSearch\bar\2.bin\F3CJPEG.DLL
c:\program files\MyWebSearch\bar\2.bin\F3DTACTL.DLL
c:\program files\MyWebSearch\bar\2.bin\F3HISTSW.DLL
c:\program files\MyWebSearch\bar\2.bin\F3HKSTUB.DLL
c:\program files\MyWebSearch\bar\2.bin\F3HTMLMU.DLL
c:\program files\MyWebSearch\bar\2.bin\F3HTTPCT.DLL
c:\program files\MyWebSearch\bar\2.bin\F3POPSWT.DLL
c:\program files\MyWebSearch\bar\2.bin\F3PSSAVR.SCR
c:\program files\MyWebSearch\bar\2.bin\F3REGHK.DLL
c:\program files\MyWebSearch\bar\2.bin\F3REPROX.DLL
c:\program files\MyWebSearch\bar\2.bin\F3RESTUB.DLL
c:\program files\MyWebSearch\bar\2.bin\F3SCHMON.EXE
c:\program files\MyWebSearch\bar\2.bin\F3SCRCTR.DLL
c:\program files\MyWebSearch\bar\2.bin\F3SPACER.WMV
c:\program files\MyWebSearch\bar\2.bin\F3WALLPP.DAT
c:\program files\MyWebSearch\bar\2.bin\F3WPHOOK.DLL
c:\program files\MyWebSearch\bar\2.bin\FWPBUDDY.PNG
c:\program files\MyWebSearch\bar\2.bin\M3FFXTBR.JAR
c:\program files\MyWebSearch\bar\2.bin\M3FFXTBR.MANIFEST
c:\program files\MyWebSearch\bar\2.bin\M3HIGHIN.EXE
c:\program files\MyWebSearch\bar\2.bin\M3HTML.DLL
c:\program files\MyWebSearch\bar\2.bin\M3IDLE.DLL
c:\program files\MyWebSearch\bar\2.bin\M3IMPIPE.EXE
c:\program files\MyWebSearch\bar\2.bin\M3MEDINT.EXE
c:\program files\MyWebSearch\bar\2.bin\M3MSG.DLL
c:\program files\MyWebSearch\bar\2.bin\M3NTSTBR.JAR
c:\program files\MyWebSearch\bar\2.bin\M3NTSTBR.MANIFEST
c:\program files\MyWebSearch\bar\2.bin\M3OUTLCN.DLL
c:\program files\MyWebSearch\bar\2.bin\M3PLUGIN.DLL
c:\program files\MyWebSearch\bar\2.bin\M3SKIN.DLL
c:\program files\MyWebSearch\bar\2.bin\M3SKPLAY.EXE
c:\program files\MyWebSearch\bar\2.bin\M3SLSRCH.EXE
c:\program files\MyWebSearch\bar\2.bin\M3SRCHMN.EXE
c:\program files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
c:\program files\MyWebSearch\bar\2.bin\MWSOEPLG.DLL
c:\program files\MyWebSearch\bar\2.bin\MWSOESTB.DLL
c:\program files\MyWebSearch\bar\2.bin\MWSSVC.EXE
c:\program files\MyWebSearch\bar\2.bin\NPMYWEBS.DLL
c:\program files\MyWebSearch\bar\Avatar\COMMON.F3S
c:\program files\MyWebSearch\bar\Avatar\COMMON\avatar.htm
c:\program files\MyWebSearch\bar\Avatar\COMMON\bgfadel.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\bgfader.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\common-x.css
c:\program files\MyWebSearch\bar\Avatar\COMMON\common.css
c:\program files\MyWebSearch\bar\Avatar\COMMON\cornerbl.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\cornerbr.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\ext_def.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\ext_roll.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\include.js
c:\program files\MyWebSearch\bar\Avatar\COMMON\index.htm
c:\program files\MyWebSearch\bar\Avatar\COMMON\loader.htm
c:\program files\MyWebSearch\bar\Avatar\COMMON\loading.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\logo.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\max_def.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\max_roll.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\min_def.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\min_roll.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\noflash.htm
c:\program files\MyWebSearch\bar\Avatar\COMMON\res_def.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\res_roll.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\spacer.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\spacer.swf
c:\program files\MyWebSearch\bar\Avatar\COMMON\topgrad.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\window.ico
c:\program files\MyWebSearch\bar\Cache\0045B49A.bin
c:\program files\MyWebSearch\bar\Cache\0045B892.bin
c:\program files\MyWebSearch\bar\Cache\0045BA96.bin
c:\program files\MyWebSearch\bar\Cache\0045BCC8.bin
c:\program files\MyWebSearch\bar\Cache\008D92EB
c:\program files\MyWebSearch\bar\Cache\008DAEA1
c:\program files\MyWebSearch\bar\Cache\008DB8E2.bin
c:\program files\MyWebSearch\bar\Cache\008DCB51.bin
c:\program files\MyWebSearch\bar\Cache\008E2BA1.bin
c:\program files\MyWebSearch\bar\Cache\008E776F.bin
c:\program files\MyWebSearch\bar\Cache\008E7BE4.bin
c:\program files\MyWebSearch\bar\Cache\files.ini
c:\program files\MyWebSearch\bar\Game\CHECKERS.F3S
c:\program files\MyWebSearch\bar\Game\CHESS.F3S
c:\program files\MyWebSearch\bar\Game\REVERSI.F3S
c:\program files\MyWebSearch\bar\History\search3
c:\program files\MyWebSearch\bar\icons\CM.ICO
c:\program files\MyWebSearch\bar\icons\MFC.ICO
c:\program files\MyWebSearch\bar\icons\PSS.ICO
c:\program files\MyWebSearch\bar\icons\SMILEY.ICO
c:\program files\MyWebSearch\bar\icons\WB.ICO
c:\program files\MyWebSearch\bar\icons\ZWINKY.ICO
c:\program files\MyWebSearch\bar\Message\COMMON.F3S
c:\program files\MyWebSearch\bar\Message\COMMON\ask_logo.gif
c:\program files\MyWebSearch\bar\Message\COMMON\autoup.gif
c:\program files\MyWebSearch\bar\Message\COMMON\autoup.htm
c:\program files\MyWebSearch\bar\Message\COMMON\center.htm
c:\program files\MyWebSearch\bar\Message\COMMON\index.htm
c:\program files\MyWebSearch\bar\Message\COMMON\mid_dots.gif
c:\program files\MyWebSearch\bar\Message\COMMON\mws_logo.gif
c:\program files\MyWebSearch\bar\Message\COMMON\protect.htm
c:\program files\MyWebSearch\bar\Message\COMMON\shocked.gif
c:\program files\MyWebSearch\bar\Message\COMMON\stop.gif
c:\program files\MyWebSearch\bar\Message\COMMON\systray.htm
c:\program files\MyWebSearch\bar\Message\COMMON\systrayp.htm
c:\program files\MyWebSearch\bar\Message\COMMON\tp_grad.gif
c:\program files\MyWebSearch\bar\Message\COMMON\warn.gif
c:\program files\MyWebSearch\bar\Notifier\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\DOG.F3S
c:\program files\MyWebSearch\bar\Notifier\FISH.F3S
c:\program files\MyWebSearch\bar\Notifier\KUNGFU.F3S
c:\program files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
c:\program files\MyWebSearch\bar\Notifier\MAID.F3S
c:\program files\MyWebSearch\bar\Notifier\MAILBOX.F3S
c:\program files\MyWebSearch\bar\Notifier\OPERA.F3S
c:\program files\MyWebSearch\bar\Notifier\ROBOT.F3S
c:\program files\MyWebSearch\bar\Notifier\SEDUCT.F3S
c:\program files\MyWebSearch\bar\Notifier\SURFER.F3S
c:\program files\MyWebSearch\bar\Settings\prevcfg2.htm
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\NoAdware4
c:\program files\NoAdware4\noadware4_122205.na
c:\program files\NoAdware4\noadwareutils.dll
c:\program files\OneStepSrch
c:\program files\OneStepSrch\home.js
c:\program files\OneStepSrch\osopt.exe
c:\program files\OneStepSrch\readme.html
c:\program files\OneStepSrch\uninstall.exe
c:\windows\system32\f3PSSavr.scr
e:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
e:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
e:\program files\WindowsUpdate
----- BITS: Possible infected sites -----
hxxp://download.yimg.com.
((((((((((((((((((((((((( Files Created from 2010-04-01 to 2010-05-01 )))))))))))))))))))))))))))))))
.
2010-04-28 23:38 . 2010-04-28 23:38 -------- d-----w- e:\program files\ESET
2010-04-25 16:35 . 2010-04-25 16:35 -------- d-----w- e:\documents and settings\Owner\Application Data\Malwarebytes
2010-04-25 14:57 . 2010-04-25 14:57 503808 ----a-w- e:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-50605279-n\msvcp71.dll
2010-04-25 14:57 . 2010-04-25 14:57 499712 ----a-w- e:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-50605279-n\jmc.dll
2010-04-25 14:57 . 2010-04-25 14:57 348160 ----a-w- e:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-50605279-n\msvcr71.dll
2010-04-25 14:57 . 2010-04-25 14:57 61440 ----a-w- e:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-15802882-n\decora-sse.dll
2010-04-25 14:57 . 2010-04-25 14:57 12800 ----a-w- e:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-15802882-n\decora-d3d.dll
2010-04-25 14:57 . 2010-04-12 22:29 411368 ----a-w- e:\windows\system32\deployJava1.dll
2010-04-25 14:56 . 2010-04-25 14:56 79488 ----a-w- e:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_20\gtapi.dll
2010-04-25 14:53 . 2010-04-25 14:53 -------- d-----w- e:\program files\Common Files\Java
2010-04-16 21:48 . 2010-04-16 21:48 -------- d-----w- E:\found.002
2010-04-07 03:50 . 2010-04-07 03:50 3693160 ----a-w- e:\documents and settings\All Users\Application Data\Yahoo!\yau\{EBE50007-C164-4F0B-BD0B-681F16023F02}\ytb_8.1.4.26_2.1.3_ysp_2.0.1.13_mail_bts_pub_us_setup_.exe
2010-04-05 23:25 . 2010-04-05 23:25 -------- d--h--w- e:\windows\PIF
2010-04-05 01:50 . 2010-04-05 01:50 -------- d-sh--w- e:\documents and settings\GISET\IECompatCache
2010-04-04 05:46 . 2010-04-04 05:46 52224 ----a-w- e:\documents and settings\GISET\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-04 05:46 . 2010-04-04 05:46 117760 ----a-w- e:\documents and settings\GISET\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-04 05:45 . 2010-04-04 05:45 -------- d-----w- e:\documents and settings\GISET\Application Data\SUPERAntiSpyware.com
2010-04-04 02:23 . 2010-04-04 02:23 52224 ----a-w- e:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-04 02:23 . 2010-04-04 02:23 117760 ----a-w- e:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-04 02:23 . 2010-04-04 02:23 -------- d-----w- e:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-04 02:23 . 2010-04-04 02:23 -------- d-----w- e:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-04-04 02:01 . 2010-03-30 05:46 38224 ----a-w- e:\windows\system32\drivers\mbamswissarmy.sys
2010-04-04 02:00 . 2010-04-04 02:00 -------- d-----w- e:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-04 02:00 . 2010-03-30 05:45 20824 ----a-w- e:\windows\system32\drivers\mbam.sys
2010-04-04 02:00 . 2010-04-25 16:35 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware
2010-04-04 00:52 . 2010-04-04 00:52 -------- d-sh--w- e:\documents and settings\Administrator\IETldCache
2010-04-04 00:01 . 2010-04-04 00:01 -------- d-----w- e:\documents and settings\GISET\Local Settings\Application Data\Yahoo
2010-04-03 23:54 . 2010-04-03 23:54 -------- d-sh--w- e:\documents and settings\NetworkService\IETldCache
2010-04-03 23:52 . 2010-04-03 23:54 -------- d--h--w- e:\documents and settings\GISET\Application Data\yahoo!
2010-04-02 20:28 . 2010-04-02 22:29 -------- d-----w- e:\documents and settings\Owner\Local Settings\Application Data\Yahoo
2010-04-02 20:26 . 2010-04-02 20:26 262144 ----a-w- E:\ntuser.dat
2010-04-02 20:25 . 2010-04-25 20:27 -------- d-----w- e:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-04-02 20:25 . 2010-04-02 20:28 -------- d-----w- e:\documents and settings\Owner\Application Data\Yahoo!
2010-04-02 20:23 . 2010-04-02 20:25 -------- d-----w- e:\documents and settings\All Users\Application Data\Yahoo!
2010-04-02 20:23 . 2009-12-14 22:52 607472 ----a-w- e:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2010-04-02 20:20 . 2010-04-02 20:26 -------- d-----w- e:\program files\Yahoo!
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-01 03:21 . 2009-08-22 14:37 256 ----a-w- e:\windows\system32\pool.bin
2010-04-25 20:27 . 2009-08-07 20:41 -------- d-----w- e:\documents and settings\All Users\Application Data\DVD Shrink
2010-04-25 14:57 . 2009-08-07 21:27 -------- d-----w- e:\program files\Java
2010-04-25 14:53 . 2009-08-16 18:36 -------- d-----w- e:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-22 02:31 . 2010-03-24 00:47 -------- d-----w- e:\documents and settings\GISET\Application Data\FrostWire
2010-04-22 00:53 . 2009-08-07 21:26 -------- d-----w- e:\program files\FrostWire
2010-04-04 00:12 . 2004-08-04 12:00 96512 ----a-w- e:\windows\system32\drivers\atapi.sys
2010-04-02 23:31 . 2009-08-07 18:46 -------- d-----w- e:\program files\McAfee
2010-04-01 05:50 . 2009-08-09 02:59 -------- d-----w- e:\documents and settings\Owner\Application Data\FrostWire
2010-03-24 18:17 . 2010-03-24 08:04 952768 ----a-w- e:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\10166\AdobeARM.exe
2010-03-24 18:17 . 2010-03-24 08:04 70584 ----a-w- e:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\10166\AdobeExtractFiles.dll
2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- e:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\10166\ReaderUpdater.exe
2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- e:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\10166\AcrobatUpdater.exe
2010-03-24 01:02 . 2010-03-24 01:02 0 ----a-w- e:\documents and settings\GISET\Application Data\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2010-03-23 03:26 . 2010-03-23 03:26 85088 ----a-w- e:\documents and settings\GISET\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-22 03:11 . 2010-03-22 03:11 -------- d-----w- e:\program files\TenchisTV
2010-03-22 03:11 . 2010-03-22 03:11 -------- d-----w- e:\program files\Conduit
2010-03-17 04:11 . 2009-07-31 23:25 85088 ----a-w- e:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-16 16:35 . 2010-03-20 02:20 52224 ----a-w- e:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\md9clpzm.default\extensions\{ece24dcf-8548-4655-b392-47a388721482}\components\FFExternalAlert.dll
2010-03-16 16:35 . 2010-03-20 02:20 101376 ----a-w- e:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\md9clpzm.default\extensions\{ece24dcf-8548-4655-b392-47a388721482}\components\RadioWMPCore.dll
2010-03-10 06:15 . 2004-08-04 12:00 420352 ------w- e:\windows\system32\vbscript.dll
2010-03-05 03:10 . 2010-03-05 03:09 -------- d-----w- e:\program files\Veetle
2010-03-05 03:05 . 2010-03-05 03:02 -------- d-----w- e:\documents and settings\GISET\Application Data\Move Networks
2010-03-05 03:03 . 2010-03-05 03:02 198650 ----a-w- e:\documents and settings\GISET\Application Data\Move Networks\MoveMediaPlayerWin_071802000001.exe
2010-02-25 06:24 . 2004-08-04 12:00 916480 ----a-w- e:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-04 12:00 455680 ----a-w- e:\windows\system32\drivers\mrxsmb.sys
2010-02-17 14:10 . 2004-08-04 12:00 2189952 ----a-w- e:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2066816 ----a-w- e:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-04 12:00 100864 ----a-w- e:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 12:00 226880 ----a-w- e:\windows\system32\drivers\tcpip6.sys
2004-03-11 20:27 . 2009-08-07 19:21 40960 ----a-w- e:\program files\Uninstall_CDS.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ece24dcf-8548-4655-b392-47a388721482}"= "e:\program files\TenchisTV\tbTenc.dll" [2010-03-09 2355224]
[HKEY_CLASSES_ROOT\clsid\{ece24dcf-8548-4655-b392-47a388721482}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ece24dcf-8548-4655-b392-47a388721482}"= "e:\program files\TenchisTV\tbTenc.dll" [2010-03-09 2355224]
[HKEY_CLASSES_ROOT\clsid\{ece24dcf-8548-4655-b392-47a388721482}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="e:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-03-19 5248312]
"Search Protection"="e:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="e:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"mcagent_exe"="e:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="e:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"RemoteControl"="e:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-09 32768]
"InCD"="e:\program files\Ahead\InCD\InCD.exe" [2004-04-06 1298542]
"NeroFilterCheck"="e:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"igfxtray"="e:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="e:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="e:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"FastTVSync"="e:\program files\Common Files\InterVideo\FastTVSync\FastTVSync.exe" [2004-03-11 245760]
"GrooveMonitor"="e:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"RoxWatchTray"="e:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"Adobe ARM"="e:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"lxczbmgr.exe"="e:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2007-02-08 74672]
"FaxCenterServer"="e:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-02-08 295856]
"snpstd3"="e:\windows\vsnpstd3.exe" [2006-09-19 827392]
"YSearchProtection"="e:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"SunJavaUpdateSched"="e:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
e:\documents and settings\GISET\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - e:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
e:\documents and settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - e:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2007-11-12 1447184]
InterVideo Scheduler server.lnk - e:\program files\InterVideo\DVD5R\SchSvr.exe [2009-8-8 147456]
InterVideo WinCinema Manager.lnk - e:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2009-8-8 184320]
Picture Package Menu.lnk - e:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2009-8-8 151552]
Picture Package VCD Maker.lnk - e:\program files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2009-8-8 106496]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Program Files\\FrostWire\\FrostWire.exe"=
"e:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"e:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"e:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"e:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"e:\\WINDOWS\\system32\\lxczcoms.exe"=
"e:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;e:\program files\McAfee\SiteAdvisor\McSACore.exe [8/7/2009 1:49 PM 93320]
S1 SASDIFSV;SASDIFSV;\??\g:\sasdifsv.sys --> g:\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\g:\saskutil.sys --> g:\SASKUTIL.SYS [?]
S3 SASENUM;SASENUM;\??\g:\sasenum.sys --> g:\SASENUM.SYS [?]
.
Contents of the 'Scheduled Tasks' folder
2009-10-16 e:\windows\Tasks\McDefragTask.job
- e:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-07 17:22]
2009-10-01 e:\windows\Tasks\McQcTask.job
- e:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-07 17:22]
.
.
------- Supplementary Scan -------
.
uStart Page =
hxxp://www.yahoo.com
mStart Page =
hxxp://www.yahoo.com
uSearchURL,(Default) =
hxxp://toolbar.ask.com/toolbarv/askRedi ... t=&gc=1&q=%s
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - e:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\md9clpzm.default\
FF - prefs.js: browser.search.defaulturl -
hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage -
hxxp://www.yahoo.com
FF - component: e:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\md9clpzm.default\extensions\{ece24dcf-8548-4655-b392-47a388721482}\components\FFExternalAlert.dll
FF - component: e:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\md9clpzm.default\extensions\{ece24dcf-8548-4655-b392-47a388721482}\components\RadioWMPCore.dll
FF - component: e:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: e:\documents and settings\Owner\Application Data\Facebook\npfbplugin_1_0_0.dll
FF - plugin: e:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: e:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: e:\program files\Veetle\Player\npvlc.dll
FF - plugin: e:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: e:\program files\Veetle\VLCBroadcast\npvbp.dll
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
e:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
e:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
e:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-04-30 23:02
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(660)
e:\windows\system32\igfxdev.dll
.
Completion time: 2010-04-30 23:07:42
ComboFix-quarantined-files.txt 2010-05-01 04:07
ComboFix2.txt 2010-04-24 17:04
Pre-Run: 51,192,225,792 bytes free
Post-Run: 51,289,305,088 bytes free
- - End Of File - - 6C8C58E836DF2874E8E47429D04C882B