Problem removing a rootkit

Post by alfie » April 12th, 2009, 10:24 am

Hi
I am infected with a rootkit that I am not able to remove. McAfee's quick scan detects and removes the trojan and then quarantines the dll file, which I then remove, only to find it returns. I cannot run a full scan as it locks up every time. Malwarebytes will not run. Panda rootkit runs but does not find any bad files. I have viewed the forum and find that I am not alone. I would appreciate some help from you guys as I am stuck!!!
I have enclosed the file from HijackThis.
Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:18:47, on 12/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Napster\napster.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\documents and settings\home\local settings\application data\eawwi.exe
C:\Program Files\Java\jre1.6.0_04\bin\jucheck.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer Provided by Wanadoo
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: UrlHelper Class - {74322BF9-DF26-493f-B0DA-6D2FC5E6429E} - C:\Program Files\BearShare Applications\BearShare MediaBar\BearShareIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\WINDOWS\system32\WSBar.dll
O3 - Toolbar: (no name) - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - (no file)
O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare Applications\BearShare MediaBar\BearShareMediaBar.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Bar] C:\WINDOWS\TEMP\7rUfGeSw.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [eawwi] "c:\documents and settings\home\local settings\application data\eawwi.exe" eawwi
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Search with Wanadoo - res://C:\WINDOWS\system32\WSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Casino-on-Net - {3015DB92-158E-4b77-9020-85C8E311FBB5} - C:\PROGRA~1\CASINO~1\Casino.exe
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://mvt.mcafee.com/mvt/bin/2,4,1,0/mvt.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2B791E6-E135-46B4-B4B9-21DFC75773DD}: NameServer = 195.92.195.91 195.92.195.90
O17 - HKLM\System\CCS\Services\Tcpip\..\{D65371DD-0118-40E1-BBF7-7FDADF553A8F}: NameServer = 85.255.112.81,85.255.112.148
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.112.81,85.255.112.148
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.112.81,85.255.112.148
O17 - HKLM\System\CS6\Services\Tcpip\Parameters: NameServer = 85.255.112.81,85.255.112.148
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.81,85.255.112.148
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 13609 bytes
alfie
Active Member
 
Posts: 9
Joined: April 12th, 2009, 8:40 am
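The HijackThis log above carries three kinds of entry a helper looks at first: O4 autoruns whose executable lives in a temp or per-user data folder (here `c:\windows\temp\7rUfGeSw.exe` and `...\local settings\application data\eawwi.exe`), O17 NameServer values that have been set machine-wide under `Tcpip\Parameters` to a pair of addresses different from the per-adapter ones, and O23 services HijackThis could not attribute to a vendor. The following script is an added example for this page, not a tool from MalwareRemoval.com or its volunteers; it parses those three record types and surfaces the leads. The sample lines are copied from the log above; the "untrusted directory" list and the treatment of a static `Tcpip\Parameters` NameServer as a machine-wide override are the author's heuristics, and a hit is something to verify against the ISP's real resolvers and the file itself, not a verdict.

```python
"""Triage of HijackThis (HJT) log lines for three indicators visible in the
log above: autoruns launched from temp or per-user data folders, DNS
NameServer values rewritten machine-wide, and services with no vendor name.
Added example for this page; not a MalwareRemoval.com tool."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Bar] C:\WINDOWS\TEMP\7rUfGeSw.exe
O4 - HKCU\..\Run: [eawwi] "c:\documents and settings\home\local settings\application data\eawwi.exe" eawwi
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2B791E6-E135-46B4-B4B9-21DFC75773DD}: NameServer = 195.92.195.91 195.92.195.90
O17 - HKLM\System\CCS\Services\Tcpip\..\{D65371DD-0118-40E1-BBF7-7FDADF553A8F}: NameServer = 85.255.112.81,85.255.112.148
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.112.81,85.255.112.148
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.81,85.255.112.148
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
NS_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Heuristic (author's choice): directories a normal installer does not use for
# a persistent autorun. "\application data\" also covers "local settings\...".
UNTRUSTED_DIRS = ("\\temp\\", "\\application data\\")


def executable_path(cmd):
    """Return the .exe part of an O4 command line, quoted or not, without args."""
    m = re.match(r'"?(?P<path>.+?\.exe)"?', cmd, re.IGNORECASE)
    return m.group("path") if m else cmd


def suspicious_run_entries(log):
    """(hive, value name, lowercased path) for autoruns in untrusted folders."""
    hits = []
    for line in log.splitlines():
        m = RUN_RE.match(line)
        if not m:
            continue
        path = executable_path(m.group("cmd")).lower()
        if any(d in path for d in UNTRUSTED_DIRS):
            hits.append((m.group("hive"), m.group("name"), path))
    return hits


def nameserver_sets(log):
    """Map each distinct DNS server list to the registry keys that carry it."""
    by_servers = defaultdict(list)
    for line in log.splitlines():
        m = NS_RE.match(line)
        if m:
            servers = tuple(re.split(r"[ ,]+", m.group("servers").strip()))
            by_servers[servers].append(m.group("key"))
    return dict(by_servers)


def global_dns_override(log):
    """DNS servers set statically under Tcpip\\Parameters in any control set.

    A static value there applies to the whole machine rather than to one
    adapter, so it is the first thing to compare with the ISP's resolvers."""
    servers = set()
    for srv, keys in nameserver_sets(log).items():
        if any(k.lower().endswith("\\tcpip\\parameters") for k in keys):
            servers.update(srv)
    return servers


def unknown_owner_services(log):
    """Service names HJT reported with no company name it could read."""
    names = []
    for line in log.splitlines():
        m = SVC_RE.match(line)
        if m and m.group("owner") == "Unknown owner":
            names.append(m.group("name"))
    return names


def triage(log):
    """All three checks in one report dict."""
    return {
        "autoruns": suspicious_run_entries(log),
        "dns_sets": nameserver_sets(log),
        "dns_global": sorted(global_dns_override(log)),
        "unknown_services": unknown_owner_services(log),
    }


if __name__ == "__main__":
    for section, value in triage(SAMPLE_LOG).items():
        print(section, value)
```

Run against the sample it reports the two autoruns, two distinct DNS server sets with the 85.255.112.x pair present under `Tcpip\Parameters`, and `DSBrokerService`. Autoruns given as a bare filename (for example `stsystra.exe`, resolved through the PATH) are deliberately not flagged here, and the DDS "Pseudo HJT" section posted later in the thread uses different prefixes (`uRun:`, `mRun:`, `TCP: NameServer`) that this parser does not read.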

Re: Problem removing a rootkit

Post by jmw3 » April 12th, 2009, 5:27 pm

Hello & Welcome to Malware Removal
Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this ensure Notify me when a reply is posted is ticked on the POST A REPLY page.

In the meantime please note the following:
  • Any recommendations made are for your computer problems only and should NOT be used on any other computer.
  • Please DO NOT run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
    1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
    2. Commercial scanners, for the most part, cannot completely remove some of the more "resistant" infections. This makes it much more difficult to get rid of them completely.
  • If you get stuck or are unsure of something please ask for a further explanation, do not guess.
  • It will require more than one round to properly clean your system. Continue to respond to this thread until I give you the All Clean! even if symptoms seemingly abate.
Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave & if there is no contact for that amount of time I will have to assume you have abandoned your topic.

Thanks

DDS
Download DDS.scr by sUBs from one of the following links & save it to your desktop.
http://www.techsupportforum.com/sectools/sUBs/dds
http://download.bleepingcomputer.com/sUBs/dds.scr
http://www.forospyware.com/sUBs/dds

  • Double-Click on dds.scr and a command window will appear. This is normal
  • Shortly after, two logs will appear: DDS.txt & Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply
RootRepeal
Download RootRepeal.zip from here & unzip it to your Desktop.
  • Double click RootRepeal.exe to start the program
  • Click the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
      Drivers
      Files
      Processes
      SSDT
      Stealth Objects
      Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
Note: The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File then Exit to close the program
To post in next reply:
Contents of DDS log
Contents of Attach.txt
Contents of RootRepeal log
jmw3
MRU Emeritus
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Problem removing a rootkit

Post by alfie » April 14th, 2009, 2:58 pm

Hi jmw
Thanks for responding to my problem; your help is much appreciated.
Please see the following from the logs that you requested.

DDS (Ver_09-03-16.01) - NTFSx86
Run by HOME at 19:19:32.87 on 14/04/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.482 [GMT 1:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Napster\napster.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\documents and settings\home\local settings\application data\eawwi.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Java\jre1.6.0_04\bin\jucheck.exe
C:\WINDOWS\system32\dwwin.exe
C:\Documents and Settings\HOME\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://mysearch.myway.com/jsp/dellsidebar.jsp?p=DK
uDefault_Page_URL = hxxp://www.dell.co.uk/myway
uWindow Title = Microsoft Internet Explorer Provided by Wanadoo
uSearchMigratedDefaultURL = hxxp://search.orange.co.uk/all?brand=ou ... &p=_adr&q={searchTerms}
mWindow Title = Microsoft Internet Explorer Provided by Wanadoo
uURLSearchHooks: N/A: {4d25f926-b9fe-4682-bf72-8ab8210d6d75} - c:\program files\mywaysa\srchasde\deSrcAs.dll
mURLSearchHooks: N/A: {4d25f926-b9fe-4682-bf72-8ab8210d6d75} - c:\program files\mywaysa\srchasde\deSrcAs.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: : {4d25f921-b9fe-4682-bf72-8ab8210d6d75} - c:\program files\mywaysa\srchasde\deSrcAs.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: UrlHelper Class: {74322bf9-df26-493f-b0da-6d2fc5e6429e} - c:\program files\bearshare applications\bearshare mediabar\BearShareIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Wanadoo: {8b68564d-53fd-4293-b80c-993a9f3988ee} - c:\windows\system32\WSBar.dll
TB: {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - No File
TB: BearShare MediaBar: {d3dee18f-db64-4beb-9ff1-e1f0a5033e4a} - c:\program files\bearshare applications\bearshare mediabar\BearShareMediaBar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [eawwi] "c:\documents and settings\home\local settings\application data\eawwi.exe" eawwi
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_04\bin\jusched.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
mRun: [Easy-PrintToolBox] c:\program files\canon\easy-printtoolbox\BJPSMAIN.EXE /logon
mRun: [PinnacleDriverCheck] c:\windows\system32\PSDrvCheck.exe -CheckReg
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SpeedTouch USB Diagnostics] "c:\program files\thomson\speedtouch usb\Dragdiag.exe" /icon
mRun: [SsAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [NapsterShell] c:\program files\napster\napster.exe /systray
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Bar] c:\windows\temp\7rUfGeSw.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Search with Wanadoo - c:\windows\system32\WSBar.dll/VSearch.htm
IE: {3015DB92-158E-4b77-9020-85C8E311FBB5} - c:\progra~1\casino~1\Casino.exe
IE: {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - c:\progra~1\pacifi~1\pacificpoker.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shoc ... tor/sw.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/share ... insctl.cab
DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} - hxxp://mvt.mcafee.com/mvt/bin/2,4,1,0/mvt.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/fl ... rashim.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMe ... loader.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/aut ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
TCP: NameServer = 85.255.112.81,85.255.112.148
TCP: {D65371DD-0118-40E1-BBF7-7FDADF553A8F} = 85.255.112.81,85.255.112.148
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-2-17 213640]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-2-2 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-2-17 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-2-17 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-2-17 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-2-17 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-2-17 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-2-17 34216]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-2-17 40552]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\21.tmp --> c:\windows\system32\21.tmp [?]

=============== Created Last 30 ================

2009-04-12 11:47 92,208 a------- c:\windows\system\WING.DLL
2009-04-12 11:47 12,800 a------- c:\windows\system\WING32.DLL
2009-04-01 19:58 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-01 19:58 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-01 19:58 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-01 19:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-01 18:44 <DIR> --d----- c:\program files\SpywareBlaster
2009-03-31 20:36 <DIR> --d----- c:\windows\system32\scripting
2009-03-31 20:36 <DIR> --d----- c:\windows\system32\en
2009-03-31 20:36 <DIR> --d----- c:\windows\system32\bits
2009-03-31 20:36 <DIR> --d----- c:\windows\l2schemas
2009-03-31 20:34 <DIR> --d----- c:\windows\ServicePackFiles
2009-03-30 19:13 <DIR> --d----- c:\program files\Sophos
2009-03-28 18:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Citrix
2009-03-28 17:50 61,224 a------- c:\documents and settings\home\GoToAssistDownloadHelper.exe
2009-03-26 21:55 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-03-26 15:27 <DIR> --d----- c:\program files\WebMediaPlayer
2009-03-26 15:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\wmp
2009-03-26 15:26 74,240 a------- c:\windows\system32\O1t6f2r2.exe
2009-03-26 15:26 0 a------- c:\windows\system32\O1t6f2r2.exe.a_a

==================== Find3M ====================

2009-04-01 19:49 5,956 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-03-31 20:39 88,499 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-09 12:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 12:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-01-16 22:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2006-10-29 18:29 49,600 a------- c:\docume~1\home\applic~1\GDIPFONTCACHEV1.DAT
2006-07-11 19:54 56 ---shr-- c:\windows\system32\E48057C54E.sys

============= FINISH: 19:20:13.90 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 1/22/2006 5:59:38 PM
System Uptime: 4/14/2009 7:03:37 PM (0 hours ago)

Motherboard: Dell Inc. | | 0WG261
Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | Microprocessor | 2992/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 71 GiB total, 25.913 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable
I: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Shockwave Player
Alan Titchmarsh's Barleywood Garden Designer
ALOT Toolbar
Apple Mobile Device Support
Apple Software Update
ARTEuro
BearShare
BearShare MediaBar
Bonjour
Camera Window
Canon Camera Window for ZoomBrowser EX
Canon Internet Library for ZoomBrowser EX
Canon PhotoRecord
Canon PIXMA iP4000
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PrintToolBox
Canon Utilities File Viewer Utility 1.2
Canon Utilities PhotoStitch 3.1
Canon Utilities RemoteCapture 2.7
Canon Utilities ZoomBrowser EX
Casino-on-Net
CD-LabelPrint
CIG
CinepPlayer 30 Update
Conexant D850 56K V.9x DFVc Modem
Corel Photo Album 6
Dell CinePlayer
Dell Driver Reset Tool
Dell Media Experience
Dell System Restore
DellSupport
Digital Line Detect
Disc2Phone
Easy-WebPrint
Favorit
File Viewer Utility 1.2.2
Google Toolbar for Internet Explorer
Google Updater
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hollywood FX 5.5 Additional Effects
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB952287)
ImageMixer VCD/DVD2 for OLYMPUS
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet for Wired Connections
Internet Explorer Default Page
iPod for Windows 2005-03-23
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 4
Learn2 Player (Uninstall Only)
LimeWire 4.16.7
Macromedia Flash Player 8
Malwarebytes' Anti-Malware
McAfee SecurityCenter
McAfee Uninstaller
MCU
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Standard
Microsoft Works 7.0
Modem Helper
Mozilla Firefox (3.0.1)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MySpaceIM
MyWay Search Assistant
Napster
Napster Burn Engine
NetWaiting
OLYMPUS Master
OpenMG Limited Patch 4.4-06-13-19-01
OpenMG Secure Module 4.4.00
Pacific Poker
PDF Manual NW-A10003000
PhotoStitch
Pinnacle Hollywood FX
PKR
PowerISO
QuickTime
RealPlayer
RemoteCapture 2.7.2
Roxio DLA
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
SolidWorks 2006 SP0
Sonic Activation Module
Sonic Update Manager
SonicStage 3.4
Sophos Anti-Rootkit 1.3.1
SpeedTouch USB Software
SpywareBlaster 4.1
Studio 9
Studio 9 Content CD/DVD
Superscape 3D Control
Universal Media Player
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Viewpoint Media Player
Wanadoo Europe Installer
Wanadoo UK
WebFldrs XP
WebMediaPlayer
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format Runtime
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

4/12/2009 10:46:19 AM, error: Service Control Manager [7034] - The McAfee Scanner service terminated unexpectedly. It has done this 1 time(s).
4/12/2009 11:41:44 AM, error: Service Control Manager [7034] - The McAfee Scanner service terminated unexpectedly. It has done this 2 time(s).

==== End Of File ===========================

ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time: 2009/04/14 19:24
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA40B000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A3C000 Size: 8192 File Visible: No
Status: -

Name: gaopdxwboeteppptmovrorutobwrqxdugtbrpl.sys
Image Path: C:\WINDOWS\system32\drivers\gaopdxwboeteppptmovrorutobwrqxdugtbrpl.sys
Address: 0xAA6BC000 Size: 86016 File Visible: -
Status: Hidden from Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA9CA8000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\gaopdxcounter
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gaopdxglavldqsnsdfuiuwyowlfdyidhhbgiwd.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\sqlite_0GNFaBdaCf3qcq4
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_iEUL7htc22VKoJa
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_2BpM3Vud6nRXVcw
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_n7P61SgXfJp2L6J
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_nb1TYw01rbD2zlB
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_tWF0lykf3bGHKK0
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_ZDhgLjvxrJfdn4O
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_E28TrTutISF6pSV
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_lOJsnKbq9eE0jfm
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_uIfNEZsTFgjvzU1
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_Ywwe7xLUxap0jEF
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_HCSpXvN40MUUcRu
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_820FrwoSSBtzDZD
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_MPmU1aVIo4evagD
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_vB6CyBBIaAHHTHd
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_2Wh01ddgcXFvWh7
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_RZ9EOIAkc2ST8o2
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_p4K2GBJdLQOjqal
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\mcafee_2DmjEnI4cKZJbH0
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_8w68DvX5Hpp906K
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_baWx7NncEvEpHxx
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_1hXnzZUIJ1D2ZPj
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_6IW9omdr0mgjF8r
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_V1zSioQQVOVgEkh
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_XjAPYl7Cd1L3fVe
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_Zm9jKdxI8KXvm2T
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\mcafee_FGTkaWCYFOkCKoU
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\mcafee_mbSEYEbXGFmwZVu
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_MeVij0SFv0ANfBE
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_D0OGX7qMg4WfYBs
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_toeT96ZWuD2FaF5
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_Y1WlEX3adQ27p3n
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_y35bDVicPggSy9Q
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_zaa25tTCjvDF2EV
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_AHZYdipSXBbhPLJ
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_aiuu6TERi3nNntx
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\mcmsc_qW4hThsjLZCJIdZ
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_FATel1aB6QLpAE5
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_IYwyP8NmWnToGsC
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_KEmuF4xsqBMGJD1
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_zhnLyclgVbnhXmI
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\mcmsc_nqwPfPOmm08Xmt5
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\system32\drivers\gaopdxwboeteppptmovrorutobwrqxdugtbrpl.sys
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: gaopdxglavldqsnsdfuiuwyowlfdyidhhbgiwd.dll]
Process: svchost.exe (PID: 1024) Address: 0x10000000 Size: 24576

Object: Hidden Module [Name: gaopdxglavldqsnsdfuiuwyowlfdyidhhbgiwd.dll]
Process: svchost.exe (PID: 1120) Address: 0x10000000 Size: 24576

Object: Hidden Module [Name: gaopdxglavldqsnsdfuiuwyowlfdyidhhbgiwd.dll]
Process: svchost.exe (PID: 1184) Address: 0x10000000 Size: 24576

Object: Hidden Module [Name: gaopdxglavldqsnsdfuiuwyowlfdyidhhbgiwd.dll]
Process: svchost.exe (PID: 1260) Address: 0x10000000 Size: 24576

Object: Hidden Module [Name: gaopdxglavldqsnsdfuiuwyowlfdyidhhbgiwd.dll]
Process: svchost.exe (PID: 1372) Address: 0x10000000 Size: 24576

Object: Hidden Module [Name: gaopdxglavldqsnsdfuiuwyowlfdyidhhbgiwd.dll]
Process: svchost.exe (PID: 620) Address: 0x10000000 Size: 24576

Object: Hidden Module [Name: gaopdxglavldqsnsdfuiuwyowlfdyidhhbgiwd.dll]
Process: svchost.exe (PID: 964) Address: 0x10000000 Size: 24576

Hidden Services
-------------------
Service Name: gaopdxserv.sys
Image Path: C:\WINDOWS\system32\drivers\gaopdxwboeteppptmovrorutobwrqxdugtbrpl.sys


Hope this gives you what you need
Thanks again for your help.
alfie
Active Member
 
Posts: 9
Joined: April 12th, 2009, 8:40 am
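The RootRepeal report above mixes three kinds of entry and they should not be read with the same weight: real rootkit indicators (a driver and a DLL hidden from the Windows API, that same DLL injected into every svchost.exe, and a hidden service whose image path is the hidden driver), expected scanner noise (dump_*.sys and rootrepeal.sys have no on-disk file by design, and hiberfil.sys is always locked), and the long run of zero-length files under \WINDOWS\Temp reported as "Allocation size mismatch (API: 4096, Raw: 0)". The script below is an added example, not part of the original post and not RootRepeal's own code: it parses that report layout, applies those rules, and links findings that name the same file under different roles (driver and service, file and injected module). The severity labels and the benign-noise rules are this example's assumptions; the sample log is a constructed excerpt of the report above.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt modelled on the RootRepeal 1.2.3.0 report posted above: same
# section layout and status strings, cut down to one entry of each kind.
SAMPLE_LOG = r"""
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA40B000 Size: 98304 File Visible: No
Status: -

Name: gaopdxwboeteppptmovrorutobwrqxdugtbrpl.sys
Image Path: C:\WINDOWS\system32\drivers\gaopdxwboeteppptmovrorutobwrqxdugtbrpl.sys
Address: 0xAA6BC000 Size: 86016 File Visible: -
Status: Hidden from Windows API!

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\gaopdxglavldqsnsdfuiuwyowlfdyidhhbgiwd.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\sqlite_0GNFaBdaCf3qcq4
Status: Allocation size mismatch (API: 4096, Raw: 0)

Stealth Objects
-------------------
Object: Hidden Module [Name: gaopdxglavldqsnsdfuiuwyowlfdyidhhbgiwd.dll]
Process: svchost.exe (PID: 1024) Address: 0x10000000 Size: 24576

Object: Hidden Module [Name: gaopdxglavldqsnsdfuiuwyowlfdyidhhbgiwd.dll]
Process: svchost.exe (PID: 620) Address: 0x10000000 Size: 24576

Hidden Services
-------------------
Service Name: gaopdxserv.sys
Image Path: C:\WINDOWS\system32\drivers\gaopdxwboeteppptmovrorutobwrqxdugtbrpl.sys
"""

RULE = re.compile(r"^-{5,}$")          # dashed underline that follows each section title

def parse_rootrepeal(text):
    """Split the report into {section: [ {field: value, ...}, ... ]}."""
    lines, sections, current, block = text.splitlines(), defaultdict(list), None, {}
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line.strip() and RULE.match(nxt):       # section title, e.g. "Drivers" (always preceded by a blank line)
            current, block = line.strip(), {}
        elif current is None or RULE.match(line):  # preamble or the underline itself
            continue
        elif not line.strip():                     # blank line closes an entry
            if block:
                sections[current].append(block)
            block = {}
        else:
            key, sep, value = line.partition(": ")
            if sep:
                block[key.strip()] = value.strip()
            if "File Visible: " in line:           # packed onto the Address line
                block["File Visible"] = line.split("File Visible: ")[1].strip()
    if block:
        sections[current].append(block)
    return dict(sections)

def triage(sections):
    """(severity, kind, subject, reason) per entry; EXPECTED marks known-benign scanner noise."""
    out = []
    for d in sections.get("Drivers", []):
        name, path = d.get("Name", "").lower(), d.get("Image Path", d.get("Name", ""))
        if "hidden" in d.get("Status", "").lower():
            out.append(("HIGH", "driver", path, "driver object hidden from the Windows API"))
        elif d.get("File Visible") == "No":        # loaded, but no file behind it
            benign = name.startswith("dump_") or name == "rootrepeal.sys"
            out.append(("EXPECTED" if benign else "MEDIUM", "driver", path,
                        "memory-only crash-dump/scanner driver" if benign else "loaded driver with no visible file"))
    for f in sections.get("Hidden/Locked Files", []):
        path, status = f.get("Path", ""), f.get("Status", "").lower()
        if "invisible" in status:
            out.append(("HIGH", "file", path, "file hidden from the Windows API"))
        elif "locked" in status and path.lower().endswith(("\\hiberfil.sys", "\\pagefile.sys")):
            out.append(("EXPECTED", "file", path, "hibernation/page file is always locked"))
        elif "allocation size mismatch" in status and "\\temp\\" in path.lower():
            out.append(("LOW", "file", path, "zero-length temp file; the size mismatch is a benign race"))
        else:
            out.append(("MEDIUM", "file", path, status))
    modules = Counter(m.group(1) for o in sections.get("Stealth Objects", [])
                      if (m := re.search(r"Hidden Module \[Name: (.+?)\]", o.get("Object", ""))))
    for name, n in modules.items():
        out.append(("HIGH", "module", name, f"hidden module injected into {n} process(es)"))
    for s in sections.get("Hidden Services", []):
        out.append(("HIGH", "service", s.get("Image Path", ""), f"hidden service {s.get('Service Name', '')}"))
    return out

def correlate(findings):
    """Group HIGH findings that name the same file under different roles (driver+service, file+module)."""
    roles = defaultdict(set)
    for sev, kind, subject, _ in findings:
        if sev == "HIGH":
            roles[subject.rsplit("\\", 1)[-1].lower()].add(kind)
    return {k: sorted(v) for k, v in roles.items() if len(v) > 1}
```

Run it on a saved report with `triage(parse_rootrepeal(open("rootrepeal.txt").read()))` and then `correlate(...)` on the result. On the sample it returns four HIGH findings and links the hidden driver to the hidden service and the hidden DLL to the module injected into two processes, which is the picture that matters for cleanup: one kernel driver providing the hiding, one DLL doing the work in svchost, and everything else in the report either expected or noise.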

Re: Problem removing a rootkit

Unread postby jmw3 » April 15th, 2009, 5:34 am

Hi
MRU P2P Policy
IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

BearShare | BearShare MediaBar | LimeWire 4.16.7

I'd like you to read the MRU policy for P2P Programs.
Go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red) & any other P2P programs.
Run a new DDS scan when finished and post both logs back here.
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
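Two parts of the DDS logs alfie posts in this thread deserve the same systematic reading as the RootRepeal output: the Pseudo HJT Report (autorun entries launching from %WINDIR%\Temp or from the root of Local Settings\Application Data, BHO and toolbar registrations that point at files that no longer exist, and resolvers set statically under "TCP: NameServer") and the Event Viewer section, where SCM event 7026 listing Tcpip, AFD and NetBT among boot-start drivers that failed to load is the cause of the 7001 and DCOM "%1084" errors logged around it. The script below is an added example, not DDS's own code and not from the original thread; it parses those line formats over a constructed excerpt of the posted logs. The trusted-resolver list is an assumption (an analyst would fill in the victim's ISP or router ranges), as is the MEDIUM rating for a service backed by a .tmp file: anti-rootkit scanners register transient drivers the same way, so such an entry needs confirming before anything is removed.

```python
import ipaddress
import re

# Constructed excerpt modelled on the DDS dds.txt / attach.txt reports posted in this
# thread (Pseudo HJT Report, SERVICES / DRIVERS, Event Viewer); trimmed to the lines
# each rule below needs.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [eawwi] "c:\documents and settings\home\local settings\application data\eawwi.exe" eawwi
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [Bar] c:\windows\temp\7rUfGeSw.exe
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - No File
TCP: NameServer = 85.255.112.81,85.255.112.148
TCP: {D65371DD-0118-40E1-BBF7-7FDADF553A8F} = 85.255.112.81,85.255.112.148
============= SERVICES / DRIVERS ===============
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-2-17 213640]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\21.tmp --> c:\windows\system32\21.tmp [?]
==== Event Viewer Messages From Past Week ========
4/15/2009 10:13:06 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec mfehidk MPFP MRxSmb NetBIOS NetBT PCLEPCI RasAcd Rdbss SCDEmu Tcpip
"""

AUTORUN = re.compile(r"^(?P<hive>[umd]Run): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
DNS_LINE = re.compile(r"^TCP: (?:NameServer|\{[0-9A-Fa-f-]+\}) = (.+)$")
ORPHAN = re.compile(r"^(?:BHO|TB): (.+) - No File$")
SERVICE = re.compile(r"^[RS]\d (?P<name>[^;]+);[^;]*;(?P<image>.+?)(?: -->| \[|$)")
FAILED_7026 = re.compile(r"\[7026\] - .*failed to load: (.+)$")

# Directories a legitimate startup entry almost never launches from on XP.
SUSPECT_DIRS = [
    (re.compile(r"\\windows\\temp\\[^\\]+$", re.I), "autorun launches from %WINDIR%\\Temp"),
    (re.compile(r"\\local settings\\(?:temp|application data)\\[^\\]+$", re.I),
     "autorun launches from the root of Local Settings\\Temp or \\Application Data"),
]
NET_STACK = {"tcpip", "afd", "netbt", "ipsec"}     # drivers the whole IP stack depends on


def image_path(cmd):
    """Executable named by an autorun command line, whether the path is quoted or not."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.+?\.(?:exe|scr|com|bat|dll))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def triage_dds(text, trusted_dns=()):
    """(severity, kind, subject, reason) findings for the DDS lines in text.

    trusted_dns is the analyst's allow-list of resolver networks (assumed here: the
    victim's ISP or router ranges); a static resolver outside it is flagged.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_dns]
    findings, seen_dns = [], set()
    for line in text.splitlines():
        line = line.strip()
        if m := AUTORUN.match(line):
            path = image_path(m["cmd"])
            for rx, why in SUSPECT_DIRS:
                if rx.search(path):
                    findings.append(("HIGH", "autorun", f"{m['hive']} [{m['name']}] {path}", why))
        elif m := DNS_LINE.match(line):
            for ip in (s.strip() for s in m.group(1).split(",")):
                if ip not in seen_dns and not any(ipaddress.ip_address(ip) in n for n in trusted):
                    seen_dns.add(ip)
                    findings.append(("HIGH", "dns", ip, "static resolver outside the trusted list"))
        elif m := ORPHAN.match(line):
            findings.append(("LOW", "ie-addon", m.group(1), "registration points at a file that no longer exists"))
        elif (m := SERVICE.match(line)) and m["image"].lower().endswith(".tmp"):
            findings.append(("MEDIUM", "service", f"{m['name']} {m['image']}",
                             "driver image is a .tmp file; confirm which tool registered it before removing"))
    return findings


def failed_network_drivers(text):
    """Network-stack drivers named in an SCM 7026 event: why dependent services and DCOM fail."""
    for line in text.splitlines():
        if m := FAILED_7026.search(line):
            return sorted({d.lower() for d in m.group(1).split()} & NET_STACK)
    return []


if __name__ == "__main__":
    # Assumed allow-list; replace with the ranges the victim's ISP actually hands out.
    for f in triage_dds(SAMPLE_DDS, trusted_dns=["192.168.0.0/16"]):
        print("%-6s %-8s %s  (%s)" % f)
    print("network drivers that failed to load:", failed_network_drivers(SAMPLE_DDS))
```

On the sample this flags the two autoruns living in Temp and Application Data, both statically configured resolvers (a home PC whose resolvers are not the ISP's is a classic DNS-hijack sign and worth checking with the ISP before assuming anything else), the two orphaned IE add-on entries as low-priority cleanup, and the .tmp-backed MEMSWEEP2 service as something to identify rather than delete. The 7026 event then explains the rest of the Event Viewer block: with Tcpip, AFD, NetBT and IPSec not loading, every service that depends on them fails with the same "device attached to the system is not functioning" error, so those 7001 and DCOM entries are symptoms, not separate problems.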

Re: Problem removing a rootkit

Unread postby alfie » April 15th, 2009, 5:27 pm

Hi jmw,
I have removed the P2P programs and re-run DDS.
Here are the logs.


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 1/22/2006 5:59:38 PM
System Uptime: 4/15/2009 10:16:51 PM (0 hours ago)

Motherboard: Dell Inc. | | 0WG261
Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | Microprocessor | 2992/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 71 GiB total, 26.298 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable
I: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Shockwave Player
ALOT Toolbar
Apple Mobile Device Support
Apple Software Update
ARTEuro
Bonjour
Camera Window
Canon Camera Window for ZoomBrowser EX
Canon Internet Library for ZoomBrowser EX
Canon PhotoRecord
Canon PIXMA iP4000
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PrintToolBox
Canon Utilities File Viewer Utility 1.2
Canon Utilities PhotoStitch 3.1
Canon Utilities RemoteCapture 2.7
Canon Utilities ZoomBrowser EX
Casino-on-Net
CD-LabelPrint
CIG
CinepPlayer 30 Update
Conexant D850 56K V.9x DFVc Modem
Corel Photo Album 6
Dell CinePlayer
Dell Driver Reset Tool
Dell Media Experience
Dell System Restore
DellSupport
Digital Line Detect
Disc2Phone
Easy-WebPrint
Favorit
File Viewer Utility 1.2.2
Google Toolbar for Internet Explorer
Google Updater
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hollywood FX 5.5 Additional Effects
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB952287)
ImageMixer VCD/DVD2 for OLYMPUS
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet for Wired Connections
Internet Explorer Default Page
iPod for Windows 2005-03-23
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 4
Learn2 Player (Uninstall Only)
Macromedia Flash Player 8
Malwarebytes' Anti-Malware
McAfee SecurityCenter
McAfee Uninstaller
MCU
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Standard
Microsoft Works 7.0
Modem Helper
Mozilla Firefox (3.0.1)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MySpaceIM
MyWay Search Assistant
NetWaiting
OLYMPUS Master
OpenMG Limited Patch 4.4-06-13-19-01
OpenMG Secure Module 4.4.00
Pacific Poker
PDF Manual NW-A10003000
PhotoStitch
Pinnacle Hollywood FX
PKR
PowerISO
QuickTime
RealPlayer
RemoteCapture 2.7.2
Roxio DLA
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
SolidWorks 2006 SP0
Sonic Activation Module
Sonic Update Manager
SonicStage 3.4
Sophos Anti-Rootkit 1.3.1
SpeedTouch USB Software
SpywareBlaster 4.1
Studio 9
Studio 9 Content CD/DVD
Superscape 3D Control
Universal Media Player
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Viewpoint Media Player
Wanadoo Europe Installer
Wanadoo UK
WebFldrs XP
WebMediaPlayer
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format Runtime
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

4/12/2009 11:41:44 AM, error: Service Control Manager [7034] - The McAfee Scanner service terminated unexpectedly. It has done this 2 time(s).
4/12/2009 11:35:18 AM, error: Service Control Manager [7034] - The McAfee Scanner service terminated unexpectedly. It has done this 1 time(s).
4/15/2009 10:12:36 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
4/15/2009 10:12:45 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
4/15/2009 10:13:06 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
4/15/2009 10:13:06 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
4/15/2009 10:13:06 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
4/15/2009 10:13:06 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
4/15/2009 10:13:06 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
4/15/2009 10:13:06 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
4/15/2009 10:13:06 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec mfehidk MPFP MRxSmb NetBIOS NetBT PCLEPCI RasAcd Rdbss SCDEmu Tcpip
4/15/2009 10:13:20 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
4/15/2009 10:14:09 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNASvc with arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}

==== End Of File ===========================





DDS (Ver_09-03-16.01) - NTFSx86
Run by HOME at 22:19:17.51 on 15/04/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.621 [GMT 1:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\documents and settings\home\local settings\application data\eawwi.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\HOME\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://mysearch.myway.com/jsp/dellsidebar.jsp?p=DK
uDefault_Page_URL = hxxp://www.dell.co.uk/myway
uWindow Title = Microsoft Internet Explorer Provided by Wanadoo
uSearchMigratedDefaultURL = hxxp://search.orange.co.uk/all?brand=ou ... &p=_adr&q={searchTerms}
mWindow Title = Microsoft Internet Explorer Provided by Wanadoo
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: N/A: {4d25f926-b9fe-4682-bf72-8ab8210d6d75} - c:\program files\mywaysa\srchasde\deSrcAs.dll
mURLSearchHooks: N/A: {4d25f926-b9fe-4682-bf72-8ab8210d6d75} - c:\program files\mywaysa\srchasde\deSrcAs.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: : {4d25f921-b9fe-4682-bf72-8ab8210d6d75} - c:\program files\mywaysa\srchasde\deSrcAs.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Wanadoo: {8b68564d-53fd-4293-b80c-993a9f3988ee} - c:\windows\system32\WSBar.dll
TB: {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [eawwi] "c:\documents and settings\home\local settings\application data\eawwi.exe" eawwi
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_04\bin\jusched.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
mRun: [Easy-PrintToolBox] c:\program files\canon\easy-printtoolbox\BJPSMAIN.EXE /logon
mRun: [PinnacleDriverCheck] c:\windows\system32\PSDrvCheck.exe -CheckReg
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SpeedTouch USB Diagnostics] "c:\program files\thomson\speedtouch usb\Dragdiag.exe" /icon
mRun: [SsAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [NapsterShell] c:\program files\napster\napster.exe /systray
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Bar] c:\windows\temp\7rUfGeSw.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Search with Wanadoo - c:\windows\system32\WSBar.dll/VSearch.htm
IE: {3015DB92-158E-4b77-9020-85C8E311FBB5} - c:\progra~1\casino~1\Casino.exe
IE: {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - c:\progra~1\pacifi~1\pacificpoker.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shoc ... tor/sw.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/share ... insctl.cab
DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} - hxxp://mvt.mcafee.com/mvt/bin/2,4,1,0/mvt.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/fl ... rashim.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMe ... loader.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/aut ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
TCP: NameServer = 85.255.112.81,85.255.112.148
TCP: {D65371DD-0118-40E1-BBF7-7FDADF553A8F} = 85.255.112.81,85.255.112.148
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-2-17 213640]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-2-2 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-2-17 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-2-17 144704]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-2-17 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-2-17 35272]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-2-17 606736]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\21.tmp --> c:\windows\system32\21.tmp [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-2-17 34216]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-2-17 40552]

=============== Created Last 30 ================

2009-04-14 19:24 0 a------- c:\documents and settings\home\settings.dat
2009-04-12 11:47 92,208 a------- c:\windows\system\WING.DLL
2009-04-12 11:47 12,800 a------- c:\windows\system\WING32.DLL
2009-04-01 19:58 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-01 19:58 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-01 19:58 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-01 19:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-01 18:44 <DIR> --d----- c:\program files\SpywareBlaster
2009-03-31 20:36 <DIR> --d----- c:\windows\system32\scripting
2009-03-31 20:36 <DIR> --d----- c:\windows\system32\en
2009-03-31 20:36 <DIR> --d----- c:\windows\system32\bits
2009-03-31 20:36 <DIR> --d----- c:\windows\l2schemas
2009-03-31 20:34 <DIR> --d----- c:\windows\ServicePackFiles
2009-03-30 19:13 <DIR> --d----- c:\program files\Sophos
2009-03-28 18:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Citrix
2009-03-28 17:50 61,224 a------- c:\documents and settings\home\GoToAssistDownloadHelper.exe
2009-03-26 21:55 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-03-26 15:27 <DIR> --d----- c:\program files\WebMediaPlayer
2009-03-26 15:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\wmp
2009-03-26 15:26 74,240 a------- c:\windows\system32\O1t6f2r2.exe
2009-03-26 15:26 0 a------- c:\windows\system32\O1t6f2r2.exe.a_a

==================== Find3M ====================

2009-04-01 19:49 5,956 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-03-31 20:39 88,499 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-09 12:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 12:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-01-16 22:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2006-10-29 18:29 49,600 a------- c:\docume~1\home\applic~1\GDIPFONTCACHEV1.DAT
2006-07-11 19:54 56 ---shr-- c:\windows\system32\E48057C54E.sys

============= FINISH: 22:20:33.54 ===============
Hope this is ok
Thanks
alfie
Active Member
 
Posts: 9
Joined: April 12th, 2009, 8:40 am

Re: Problem removing a rootkit

Unread postby jmw3 » April 15th, 2009, 9:44 pm

Hi

I notice you don't have any System Restore Points. Do you have System Restore turned off? If so I would like you to turn it back on & create a new System Restore Point. The restore point will be infected, but it is better to have an infected restore point we can fall back on if things go pear-shaped than none at all. We'll get rid of any infected restore points later on:
Click Start->All Programs->Accessories->System Tools->System Restore
Select Create a restore point, then Next, type a name like Before Cleaning, click the Create button then Close

Remove Programs
Click Start > Control Panel > Add/Remove Programs
Remove these programs by clicking Remove

ALOT Toolbar
MyWay Search Assistant
Universal Media Player
WebMediaPlayer


If some programs listed are not present, please do not panic

Note about poker games:
Casino-on-Net
Pacific Poker

You appear to be a fan of games, but I think it's important to note that often these kinds of programs are installed with other unwanted software, namely spyware or adware. If you did not install these programs yourself, or you do not use them any more, I would definitely recommend that you uninstall them from your computer, even if it is simply a precautionary measure. The amount of different poker software which arises on the internet means it is impossible to keep track of which ones are infected and which ones are not. If you do use the software, and wish to continue doing so, please ignore this. If you do decide to go ahead and remove the poker software, you should be able to uninstall them via Add/Remove, which can be found in the Control Panel. Let me know if you have any problems whilst doing so.
Here are links to some poker sites regarded as safe for your reference.
http://www.pokerstars.net/ - This is a free to use/play site.
http://www.pokerstars.com - This is the paid for version.

ATF Cleaner
Download ATF Cleaner here by Atribune.
    Double-click ATF-Cleaner.exe to run the program
    Under Main choose: Select All
    Click the Empty Selected button
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button
    NOTE: If you would like to keep your saved passwords, please click No at the prompt
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button
    NOTE: If you would like to keep your saved passwords, please click No at the prompt
Click Exit on the Main menu to close the program.

Combofix
Download ComboFix from one of these locations:
Link 1
Link 2
Link 3

**IMPORTANT !!! Rename ComboFix.exe to Commy.exe BEFORE you save it to your Desktop**

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    A guide to do this can be found here
  • Double click on ComboFix.exe & follow the prompts
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Image

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


To post in next reply:
Combofix log
Update on how the computer is running
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Problem removing a rootkit

Unread postby alfie » April 16th, 2009, 2:16 pm

Hi jmw
I had turned off System Restore as I read in the forum that this can store the virus and the AV will not delete it, but that obviously did not work.
I have removed all the programs including the poker games and downloaded the files as instructed.
I cannot, however, create a restore point. I receive a message that it cannot be created and to restart the PC. This does not work, so at the moment I have not created a restore point and will wait to hear from you as to how to proceed from here.
Thanks for your patience

PS The music and poker programs were installed courtesy of my two sons (one has now left home and the other is heading your way later in the year!!)
alfie
Active Member
 
Posts: 9
Joined: April 12th, 2009, 8:40 am

Re: Problem removing a rootkit

Unread postby jmw3 » April 16th, 2009, 7:37 pm

OK... if you can't create a restore point right now, just leave that part & continue on with the ATF-Cleaner & ComboFix instructions.
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Problem removing a rootkit

Unread postby alfie » April 18th, 2009, 1:33 pm

Hi jmw
I have run the ATF Cleaner and ComboFix programs.
The PC seems to be running OK, although I have only been using it for a short time; before running the above it would certainly have locked up by now.
Here is the ComboFix log as requested.

ComboFix 09-04-17.01 - HOME 18/04/2009 16:35.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.681 [GMT 1:00]
Running from: c:\documents and settings\HOME\Desktop\commy.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HOME\Local Settings\Application Data\eawwi.dat
c:\documents and settings\HOME\Local Settings\Application Data\eawwi.exe
c:\documents and settings\HOME\Local Settings\Application Data\eawwi_nav.dat
c:\documents and settings\HOME\Local Settings\Application Data\eawwi_navps.dat
c:\documents and settings\HOME\Start Menu\Programs\PlayMe
c:\recycler\S-7-2-64-100029178-100027982-100019647-9135.com
c:\windows\system32\drivers\gaopdxwboeteppptmovrorutobwrqxdugtbrpl.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxglavldqsnsdfuiuwyowlfdyidhhbgiwd.dll
c:\windows\system32\O1t6f2r2.exe.a_a

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-03-18 to 2009-04-18 )))))))))))))))))))))))))))))))
.

2009-04-14 18:24 . 2009-04-14 18:24 0 ----a-w c:\documents and settings\HOME\settings.dat
2009-04-12 10:47 . 1994-09-21 00:00 92208 ----a-w c:\windows\system\WING.DLL
2009-04-12 10:47 . 1994-09-21 00:00 12800 ----a-w c:\windows\system\WING32.DLL
2009-04-01 18:58 . 2009-02-11 09:19 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-01 18:58 . 2009-02-11 09:19 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-01 18:58 . 2009-04-01 18:58 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-01 18:58 . 2009-04-01 18:58 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-01 17:45 . 2009-04-18 15:23 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-01 17:44 . 2009-04-01 17:44 -------- d-----w c:\program files\SpywareBlaster
2009-03-31 19:36 . 2009-03-31 19:36 -------- d-----w c:\windows\system32\scripting
2009-03-31 19:36 . 2009-03-31 19:36 -------- d-----w c:\windows\l2schemas
2009-03-31 19:36 . 2009-03-31 19:36 -------- d-----w c:\windows\system32\en
2009-03-31 19:36 . 2009-03-31 19:36 -------- d-----w c:\windows\system32\bits
2009-03-31 19:34 . 2009-03-31 19:34 -------- d-----w c:\windows\ServicePackFiles
2009-03-30 18:13 . 2009-03-30 18:13 -------- d-----w c:\program files\Sophos
2009-03-28 17:27 . 2009-03-28 17:27 -------- d-----w c:\documents and settings\All Users\Application Data\Citrix
2009-03-28 16:50 . 2009-03-28 16:50 -------- d-----w c:\documents and settings\HOME\Local Settings\Application Data\Citrix
2009-03-28 16:50 . 2009-03-28 16:50 61224 ----a-w c:\documents and settings\HOME\GoToAssistDownloadHelper.exe
2009-03-28 15:01 . 2009-03-28 15:01 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-03-26 20:55 . 2009-03-26 20:55 -------- d--h--w c:\windows\system32\GroupPolicy
2009-03-26 14:26 . 2009-03-26 14:26 74240 ----a-w c:\windows\system32\O1t6f2r2.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-18 15:19 . 2008-03-13 15:55 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-17 06:56 . 2006-01-18 11:23 -------- d-----w c:\program files\McAfee
2009-04-15 20:51 . 2008-02-03 19:33 -------- d-----w c:\documents and settings\All Users\Application Data\Napster
2009-04-15 20:49 . 2008-03-31 11:17 -------- d-----w c:\program files\LimeWire
2009-04-15 20:47 . 2008-01-15 21:11 -------- d-----w c:\program files\BearShare Applications
2009-04-01 18:49 . 2006-02-04 13:02 5956 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-04-01 18:49 . 2006-02-04 13:02 50376 ----a-w c:\documents and settings\HOME\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-31 19:39 . 2004-08-11 17:14 88499 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-03-31 19:32 . 2004-08-11 17:00 250048 --sha-r C:\ntldr
2009-03-28 15:49 . 2008-07-28 14:37 -------- d-----w c:\program files\Bonjour
2009-03-26 20:33 . 2009-02-03 14:31 -------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-03-26 14:39 . 2007-12-04 21:33 268 ---ha-w C:\sqmdata16.sqm
2009-03-26 14:39 . 2007-12-04 21:33 244 ---ha-w C:\sqmnoopt16.sqm
2009-03-25 10:06 . 2007-02-17 11:09 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 10:06 . 2007-02-17 11:09 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-03-25 10:06 . 2007-02-17 11:09 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-03-25 10:06 . 2007-02-17 11:09 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 10:05 . 2007-02-17 11:09 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-03-24 18:38 . 2007-12-03 19:49 268 ---ha-w C:\sqmdata15.sqm
2009-03-24 18:38 . 2007-12-03 19:49 244 ---ha-w C:\sqmnoopt15.sqm
2009-03-24 07:53 . 2007-12-03 15:57 268 ---ha-w C:\sqmdata14.sqm
2009-03-24 07:53 . 2007-12-03 15:57 244 ---ha-w C:\sqmnoopt14.sqm
2009-03-24 07:50 . 2007-11-18 22:41 268 ---ha-w C:\sqmdata13.sqm
2009-03-24 07:50 . 2007-11-18 22:41 244 ---ha-w C:\sqmnoopt13.sqm
2009-03-23 23:08 . 2007-11-17 20:50 268 ---ha-w C:\sqmdata12.sqm
2009-03-23 23:08 . 2007-11-17 20:50 244 ---ha-w C:\sqmnoopt12.sqm
2009-03-22 10:58 . 2007-11-17 16:49 268 ---ha-w C:\sqmdata11.sqm
2009-03-22 10:58 . 2007-11-17 16:49 244 ---ha-w C:\sqmnoopt11.sqm
2009-03-19 21:41 . 2007-11-14 19:06 268 ---ha-w C:\sqmdata10.sqm
2009-03-19 21:41 . 2007-11-14 19:06 244 ---ha-w C:\sqmnoopt10.sqm
2009-03-19 14:06 . 2007-11-13 23:03 268 ---ha-w C:\sqmdata09.sqm
2009-03-19 14:06 . 2007-11-13 23:03 244 ---ha-w C:\sqmnoopt09.sqm
2009-03-19 13:47 . 2009-03-19 13:47 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\SACore
2009-03-18 22:49 . 2007-11-13 16:48 268 ---ha-w C:\sqmdata08.sqm
2009-03-18 22:49 . 2007-11-13 16:48 244 ---ha-w C:\sqmnoopt08.sqm
2009-03-17 19:24 . 2007-10-15 06:33 268 ---ha-w C:\sqmdata07.sqm
2009-03-17 19:24 . 2007-10-15 06:33 244 ---ha-w C:\sqmnoopt07.sqm
2009-03-16 23:36 . 2007-10-14 10:26 268 ---ha-w C:\sqmdata06.sqm
2009-03-16 23:36 . 2007-10-14 10:26 244 ---ha-w C:\sqmnoopt06.sqm
2009-03-15 14:09 . 2007-09-29 11:36 268 ---ha-w C:\sqmdata05.sqm
2009-03-15 14:09 . 2007-09-29 11:36 244 ---ha-w C:\sqmnoopt05.sqm
2009-03-15 12:03 . 2007-09-28 17:47 268 ---ha-w C:\sqmdata04.sqm
2009-03-15 12:03 . 2007-09-28 17:47 244 ---ha-w C:\sqmnoopt04.sqm
2009-03-14 08:59 . 2007-09-28 13:09 268 ---ha-w C:\sqmdata03.sqm
2009-03-14 08:59 . 2007-09-28 13:09 244 ---ha-w C:\sqmnoopt03.sqm
2009-03-10 20:09 . 2007-09-27 20:16 268 ---ha-w C:\sqmdata02.sqm
2009-03-10 20:09 . 2007-09-27 20:16 244 ---ha-w C:\sqmnoopt02.sqm
2009-03-10 18:33 . 2007-09-26 18:46 268 ---ha-w C:\sqmdata01.sqm
2009-03-10 18:33 . 2007-09-26 18:46 244 ---ha-w C:\sqmnoopt01.sqm
2009-03-10 08:15 . 2007-09-26 17:23 268 ---ha-w C:\sqmdata00.sqm
2009-03-10 08:15 . 2007-09-26 17:23 244 ---ha-w C:\sqmnoopt00.sqm
2009-03-09 20:34 . 2007-12-06 21:51 268 ---ha-w C:\sqmdata19.sqm
2009-03-09 20:34 . 2007-12-06 21:51 244 ---ha-w C:\sqmnoopt19.sqm
2009-03-08 22:54 . 2007-12-06 14:11 268 ---ha-w C:\sqmdata18.sqm
2009-03-08 22:54 . 2007-12-06 14:11 244 ---ha-w C:\sqmnoopt18.sqm
2009-03-08 09:41 . 2007-12-06 12:48 268 ---ha-w C:\sqmdata17.sqm
2009-03-08 09:41 . 2007-12-06 12:48 244 ---ha-w C:\sqmnoopt17.sqm
2009-03-07 19:39 . 2006-01-18 11:23 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-02-17 19:12 . 2008-03-02 12:19 -------- d-----w c:\program files\Google
2009-02-09 11:13 . 2008-10-16 11:27 1846784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 11:13 . 2004-08-11 17:00 1846784 ----a-w c:\windows\system32\win32k.sys
2006-10-29 17:29 . 2006-10-29 17:29 49600 ----a-w c:\documents and settings\HOME\Application Data\GDIPFONTCACHEV1.DAT
2006-04-06 06:59 . 2006-04-06 06:59 127 ----a-w c:\documents and settings\HOME\Local Settings\Application Data\fusioncache.dat
2006-07-11 18:54 . 2006-07-11 18:54 56 --sh--r c:\windows\system32\E48057C54E.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-01-12 4898816]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-13 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 144784]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 94208]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 106496]
"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2006-01-07 81920]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-01-20 200704]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-13 185896]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-01-12 4898816]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-1-18 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\William Hill Poker\\UA.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R3 MEMSWEEP2;MEMSWEEP2; [x]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]

.
Contents of the 'Scheduled Tasks' folder

2008-07-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2009-03-26 c:\windows\Tasks\At1.job
- c:\windows\system32\O1t6f2r2.exe [2009-03-26 14:26]

2009-03-26 c:\windows\Tasks\At10.job
- c:\windows\system32\O1t6f2r2.exe [2009-03-26 14:26]

2009-04-12 c:\windows\Tasks\At11.job
- c:\windows\system32\O1t6f2r2.exe [2009-03-26 14:26]

2009-04-12 c:\windows\Tasks\At12.job
- c:\windows\system32\O1t6f2r2.exe [2009-03-26 14:26]

2009-04-12 c:\windows\Tasks\At13.job
- c:\windows\system32\O1t6f2r2.exe [2009-03-26 14:26]

2009-03-26 c:\windows\Tasks\At14.job
- c:\windows\system32\O1t6f2r2.exe [2009-03-26 14:26]

2009-04-12 c:\windows\Tasks\At15.job
- c:\windows\system32\O1t6f2r2.exe [2009-03-26 14:26]

2009-04-12 c:\windows\Tasks\At16.job
- c:\windows\system32\O1t6f2r2.exe [2009-03-26 14:26]

2009-03-26 c:\windows\Tasks\At17.job
- c:\windows\system32\O1t6f2r2.exe [2009-03-26 14:26]

2009-03-28 c:\windows\Tasks\At18.job
- c:\windows\system32\O1t6f2r2.exe [2009-03-26 14:26]

2009-03-28 c:\windows\Tasks\At19.job
- c:\windows\system32\O1t6f2r2.exe [2009-03-26 14:26]

2009-03-26 c:\windows\Tasks\At2.job
- c:\windows\system32\O1t6f2r2.exe [2009-03-26 14:26]

2009-04-16 c:\windows\Tasks\At20.job
- c:\windows\system32\O1t6f2r2.exe [2009-03-26 14:26]

2009-04-14 c:\windows\Tasks\At21.job
- c:\windows\system32\O1t6f2r2.exe [2009-03-26 14:26]

2009-04-01 c:\windows\Tasks\At22.job
- c:\windows\system32\O1t6f2r2.exe [2009-03-26 14:26]

2009-04-15 c:\windows\Tasks\At23.job
- c:\windows\system32\O1t6f2r2.exe [2009-03-26 14:26]

2009-03-26 c:\windows\Tasks\At24.job
- c:\windows\system32\O1t6f2r2.exe [2009-03-26 14:26]

2009-03-26 c:\windows\Tasks\At3.job
- c:\windows\system32\O1t6f2r2.exe [2009-03-26 14:26]

2009-03-26 c:\windows\Tasks\At4.job
- c:\windows\system32\O1t6f2r2.exe [2009-03-26 14:26]

2009-03-26 c:\windows\Tasks\At5.job
- c:\windows\system32\O1t6f2r2.exe [2009-03-26 14:26]

2009-03-26 c:\windows\Tasks\At6.job
- c:\windows\system32\O1t6f2r2.exe [2009-03-26 14:26]

2009-03-26 c:\windows\Tasks\At7.job
- c:\windows\system32\O1t6f2r2.exe [2009-03-26 14:26]

2009-03-26 c:\windows\Tasks\At8.job
- c:\windows\system32\O1t6f2r2.exe [2009-03-26 14:26]

2009-04-17 c:\windows\Tasks\At9.job
- c:\windows\system32\O1t6f2r2.exe [2009-03-26 14:26]

2009-04-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-03-02 14:23]

2007-02-17 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-17 10:53]

2007-09-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-17 10:53]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-BigBitmap - (no file)
Toolbar-SmallBitmap - (no file)
Toolbar-{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - (no file)
HKCU-Run-eawwi - c:\documents and settings\home\local settings\application data\eawwi.exe
HKLM-Run-NapsterShell - c:\program files\Napster\napster.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.orange.co.uk/all?brand=ou ... &p=_adr&q={searchTerms}
mWindow Title = Microsoft Internet Explorer Provided by Wanadoo
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Search with Wanadoo - c:\windows\system32\WSBar.dll/VSearch.htm
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-18 16:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\21.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,c4,d2,e1,bc,1d,
a5,01,21,c8,28,51,af,b0,29,a3,98,64,51,e1,45,6a,9d,f1,89,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,5a,a7,c5,ae,89,
b0,6c,30,71,3b,04,66,8b,46,0d,96,79,f9,b9,e8,2f,bb,cf,51,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,a8,cb,6b,43,0f,
ff,34,2a,25,da,ec,7e,55,20,c9,26,71,18,49,a9,9b,cb,85,84,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,68,f9,d1,c5,97,
30,c6,0a,3e,1e,9e,e0,57,5a,93,61,60,6f,e2,43,5b,5e,e4,4b,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,54,a3,77,ac,f0,
11,7c,a8,cd,44,cd,b9,a6,33,6c,cd,9f,3f,e3,21,c9,52,13,70,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,b4,ad,82,16,af,
96,02,5c,b0,18,ed,a7,3f,8d,37,a4,d8,3c,8e,23,f7,dc,45,98,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,54,95,03,58,ee,
d0,65,22,31,77,e1,ba,b1,f8,68,02,7d,7f,2d,19,6e,27,80,ad,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,82,4b,7e,d0,4a,
84,d3,4e,83,6c,56,8b,a0,85,96,ab,d4,88,24,f0,90,55,ab,16,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,25,b4,0f,40,6b,
ec,e4,0e,51,fa,6e,91,28,9e,14,cc,38,c0,71,f6,69,27,aa,a8,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,71,cc,60,51,72,
17,2d,a7,b1,cd,45,5a,a8,c4,f8,b9,48,f2,fa,2d,66,e3,5c,82,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,35,a0,e3,ee,f9,
b8,cc,d2,e3,0e,66,d5,eb,bc,2f,6b,8f,06,d4,89,b7,be,74,02,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:05,73,21,dd,54,d8,4a,c5,d2,42,58,d1,5d,
be,5a,1a,fa,ea,66,7f,d4,3b,6b,70,08,d8,e8,a9,8c,4a,03,5f,6c,43,2d,1e,aa,22,\
.
Completion time: 2009-04-18 16:42
ComboFix-quarantined-files.txt 2009-04-18 15:41

Pre-Run: 28,589,010,944 bytes free
Post-Run: 30,538,694,656 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
336 --- E O F --- 2009-04-01 17:50

I will wait to hear from you before I run a full scan.
I have now installed on my PC Malwarebytes, SpywareBlaster, Panda Anti-Rootkit and the McAfee Security Centre.
What would you recommend for future protection?

Thanks again
alfie
Active Member
 
Posts: 9
Joined: April 12th, 2009, 8:40 am
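The DDS and ComboFix logs above are read by hand by the helper. As an added example (not code from this thread or from the DDS/ComboFix tools), the Python script below triages a constructed log in the same layout and flags three things a malware-removal helper looks for in it: NameServer entries pointing at resolvers outside an owner-supplied allow-list, Security Center values that silence antivirus/firewall warnings, and clusters of At*.job scheduled tasks that all launch one executable. The line regexes and the allow-list are assumptions about the log layout, not a format specification.

```python
"""Triage a DDS/ComboFix-style log for indicators a malware-removal helper acts on.

Added example; not code from this thread or from the DDS/ComboFix tools.
The regexes are assumptions about the log layout seen in the thread, and
the sample log is constructed to mirror that layout.
"""
import re
from collections import defaultdict

# Constructed sample in the style of the DDS and ComboFix logs posted above.
SAMPLE_LOG = r"""
TCP: NameServer = 85.255.112.81,85.255.112.148
TCP: {D65371DD-0118-40E1-BBF7-7FDADF553A8F} = 85.255.112.81,85.255.112.148
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
2009-03-26 c:\windows\Tasks\At1.job
- c:\windows\system32\O1t6f2r2.exe [2009-03-26 14:26]
2009-04-12 c:\windows\Tasks\At11.job
- c:\windows\system32\O1t6f2r2.exe [2009-03-26 14:26]
2008-07-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
"""

# Assumed line shapes: "TCP: <key> = ip,ip", "[registry key]", '"name"=dword:xxxxxxxx',
# "<date> <path>\Tasks\<name>.job" followed by "- <target> [<date> <time>]".
NAMESERVER_RE = re.compile(r"^TCP:\s+(?P<key>\S+)\s+=\s+(?P<ips>[\d.,]+)$")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')
JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+\S.*\\Tasks\\(?P<job>[^\\]+\.job)$", re.IGNORECASE)
TARGET_RE = re.compile(r"^-\s+(?P<target>.+?)\s+\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}\]$")

# Security Center values that, when non-zero, stop Windows warning the user
# that antivirus, firewall or updates are off or unmonitored.
SECURITY_CENTER_FLAGS = frozenset(
    {"antivirusdisablenotify", "firewalldisablenotify", "updatesdisablenotify", "disablemonitoring"}
)


def find_unexpected_resolvers(lines, expected_resolvers):
    """(key, [ips]) for each NameServer entry listing a resolver not in the allow-list."""
    findings = []
    for line in lines:
        m = NAMESERVER_RE.match(line)
        if not m:
            continue
        unexpected = [ip for ip in m.group("ips").split(",") if ip not in expected_resolvers]
        if unexpected:
            findings.append((m.group("key"), unexpected))
    return findings


def find_security_center_overrides(lines):
    """(key, value name) for each Security Center notification/monitoring flag set non-zero."""
    findings, current_key = [], None
    for line in lines:
        k = KEY_RE.match(line)
        if k:
            current_key = k.group("key")
            continue
        if current_key is None or "security center" not in current_key.lower():
            continue
        v = DWORD_RE.match(line)
        if v and v.group("name").lower() in SECURITY_CENTER_FLAGS and int(v.group("val"), 16) != 0:
            findings.append((current_key, v.group("name")))
    return findings


def find_task_clusters(lines, min_jobs=2):
    """Map each launched program to the sorted *.job names launching it, keeping only
    programs started by at least min_jobs distinct tasks (the At1..At24 pattern)."""
    by_target, pending_job = defaultdict(set), None
    for line in lines:
        j = JOB_RE.match(line)
        if j:
            pending_job = j.group("job").lower()
            continue
        t = TARGET_RE.match(line)
        if t and pending_job:
            by_target[t.group("target").lower()].add(pending_job)
            pending_job = None
    return {tgt: sorted(jobs) for tgt, jobs in by_target.items() if len(jobs) >= min_jobs}


def triage(log_text, expected_resolvers=frozenset()):
    """Run all three checks over a log and return the findings keyed by check."""
    lines = [ln.strip() for ln in log_text.splitlines()]
    return {
        "resolvers": find_unexpected_resolvers(lines, expected_resolvers),
        "security_center": find_security_center_overrides(lines),
        "task_clusters": find_task_clusters(lines),
    }


if __name__ == "__main__":
    # The allow-list is an assumption: put the router/ISP resolvers the owner knows here.
    for check, items in triage(SAMPLE_LOG, expected_resolvers={"192.168.1.1"}).items():
        print(f"{check}: {items}")
```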

Re: Problem removing a rootkit

Unread postby jmw3 » April 19th, 2009, 1:12 am

Hi
If I could ask you to hold off on running any scans with those new programs. A little more to do :)

CFScript
Close any open browsers.
Open notepad and copy/paste the text in the code box below into it:

http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=41818
Collect::
c:\windows\system32\O1t6f2r2.exe
Folder::
c:\program files\LimeWire
c:\program files\BearShare Applications
File::
C:\sqmdata16.sqm
C:\sqmnoopt16.sqm
C:\sqmnoopt15.sqm
C:\sqmdata14.sqm
C:\sqmnoopt14.sqm
C:\sqmdata13.sqm
C:\sqmnoopt13.sqm
C:\sqmdata12.sqm
C:\sqmnoopt12.sqm
C:\sqmdata11.sqm
C:\sqmnoopt11.sqm
C:\sqmdata10.sqm
C:\sqmnoopt10.sqm
C:\sqmdata09.sqm
C:\sqmnoopt09.sqm
C:\sqmdata08.sqm
C:\sqmnoopt08.sqm
C:\sqmdata07.sqm
C:\sqmnoopt07.sqm
C:\sqmdata06.sqm
C:\sqmnoopt06.sqm
C:\sqmdata05.sqm
C:\sqmnoopt05.sqm
C:\sqmdata04.sqm
C:\sqmnoopt04.sqm
C:\sqmdata03.sqm
C:\sqmnoopt03.sqm
C:\sqmdata02.sqm
C:\sqmnoopt02.sqm
C:\sqmdata01.sqm
C:\sqmnoopt01.sqm
C:\sqmdata00.sqm
C:\sqmnoopt00.sqm
C:\sqmdata19.sqm
C:\sqmnoopt19.sqm
C:\sqmdata18.sqm
C:\sqmnoopt18.sqm
C:\sqmdata17.sqm
C:\sqmnoopt17.sqm
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\William Hill Poker\\UA.exe"=-
AtJob::
DDS::
uSearch Bar = hxxp://mysearch.myway.com/jsp/dellsidebar.jsp?p=DK
uDefault_Page_URL = hxxp://www.dell.co.uk/myway
uURLSearchHooks: N/A: {4d25f926-b9fe-4682-bf72-8ab8210d6d75} - c:\program files\mywaysa\srchasde\deSrcAs.dll
mURLSearchHooks: N/A: {4d25f926-b9fe-4682-bf72-8ab8210d6d75} - c:\program files\mywaysa\srchasde\deSrcAs.dll
BHO: : {4d25f921-b9fe-4682-bf72-8ab8210d6d75} - c:\program files\mywaysa\srchasde\deSrcAs.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - No File
TB: {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - No File
uRun: [eawwi] "c:\documents and settings\home\local settings\application data\eawwi.exe" eawwi
mRun: [Bar] c:\windows\temp\7rUfGeSw.exe
IE: {3015DB92-158E-4b77-9020-85C8E311FBB5} - c:\progra~1\casino~1\Casino.exe
IE: {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - c:\progra~1\pacifi~1\pacificpoker.exe
TCP: NameServer = 85.255.112.81,85.255.112.148
TCP: {D65371DD-0118-40E1-BBF7-7FDADF553A8F} = 85.255.112.81,85.255.112.148

Save this as CFScript.txt, in the same location as ComboFix.exe

Image

Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Update Java Runtime
You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, & also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 13.
  • Download the latest version of Java Runtime Environment (JRE) 6 Here
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 13. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the Download button to the right
  • Select the Windows platform from the dropdown menu
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh
  • Click on the link to download Windows Offline Installation & save the file to your desktop
  • Close any programs you may have running - especially your web browser
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs & remove all older versions of Java
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version
  • Reboot your computer once all Java components are removed
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel
Kaspersky Online Scan
Do an online scan with >Kaspersky Online Scanner<
  • Read through the requirements and privacy statement and click on Accept button
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
  • When the downloads have finished, click on Settings
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan
  • Once the scan is complete, it will display the results. Click on View Scan Report
  • You will see a list of infected items there. Click on Save Report As...
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button
  • Please post this log in your next reply
I might get you to run RootRepeal again following the instructions previously posted.

To post in next reply:
Combofix log
Kaspersky Scan log
New RootRepeal log
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
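The DDS:: lines in the script above carry three indicators a helper normally reads off the log by eye: the machine's DNS resolvers point at addresses it has no business using, two Run entries launch from Temp and from Local Settings\Application Data, and several BHO/toolbar registrations point at files that no longer exist. As an added example, not code from this thread or from the DDS/ComboFix authors, the Python below applies those three checks to DDS-style lines. The sample lines are copied from the script above; the expected-resolver address 192.168.1.1 and the suspicious-directory patterns are assumptions chosen for illustration, not settings taken from the infected machine.

```python
"""Triage DDS-style log lines for the indicators seen in this thread.

Added example, not code from the forum thread or from the DDS/ComboFix
authors.  EXPECTED_RESOLVERS and SUSPICIOUS_DIRS are illustrative
assumptions, not settings read from the machine in the thread.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample input: the DDS:: lines from the CFScript in the post.
SAMPLE_DDS = r"""
uSearch Bar = hxxp://mysearch.myway.com/jsp/dellsidebar.jsp?p=DK
uURLSearchHooks: N/A: {4d25f926-b9fe-4682-bf72-8ab8210d6d75} - c:\program files\mywaysa\srchasde\deSrcAs.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - No File
uRun: [eawwi] "c:\documents and settings\home\local settings\application data\eawwi.exe" eawwi
mRun: [Bar] c:\windows\temp\7rUfGeSw.exe
TCP: NameServer = 85.255.112.81,85.255.112.148
TCP: {D65371DD-0118-40E1-BBF7-7FDADF553A8F} = 85.255.112.81,85.255.112.148
"""

# Assumption: the resolvers this machine should be using (here a home
# router).  Any other address in a NameServer line is reported.
EXPECTED_RESOLVERS = {ipaddress.ip_address("192.168.1.1")}

# Assumption: directories from which a legitimate Run entry rarely starts.
SUSPICIOUS_DIRS = ("\\temp\\", "\\local settings\\application data\\")

NS_RE = re.compile(r"^TCP:\s+(?:NameServer|\{[0-9A-Fa-f-]+\})\s*=\s*(?P<servers>.+)$")
RUN_RE = re.compile(r"^[um]Run:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.+)$")


@dataclass
class Finding:
    kind: str      # "dns", "autorun" or "orphan"
    line: str      # the log line that triggered it
    detail: str    # human-readable explanation


def image_path(command: str) -> str:
    """Return the executable path from a Run value.

    Quoted paths are taken up to the closing quote; unquoted values are
    taken up to the first space, so quote paths that contain spaces.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def check_nameserver(line: str):
    """Flag DNS resolver lines that point anywhere outside EXPECTED_RESOLVERS."""
    m = NS_RE.match(line)
    if not m:
        return None
    unexpected = []
    for token in m.group("servers").split(","):
        token = token.strip()
        try:
            if ipaddress.ip_address(token) not in EXPECTED_RESOLVERS:
                unexpected.append(token)
        except ValueError:          # not an IP literal at all: report it too
            unexpected.append(token)
    if unexpected:
        return Finding("dns", line, "unexpected resolvers: " + ", ".join(unexpected))
    return None


def check_autorun(line: str):
    """Flag Run entries whose image lives in a temp or per-user data folder."""
    m = RUN_RE.match(line)
    if not m:
        return None
    path = image_path(m.group("cmd")).lower()
    if any(marker in path for marker in SUSPICIOUS_DIRS):
        return Finding("autorun", line, f"[{m.group('name')}] starts from {path}")
    return None


def check_orphan(line: str):
    """Flag BHO/toolbar registrations whose file is gone (leftover entries)."""
    if line.rstrip().endswith("- No File"):
        return Finding("orphan", line, "registration points at a missing file")
    return None


def triage(text: str) -> list:
    """Run every check over each non-empty line; the first matching check wins."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        for check in (check_nameserver, check_autorun, check_orphan):
            finding = check(line)
            if finding:
                findings.append(finding)
                break
    return findings


def summary(findings) -> dict:
    """Count findings per kind, e.g. {'dns': 2, 'autorun': 2, 'orphan': 2}."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f.kind:8} {f.detail}")
```

The resolver check is deliberately an allow-list rather than a block-list: a machine's DNS servers should be a small, known set, and anything else is worth a question regardless of whether the address has been seen before. The script only reports; fixing the entries is what the CFScript above hands to ComboFix.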

Re: Problem removing a rootkit

Unread postby alfie » April 20th, 2009, 6:14 pm

Hi jmw
Please find the following as requested
Combofix log
Kaspersky Scan log
New RootRepeal log

ComboFix 09-04-17.01 - HOME 20/04/2009 19:43.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.426 [GMT 1:00]
Running from: c:\documents and settings\HOME\Desktop\commy.exe
Command switches used :: c:\documents and settings\HOME\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point

FILE ::
C:\sqmdata00.sqm
C:\sqmdata01.sqm
C:\sqmdata02.sqm
C:\sqmdata03.sqm
C:\sqmdata04.sqm
C:\sqmdata05.sqm
C:\sqmdata06.sqm
C:\sqmdata07.sqm
C:\sqmdata08.sqm
C:\sqmdata09.sqm
C:\sqmdata10.sqm
C:\sqmdata11.sqm
C:\sqmdata12.sqm
C:\sqmdata13.sqm
C:\sqmdata14.sqm
C:\sqmdata16.sqm
C:\sqmdata17.sqm
C:\sqmdata18.sqm
C:\sqmdata19.sqm
C:\sqmnoopt00.sqm
C:\sqmnoopt01.sqm
C:\sqmnoopt02.sqm
C:\sqmnoopt03.sqm
C:\sqmnoopt04.sqm
C:\sqmnoopt05.sqm
C:\sqmnoopt06.sqm
C:\sqmnoopt07.sqm
C:\sqmnoopt08.sqm
C:\sqmnoopt09.sqm
C:\sqmnoopt10.sqm
C:\sqmnoopt11.sqm
C:\sqmnoopt12.sqm
C:\sqmnoopt13.sqm
C:\sqmnoopt14.sqm
C:\sqmnoopt15.sqm
C:\sqmnoopt16.sqm
C:\sqmnoopt17.sqm
C:\sqmnoopt18.sqm
C:\sqmnoopt19.sqm
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\BearShare Applications
c:\program files\BearShare Applications\BearShare\WMHelper.log
c:\program files\LimeWire
c:\program files\LimeWire\aopalliance.jar.tmp
c:\program files\LimeWire\aopalliance.pack
c:\program files\LimeWire\clink.jar.tmp
c:\program files\LimeWire\clink.pack
c:\program files\LimeWire\commons-httpclient.jar.tmp
c:\program files\LimeWire\commons-httpclient.pack
c:\program files\LimeWire\commons-logging.jar.tmp
c:\program files\LimeWire\commons-logging.pack
c:\program files\LimeWire\commons-net.jar.tmp
c:\program files\LimeWire\commons-net.pack
c:\program files\LimeWire\commons-pool.jar.tmp
c:\program files\LimeWire\commons-pool.pack
c:\program files\LimeWire\daap.jar.tmp
c:\program files\LimeWire\daap.pack
c:\program files\LimeWire\forms.jar.tmp
c:\program files\LimeWire\forms.pack
c:\program files\LimeWire\foxtrot.jar.tmp
c:\program files\LimeWire\foxtrot.pack
c:\program files\LimeWire\gettext-commons.jar.tmp
c:\program files\LimeWire\gettext-commons.pack
c:\program files\LimeWire\guice-1.0.jar.tmp
c:\program files\LimeWire\guice-1.0.pack
c:\program files\LimeWire\httpcore-nio.jar.tmp
c:\program files\LimeWire\httpcore-nio.pack
c:\program files\LimeWire\httpcore.jar.tmp
c:\program files\LimeWire\httpcore.pack
c:\program files\LimeWire\icu4j.jar.tmp
c:\program files\LimeWire\icu4j.pack
c:\program files\LimeWire\id3v2.jar.tmp
c:\program files\LimeWire\id3v2.pack
c:\program files\LimeWire\jcraft.jar.tmp
c:\program files\LimeWire\jcraft.pack
c:\program files\LimeWire\jdic.jar.tmp
c:\program files\LimeWire\jdic.pack
c:\program files\LimeWire\jdic_stub.jar.tmp
c:\program files\LimeWire\jdic_stub.pack
c:\program files\LimeWire\jflac.jar.tmp
c:\program files\LimeWire\jflac.pack
c:\program files\LimeWire\jl.jar.tmp
c:\program files\LimeWire\jl.pack
c:\program files\LimeWire\jmdns.jar.tmp
c:\program files\LimeWire\jmdns.pack
c:\program files\LimeWire\jogg.jar.tmp
c:\program files\LimeWire\jogg.pack
c:\program files\LimeWire\jorbis.jar.tmp
c:\program files\LimeWire\jorbis.pack
c:\program files\LimeWire\lib\UnpackedJars.7z
c:\program files\LimeWire\LimeWire.jar.tmp
c:\program files\LimeWire\log4j.jar.tmp
c:\program files\LimeWire\log4j.pack
c:\program files\LimeWire\looks.jar.tmp
c:\program files\LimeWire\looks.pack
c:\program files\LimeWire\messages.jar.tmp
c:\program files\LimeWire\messages.pack
c:\program files\LimeWire\mp3spi.jar.tmp
c:\program files\LimeWire\mp3spi.pack
c:\program files\LimeWire\ProgressTabs.jar.tmp
c:\program files\LimeWire\ProgressTabs.pack
c:\program files\LimeWire\swt.jar.tmp
c:\program files\LimeWire\swt.pack
c:\program files\LimeWire\themes.jar.tmp
c:\program files\LimeWire\themes.pack
c:\program files\LimeWire\tritonus.jar.tmp
c:\program files\LimeWire\tritonus.pack
c:\program files\LimeWire\vorbisspi.jar.tmp
c:\program files\LimeWire\vorbisspi.pack
C:\sqmdata00.sqm
C:\sqmdata01.sqm
C:\sqmdata02.sqm
C:\sqmdata03.sqm
C:\sqmdata04.sqm
C:\sqmdata05.sqm
C:\sqmdata06.sqm
C:\sqmdata07.sqm
C:\sqmdata08.sqm
C:\sqmdata09.sqm
C:\sqmdata10.sqm
C:\sqmdata11.sqm
C:\sqmdata12.sqm
C:\sqmdata13.sqm
C:\sqmdata14.sqm
C:\sqmdata16.sqm
C:\sqmdata17.sqm
C:\sqmdata18.sqm
C:\sqmdata19.sqm
C:\sqmnoopt00.sqm
C:\sqmnoopt01.sqm
C:\sqmnoopt02.sqm
C:\sqmnoopt03.sqm
C:\sqmnoopt04.sqm
C:\sqmnoopt05.sqm
C:\sqmnoopt06.sqm
C:\sqmnoopt07.sqm
C:\sqmnoopt08.sqm
C:\sqmnoopt09.sqm
C:\sqmnoopt10.sqm
C:\sqmnoopt11.sqm
C:\sqmnoopt12.sqm
C:\sqmnoopt13.sqm
C:\sqmnoopt14.sqm
C:\sqmnoopt15.sqm
C:\sqmnoopt16.sqm
C:\sqmnoopt17.sqm
C:\sqmnoopt18.sqm
C:\sqmnoopt19.sqm
c:\windows\system32\O1t6f2r2.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2009-03-20 to 2009-04-20 )))))))))))))))))))))))))))))))
.

2009-04-17 06:57 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-17 06:57 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 06:57 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-17 06:57 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 06:57 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-17 06:57 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 06:57 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 06:57 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 06:57 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 06:57 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-17 06:55 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-17 06:55 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-17 06:55 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-14 18:24 . 2009-04-14 18:24 0 ----a-w c:\documents and settings\HOME\settings.dat
2009-04-12 10:47 . 1994-09-21 00:00 92208 ----a-w c:\windows\system\WING.DLL
2009-04-12 10:47 . 1994-09-21 00:00 12800 ----a-w c:\windows\system\WING32.DLL
2009-04-01 18:58 . 2009-02-11 09:19 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-01 18:58 . 2009-02-11 09:19 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-01 18:58 . 2009-04-01 18:58 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-01 18:58 . 2009-04-01 18:58 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-01 17:45 . 2009-04-18 15:23 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-01 17:44 . 2009-04-01 17:44 -------- d-----w c:\program files\SpywareBlaster
2009-03-31 19:36 . 2009-03-31 19:36 -------- d-----w c:\windows\system32\scripting
2009-03-31 19:36 . 2009-03-31 19:36 -------- d-----w c:\windows\l2schemas
2009-03-31 19:36 . 2009-03-31 19:36 -------- d-----w c:\windows\system32\en
2009-03-31 19:36 . 2009-03-31 19:36 -------- d-----w c:\windows\system32\bits
2009-03-31 19:34 . 2009-03-31 19:34 -------- d-----w c:\windows\ServicePackFiles
2009-03-30 18:13 . 2009-03-30 18:13 -------- d-----w c:\program files\Sophos
2009-03-28 17:27 . 2009-03-28 17:27 -------- d-----w c:\documents and settings\All Users\Application Data\Citrix
2009-03-28 16:50 . 2009-03-28 16:50 -------- d-----w c:\documents and settings\HOME\Local Settings\Application Data\Citrix
2009-03-28 16:50 . 2009-03-28 16:50 61224 ----a-w c:\documents and settings\HOME\GoToAssistDownloadHelper.exe
2009-03-28 15:01 . 2009-03-28 15:01 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-03-26 20:55 . 2009-03-26 20:55 -------- d--h--w c:\windows\system32\GroupPolicy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-20 18:14 . 2008-03-13 15:55 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-17 06:56 . 2006-01-18 11:23 -------- d-----w c:\program files\McAfee
2009-04-15 20:51 . 2008-02-03 19:33 -------- d-----w c:\documents and settings\All Users\Application Data\Napster
2009-04-01 18:49 . 2006-02-04 13:02 5956 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-04-01 18:49 . 2006-02-04 13:02 50376 ----a-w c:\documents and settings\HOME\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-31 19:39 . 2004-08-11 17:14 88499 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-03-31 19:32 . 2004-08-11 17:00 250048 --sha-r C:\ntldr
2009-03-28 15:49 . 2008-07-28 14:37 -------- d-----w c:\program files\Bonjour
2009-03-26 20:33 . 2009-02-03 14:31 -------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-03-25 10:06 . 2007-02-17 11:09 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 10:06 . 2007-02-17 11:09 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-03-25 10:06 . 2007-02-17 11:09 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-03-25 10:06 . 2007-02-17 11:09 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 10:05 . 2007-02-17 11:09 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-03-24 18:38 . 2007-12-03 19:49 268 ---ha-w C:\sqmdata15.sqm
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\system32\dllcache\kernel32.dll
2009-03-19 13:47 . 2009-03-19 13:47 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\SACore
2009-03-07 19:39 . 2006-01-18 11:23 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-03-06 14:22 . 2004-08-11 17:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-05-10 05:25 826368 ----a-w c:\windows\system32\dllcache\wininet.dll
2009-03-03 00:18 . 2004-08-11 17:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 04:54 . 2004-08-11 17:12 636072 ----a-w c:\windows\system32\dllcache\iexplore.exe
2009-02-20 10:20 . 2007-05-09 18:37 13824 ------w c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 10:20 . 2006-11-07 03:26 70656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 05:14 . 2006-11-07 03:25 161792 ------w c:\windows\system32\dllcache\ieakui.dll
2009-02-09 12:10 . 2004-08-11 17:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-11 17:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-11 17:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-11 17:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2008-10-16 11:27 1846784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 11:13 . 2004-08-11 17:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 18:02 . 2008-10-16 11:27 2066048 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-11 17:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2008-10-16 11:27 2189056 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 11:06 . 2008-10-16 11:27 2145280 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 11:06 . 2004-08-11 17:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-11 17:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2008-10-16 11:27 2023936 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\system32\dllcache\secur32.dll
2009-02-03 19:59 . 2004-08-11 17:00 56832 ----a-w c:\windows\system32\secur32.dll
2006-10-29 17:29 . 2006-10-29 17:29 49600 ----a-w c:\documents and settings\HOME\Application Data\GDIPFONTCACHEV1.DAT
2006-04-06 06:59 . 2006-04-06 06:59 127 ----a-w c:\documents and settings\HOME\Local Settings\Application Data\fusioncache.dat
2006-07-11 18:54 . 2006-07-11 18:54 56 --sh--r c:\windows\system32\E48057C54E.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-04-18_15.40.14 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-11 17:00 . 2008-04-14 00:12 90112 c:\windows\system32\wshext.dll
+ 2004-08-11 17:00 . 2008-05-09 10:53 90112 c:\windows\system32\wshext.dll
+ 2006-01-28 16:50 . 2008-07-09 07:38 26488 c:\windows\system32\spupdsvc.exe
- 2006-01-28 16:50 . 2007-08-10 19:46 26488 c:\windows\system32\spupdsvc.exe
- 2004-08-11 17:00 . 2008-12-20 23:15 44544 c:\windows\system32\pngfilt.dll
+ 2004-08-11 17:00 . 2009-02-20 18:09 44544 c:\windows\system32\pngfilt.dll
- 2004-08-11 17:00 . 2009-04-18 15:39 53436 c:\windows\system32\perfc009.dat
+ 2004-08-11 17:00 . 2009-04-20 18:18 53436 c:\windows\system32\perfc009.dat
- 2004-08-11 17:11 . 2008-04-14 00:12 91648 c:\windows\system32\mtxoci.dll
+ 2004-08-11 17:11 . 2008-06-12 14:23 91648 c:\windows\system32\mtxoci.dll
- 2004-08-11 17:00 . 2008-04-14 00:12 66560 c:\windows\system32\mtxclu.dll
+ 2004-08-11 17:00 . 2008-06-12 14:23 66560 c:\windows\system32\mtxclu.dll
+ 2006-11-07 21:03 . 2009-02-20 18:09 52224 c:\windows\system32\msfeedsbs.dll
- 2006-11-07 21:03 . 2008-12-20 23:15 52224 c:\windows\system32\msfeedsbs.dll
+ 2004-08-11 17:11 . 2008-06-12 14:23 58880 c:\windows\system32\msdtclog.dll
- 2004-08-11 17:11 . 2008-04-14 00:11 58880 c:\windows\system32\msdtclog.dll
+ 2004-08-11 17:00 . 2009-02-20 18:09 27648 c:\windows\system32\jsproxy.dll
- 2004-08-11 17:00 . 2008-12-20 23:15 27648 c:\windows\system32\jsproxy.dll
- 2006-11-07 03:26 . 2008-12-19 09:10 13824 c:\windows\system32\ieudinit.exe
+ 2006-11-07 03:26 . 2009-02-20 10:20 13824 c:\windows\system32\ieudinit.exe
+ 2004-08-11 17:00 . 2009-02-20 18:09 44544 c:\windows\system32\iernonce.dll
- 2004-08-11 17:00 . 2008-12-20 23:15 44544 c:\windows\system32\iernonce.dll
+ 2004-08-11 17:00 . 2009-02-20 18:09 78336 c:\windows\system32\ieencode.dll
- 2004-08-11 17:00 . 2008-12-19 09:10 70656 c:\windows\system32\ie4uinit.exe
+ 2004-08-11 17:00 . 2009-02-20 10:20 70656 c:\windows\system32\ie4uinit.exe
+ 2006-10-17 11:58 . 2009-02-20 18:09 63488 c:\windows\system32\icardie.dll
- 2006-10-17 11:58 . 2008-12-20 23:15 63488 c:\windows\system32\icardie.dll
+ 2008-05-09 10:53 . 2008-05-09 10:53 90112 c:\windows\system32\dllcache\wshext.dll
+ 2006-05-10 05:25 . 2009-02-20 18:09 44544 c:\windows\system32\dllcache\pngfilt.dll
- 2006-05-10 05:25 . 2008-12-20 23:15 44544 c:\windows\system32\dllcache\pngfilt.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 91648 c:\windows\system32\dllcache\mtxoci.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 66560 c:\windows\system32\dllcache\mtxclu.dll
- 2007-05-09 18:37 . 2008-12-20 23:15 52224 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2007-05-09 18:37 . 2009-02-20 18:09 52224 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 58880 c:\windows\system32\dllcache\msdtclog.dll
- 2006-05-10 05:25 . 2008-12-20 23:15 27648 c:\windows\system32\dllcache\jsproxy.dll
+ 2006-05-10 05:25 . 2009-02-20 18:09 27648 c:\windows\system32\dllcache\jsproxy.dll
- 2006-11-07 03:26 . 2008-12-20 23:15 44544 c:\windows\system32\dllcache\iernonce.dll
+ 2006-11-07 03:26 . 2009-02-20 18:09 44544 c:\windows\system32\dllcache\iernonce.dll
+ 2009-02-20 18:09 . 2009-02-20 18:09 78336 c:\windows\system32\dllcache\ieencode.dll
+ 2007-08-20 10:04 . 2009-02-20 18:09 63488 c:\windows\system32\dllcache\icardie.dll
- 2007-08-20 10:04 . 2008-12-20 23:15 63488 c:\windows\system32\dllcache\icardie.dll
- 2006-01-22 17:14 . 2009-04-18 15:29 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-01-22 17:14 . 2009-04-20 18:20 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-01-22 17:14 . 2009-04-18 15:29 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-01-22 17:14 . 2009-04-20 18:20 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-01-22 17:14 . 2009-04-18 15:29 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2006-01-22 17:14 . 2009-04-20 18:20 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-04-18 17:41 . 2008-12-20 23:15 44544 c:\windows\ie7updates\KB963027-IE7\pngfilt.dll
+ 2009-04-18 17:41 . 2008-12-20 23:15 52224 c:\windows\ie7updates\KB963027-IE7\msfeedsbs.dll
+ 2009-04-18 17:41 . 2008-12-20 23:15 27648 c:\windows\ie7updates\KB963027-IE7\jsproxy.dll
+ 2009-04-18 17:41 . 2008-12-19 09:10 13824 c:\windows\ie7updates\KB963027-IE7\ieudinit.exe
+ 2009-04-18 17:41 . 2008-12-20 23:15 44544 c:\windows\ie7updates\KB963027-IE7\iernonce.dll
+ 2009-04-18 17:41 . 2008-04-14 00:11 81920 c:\windows\ie7updates\KB963027-IE7\ieencode.dll
+ 2009-04-18 17:41 . 2008-12-19 09:10 70656 c:\windows\ie7updates\KB963027-IE7\ie4uinit.exe
+ 2009-04-18 17:41 . 2008-12-20 23:15 63488 c:\windows\ie7updates\KB963027-IE7\icardie.dll
- 2004-08-11 17:00 . 2008-04-14 00:12 155648 c:\windows\system32\wscript.exe
+ 2004-08-11 17:00 . 2008-05-08 11:24 155648 c:\windows\system32\wscript.exe
+ 2004-08-11 17:00 . 2008-12-16 12:30 354304 c:\windows\system32\winhttp.dll
- 2004-08-11 17:00 . 2008-04-14 00:12 354304 c:\windows\system32\winhttp.dll
- 2004-08-11 17:00 . 2008-12-20 23:15 233472 c:\windows\system32\webcheck.dll
+ 2004-08-11 17:00 . 2009-02-20 18:09 233472 c:\windows\system32\webcheck.dll
+ 2004-08-11 17:11 . 2009-02-06 10:10 227840 c:\windows\system32\wbem\wmiprvse.exe
+ 2004-08-11 17:11 . 2009-02-09 12:10 453120 c:\windows\system32\wbem\wmiprvsd.dll
+ 2004-08-11 17:11 . 2009-02-09 12:10 473600 c:\windows\system32\wbem\fastprox.dll
+ 2004-08-11 17:00 . 2008-05-09 10:53 430080 c:\windows\system32\vbscript.dll
+ 2004-08-11 17:00 . 2009-02-20 18:09 105984 c:\windows\system32\url.dll
- 2004-08-11 17:00 . 2008-12-20 23:15 105984 c:\windows\system32\url.dll
- 2004-08-11 17:00 . 2008-04-14 00:12 172032 c:\windows\system32\scrrun.dll
+ 2004-08-11 17:00 . 2008-05-09 10:53 172032 c:\windows\system32\scrrun.dll
+ 2004-08-11 17:00 . 2008-05-09 10:53 180224 c:\windows\system32\scrobj.dll
- 2004-08-11 17:00 . 2008-04-14 00:12 180224 c:\windows\system32\scrobj.dll
- 2004-08-11 17:00 . 2009-04-18 15:39 381692 c:\windows\system32\perfh009.dat
+ 2004-08-11 17:00 . 2009-04-20 18:18 381692 c:\windows\system32\perfh009.dat
+ 2004-08-11 17:00 . 2009-02-20 18:09 102912 c:\windows\system32\occache.dll
- 2004-08-11 17:00 . 2008-12-20 23:15 102912 c:\windows\system32\occache.dll
+ 2004-08-11 17:00 . 2009-02-20 18:09 671232 c:\windows\system32\mstime.dll
- 2004-08-11 17:00 . 2008-12-20 23:15 671232 c:\windows\system32\mstime.dll
+ 2004-08-11 17:00 . 2009-02-20 18:09 193024 c:\windows\system32\msrating.dll
- 2004-08-11 17:00 . 2008-12-20 23:15 193024 c:\windows\system32\msrating.dll
- 2004-08-11 17:00 . 2008-12-20 23:15 477696 c:\windows\system32\mshtmled.dll
+ 2004-08-11 17:00 . 2009-02-20 18:09 477696 c:\windows\system32\mshtmled.dll
- 2006-11-07 21:03 . 2008-12-20 23:15 459264 c:\windows\system32\msfeeds.dll
+ 2006-11-07 21:03 . 2009-02-20 18:09 459264 c:\windows\system32\msfeeds.dll
+ 2004-08-11 17:11 . 2008-06-12 14:23 161792 c:\windows\system32\msdtcuiu.dll
- 2004-08-11 17:11 . 2008-04-14 00:11 161792 c:\windows\system32\msdtcuiu.dll
+ 2004-08-11 17:11 . 2008-06-12 14:23 956928 c:\windows\system32\msdtctm.dll
- 2004-08-11 17:11 . 2008-04-14 00:11 956928 c:\windows\system32\msdtctm.dll
+ 2004-08-11 17:11 . 2008-06-12 14:23 428032 c:\windows\system32\msdtcprx.dll
- 2004-08-11 17:00 . 2008-04-14 00:11 989696 c:\windows\system32\kernel32.dll
+ 2004-08-11 17:00 . 2009-03-21 14:06 989696 c:\windows\system32\kernel32.dll
- 2004-08-11 17:00 . 2008-04-14 00:11 512000 c:\windows\system32\jscript.dll
+ 2004-08-11 17:00 . 2008-05-09 10:53 512000 c:\windows\system32\jscript.dll
+ 2006-10-17 11:57 . 2009-02-20 18:09 268288 c:\windows\system32\iertutil.dll
+ 2004-08-11 17:00 . 2009-02-20 18:09 385024 c:\windows\system32\iedkcs32.dll
+ 2006-10-17 11:27 . 2009-02-20 18:09 383488 c:\windows\system32\ieapfltr.dll
- 2006-10-17 11:27 . 2008-12-20 23:15 383488 c:\windows\system32\ieapfltr.dll
- 2004-08-11 17:00 . 2008-12-19 05:23 161792 c:\windows\system32\ieakui.dll
+ 2004-08-11 17:00 . 2009-02-20 05:14 161792 c:\windows\system32\ieakui.dll
- 2004-08-11 17:00 . 2008-12-20 23:15 230400 c:\windows\system32\ieaksie.dll
+ 2004-08-11 17:00 . 2009-02-20 18:09 230400 c:\windows\system32\ieaksie.dll
- 2004-08-11 17:00 . 2008-12-20 23:15 153088 c:\windows\system32\ieakeng.dll
+ 2004-08-11 17:00 . 2009-02-20 18:09 153088 c:\windows\system32\ieakeng.dll
- 2004-08-11 17:00 . 2008-12-20 23:15 133120 c:\windows\system32\extmgr.dll
+ 2004-08-11 17:00 . 2009-02-20 18:09 133120 c:\windows\system32\extmgr.dll
- 2004-08-11 17:00 . 2008-12-20 23:15 214528 c:\windows\system32\dxtrans.dll
+ 2004-08-11 17:00 . 2009-02-20 18:09 214528 c:\windows\system32\dxtrans.dll
- 2004-08-11 17:00 . 2008-12-20 23:15 347136 c:\windows\system32\dxtmsft.dll
+ 2004-08-11 17:00 . 2009-02-20 18:09 347136 c:\windows\system32\dxtmsft.dll
+ 2008-05-08 11:24 . 2008-05-08 11:24 155648 c:\windows\system32\dllcache\wscript.exe
+ 2008-12-16 12:30 . 2008-12-16 12:30 354304 c:\windows\system32\dllcache\winhttp.dll
+ 2006-11-07 21:03 . 2009-02-20 18:09 233472 c:\windows\system32\dllcache\webcheck.dll
- 2006-11-07 21:03 . 2008-12-20 23:15 233472 c:\windows\system32\dllcache\webcheck.dll
+ 2008-05-09 10:53 . 2008-05-09 10:53 430080 c:\windows\system32\dllcache\vbscript.dll
- 2006-10-17 12:05 . 2008-12-20 23:15 105984 c:\windows\system32\dllcache\url.dll
+ 2006-10-17 12:05 . 2009-02-20 18:09 105984 c:\windows\system32\dllcache\url.dll
+ 2008-05-09 10:53 . 2008-05-09 10:53 172032 c:\windows\system32\dllcache\scrrun.dll
+ 2008-05-09 10:53 . 2008-05-09 10:53 180224 c:\windows\system32\dllcache\scrobj.dll
- 2006-10-17 12:04 . 2008-12-20 23:15 102912 c:\windows\system32\dllcache\occache.dll
+ 2006-10-17 12:04 . 2009-02-20 18:09 102912 c:\windows\system32\dllcache\occache.dll
- 2006-05-10 05:25 . 2008-12-20 23:15 671232 c:\windows\system32\dllcache\mstime.dll
+ 2006-05-10 05:25 . 2009-02-20 18:09 671232 c:\windows\system32\dllcache\mstime.dll
- 2006-05-10 05:25 . 2008-12-20 23:15 193024 c:\windows\system32\dllcache\msrating.dll
+ 2006-05-10 05:25 . 2009-02-20 18:09 193024 c:\windows\system32\dllcache\msrating.dll
- 2006-05-10 05:25 . 2008-12-20 23:15 477696 c:\windows\system32\dllcache\mshtmled.dll
+ 2006-05-10 05:25 . 2009-02-20 18:09 477696 c:\windows\system32\dllcache\mshtmled.dll
+ 2007-05-09 18:37 . 2009-02-20 18:09 459264 c:\windows\system32\dllcache\msfeeds.dll
- 2007-05-09 18:37 . 2008-12-20 23:15 459264 c:\windows\system32\dllcache\msfeeds.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 161792 c:\windows\system32\dllcache\msdtcuiu.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 956928 c:\windows\system32\dllcache\msdtctm.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 428032 c:\windows\system32\dllcache\msdtcprx.dll
+ 2008-05-09 10:53 . 2008-05-09 10:53 512000 c:\windows\system32\dllcache\jscript.dll
+ 2007-05-09 18:37 . 2009-02-20 18:09 268288 c:\windows\system32\dllcache\iertutil.dll
+ 2006-11-07 03:27 . 2009-02-20 18:09 385024 c:\windows\system32\dllcache\iedkcs32.dll
+ 2007-05-09 18:37 . 2009-02-20 18:09 383488 c:\windows\system32\dllcache\ieapfltr.dll
- 2007-05-09 18:37 . 2008-12-20 23:15 383488 c:\windows\system32\dllcache\ieapfltr.dll
- 2006-11-07 03:27 . 2008-12-20 23:15 230400 c:\windows\system32\dllcache\ieaksie.dll
+ 2006-11-07 03:27 . 2009-02-20 18:09 230400 c:\windows\system32\dllcache\ieaksie.dll
- 2006-11-07 03:26 . 2008-12-20 23:15 153088 c:\windows\system32\dllcache\ieakeng.dll
+ 2006-11-07 03:26 . 2009-02-20 18:09 153088 c:\windows\system32\dllcache\ieakeng.dll
- 2006-05-10 05:25 . 2008-12-20 23:15 133120 c:\windows\system32\dllcache\extmgr.dll
+ 2006-05-10 05:25 . 2009-02-20 18:09 133120 c:\windows\system32\dllcache\extmgr.dll
- 2006-05-10 05:25 . 2008-12-20 23:15 214528 c:\windows\system32\dllcache\dxtrans.dll
+ 2006-05-10 05:25 . 2009-02-20 18:09 214528 c:\windows\system32\dllcache\dxtrans.dll
+ 2006-05-10 05:25 . 2009-02-20 18:09 347136 c:\windows\system32\dllcache\dxtmsft.dll
- 2006-05-10 05:25 . 2008-12-20 23:15 347136 c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-05-07 09:07 . 2008-05-07 09:07 135168 c:\windows\system32\dllcache\cscript.exe
- 2006-11-07 03:26 . 2008-12-20 23:15 124928 c:\windows\system32\dllcache\advpack.dll
+ 2006-11-07 03:26 . 2009-02-20 18:09 124928 c:\windows\system32\dllcache\advpack.dll
+ 2004-08-11 17:00 . 2008-05-07 09:07 135168 c:\windows\system32\cscript.exe
- 2004-08-11 17:00 . 2008-12-20 23:15 124928 c:\windows\system32\advpack.dll
+ 2004-08-11 17:00 . 2009-02-20 18:09 124928 c:\windows\system32\advpack.dll
+ 2009-04-18 17:41 . 2008-12-20 23:15 826368 c:\windows\ie7updates\KB963027-IE7\wininet.dll
+ 2009-04-18 17:41 . 2008-12-20 23:15 233472 c:\windows\ie7updates\KB963027-IE7\webcheck.dll
+ 2009-04-18 17:41 . 2008-12-20 23:15 105984 c:\windows\ie7updates\KB963027-IE7\url.dll
+ 2009-04-18 17:41 . 2008-07-09 07:38 382840 c:\windows\ie7updates\KB963027-IE7\spuninst\updspapi.dll
+ 2009-04-18 17:41 . 2008-07-08 13:02 231288 c:\windows\ie7updates\KB963027-IE7\spuninst\spuninst.exe
+ 2009-04-18 17:41 . 2008-12-20 23:15 102912 c:\windows\ie7updates\KB963027-IE7\occache.dll
+ 2009-04-18 17:41 . 2008-12-20 23:15 671232 c:\windows\ie7updates\KB963027-IE7\mstime.dll
+ 2009-04-18 17:41 . 2008-12-20 23:15 193024 c:\windows\ie7updates\KB963027-IE7\msrating.dll
+ 2009-04-18 17:41 . 2008-12-20 23:15 477696 c:\windows\ie7updates\KB963027-IE7\mshtmled.dll
+ 2009-04-18 17:41 . 2008-12-20 23:15 459264 c:\windows\ie7updates\KB963027-IE7\msfeeds.dll
+ 2009-04-18 17:41 . 2008-12-19 05:25 634024 c:\windows\ie7updates\KB963027-IE7\iexplore.exe
+ 2009-04-18 17:41 . 2008-12-20 23:15 267776 c:\windows\ie7updates\KB963027-IE7\iertutil.dll
+ 2009-04-18 17:41 . 2008-12-20 23:15 384512 c:\windows\ie7updates\KB963027-IE7\iedkcs32.dll
+ 2009-04-18 17:41 . 2008-12-20 23:15 383488 c:\windows\ie7updates\KB963027-IE7\ieapfltr.dll
+ 2009-04-18 17:41 . 2008-12-19 05:23 161792 c:\windows\ie7updates\KB963027-IE7\ieakui.dll
+ 2009-04-18 17:41 . 2008-12-20 23:15 230400 c:\windows\ie7updates\KB963027-IE7\ieaksie.dll
+ 2009-04-18 17:41 . 2008-12-20 23:15 153088 c:\windows\ie7updates\KB963027-IE7\ieakeng.dll
+ 2009-04-18 17:41 . 2008-12-20 23:15 133120 c:\windows\ie7updates\KB963027-IE7\extmgr.dll
+ 2009-04-18 17:41 . 2008-12-20 23:15 214528 c:\windows\ie7updates\KB963027-IE7\dxtrans.dll
+ 2009-04-18 17:41 . 2008-12-20 23:15 347136 c:\windows\ie7updates\KB963027-IE7\dxtmsft.dll
+ 2009-04-18 17:41 . 2008-12-20 23:15 124928 c:\windows\ie7updates\KB963027-IE7\advpack.dll
+ 2004-08-11 17:00 . 2009-02-20 18:09 1160192 c:\windows\system32\urlmon.dll
- 2004-08-11 17:00 . 2008-12-20 23:15 1160192 c:\windows\system32\urlmon.dll
+ 2004-08-11 17:00 . 2008-12-20 22:14 1288192 c:\windows\system32\quartz.dll
- 2004-08-11 17:00 . 2008-05-07 05:12 1288192 c:\windows\system32\quartz.dll
+ 2008-09-28 14:27 . 2008-09-10 01:14 1307648 c:\windows\system32\msxml6.dll
+ 2004-08-11 17:00 . 2009-02-20 18:09 3595264 c:\windows\system32\mshtml.dll
+ 2006-11-07 21:03 . 2009-02-20 18:09 6066176 c:\windows\system32\ieframe.dll
- 2006-09-05 23:01 . 2007-04-17 09:28 2455488 c:\windows\system32\ieapfltr.dat
+ 2006-09-05 23:01 . 2008-07-09 14:25 2455488 c:\windows\system32\ieapfltr.dat
+ 2006-05-10 05:25 . 2009-02-20 18:09 1160192 c:\windows\system32\dllcache\urlmon.dll
- 2006-05-10 05:25 . 2008-12-20 23:15 1160192 c:\windows\system32\dllcache\urlmon.dll
+ 2008-05-07 05:12 . 2008-12-20 22:14 1288192 c:\windows\system32\dllcache\quartz.dll
- 2008-05-07 05:12 . 2008-05-07 05:12 1288192 c:\windows\system32\dllcache\quartz.dll
+ 2008-09-28 14:27 . 2008-09-10 01:14 1307648 c:\windows\system32\dllcache\msxml6.dll
+ 2006-05-19 15:06 . 2009-02-20 18:09 3595264 c:\windows\system32\dllcache\mshtml.dll
+ 2007-05-09 18:37 . 2009-02-20 18:09 6066176 c:\windows\system32\dllcache\ieframe.dll
- 2007-05-09 18:37 . 2007-04-17 09:28 2455488 c:\windows\system32\dllcache\ieapfltr.dat
+ 2007-05-09 18:37 . 2008-07-09 14:25 2455488 c:\windows\system32\dllcache\ieapfltr.dat
+ 2009-04-18 17:41 . 2008-12-20 23:15 1160192 c:\windows\ie7updates\KB963027-IE7\urlmon.dll
+ 2009-04-18 17:41 . 2009-01-16 21:35 3594752 c:\windows\ie7updates\KB963027-IE7\mshtml.dll
+ 2009-04-18 17:41 . 2008-12-20 23:15 6066688 c:\windows\ie7updates\KB963027-IE7\ieframe.dll
+ 2009-04-18 17:41 . 2007-04-17 09:28 2455488 c:\windows\ie7updates\KB963027-IE7\ieapfltr.dat
+ 2008-10-16 11:27 . 2009-02-06 11:08 2189056 c:\windows\Driver Cache\i386\ntoskrnl.exe
- 2008-10-16 11:27 . 2008-08-14 09:33 2023936 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-10-16 11:27 . 2009-02-06 10:32 2023936 c:\windows\Driver Cache\i386\ntkrpamp.exe
- 2008-10-16 11:27 . 2008-08-14 09:33 2066048 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2008-10-16 11:27 . 2009-02-07 18:02 2066048 c:\windows\Driver Cache\i386\ntkrnlpa.exe
- 2008-10-16 11:27 . 2008-08-14 10:09 2145280 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2008-10-16 11:27 . 2009-02-06 11:06 2145280 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2006-02-25 10:51 . 2009-04-06 14:57 24921544 c:\windows\system32\MRT.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-01-12 4898816]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-13 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 144784]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 94208]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 106496]
"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2006-01-07 81920]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-01-20 200704]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-13 185896]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-01-12 4898816]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-1-18 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R3 MEMSWEEP2;MEMSWEEP2; [x]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]

.
Contents of the 'Scheduled Tasks' folder

2008-07-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2009-04-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-03-02 14:23]

2007-02-17 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-17 10:53]

2007-09-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-17 10:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.orange.co.uk/all?brand=ou ... &p=_adr&q={searchTerms}
mWindow Title = Microsoft Internet Explorer Provided by Wanadoo
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Search with Wanadoo - c:\windows\system32\WSBar.dll/VSearch.htm
TCP: {D2B791E6-E135-46B4-B4B9-21DFC75773DD} = 195.92.195.90 195.92.195.91
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-20 19:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\21.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,c4,d2,e1,bc,1d,
a5,01,21,c8,28,51,af,b0,29,a3,98,64,51,e1,45,6a,9d,f1,89,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,5a,a7,c5,ae,89,
b0,6c,30,71,3b,04,66,8b,46,0d,96,79,f9,b9,e8,2f,bb,cf,51,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,a8,cb,6b,43,0f,
ff,34,2a,25,da,ec,7e,55,20,c9,26,71,18,49,a9,9b,cb,85,84,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,68,f9,d1,c5,97,
30,c6,0a,3e,1e,9e,e0,57,5a,93,61,60,6f,e2,43,5b,5e,e4,4b,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,54,a3,77,ac,f0,
11,7c,a8,cd,44,cd,b9,a6,33,6c,cd,9f,3f,e3,21,c9,52,13,70,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,b4,ad,82,16,af,
96,02,5c,b0,18,ed,a7,3f,8d,37,a4,d8,3c,8e,23,f7,dc,45,98,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,54,95,03,58,ee,
d0,65,22,31,77,e1,ba,b1,f8,68,02,7d,7f,2d,19,6e,27,80,ad,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,82,4b,7e,d0,4a,
84,d3,4e,83,6c,56,8b,a0,85,96,ab,d4,88,24,f0,90,55,ab,16,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,25,b4,0f,40,6b,
ec,e4,0e,51,fa,6e,91,28,9e,14,cc,38,c0,71,f6,69,27,aa,a8,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,71,cc,60,51,72,
17,2d,a7,b1,cd,45,5a,a8,c4,f8,b9,48,f2,fa,2d,66,e3,5c,82,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,35,a0,e3,ee,f9,
b8,cc,d2,e3,0e,66,d5,eb,bc,2f,6b,8f,06,d4,89,b7,be,74,02,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:05,73,21,dd,54,d8,4a,c5,d2,42,58,d1,5d,
be,5a,1a,fa,ea,66,7f,d4,3b,6b,70,08,d8,e8,a9,8c,4a,03,5f,6c,43,2d,1e,aa,22,\
.
Completion time: 2009-04-20 19:49
ComboFix-quarantined-files.txt 2009-04-20 18:49
ComboFix2.txt 2009-04-18 15:42

Pre-Run: 30,193,188,864 bytes free
Post-Run: 30,178,385,920 bytes free

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
632 --- E O F --- 2009-04-19 10:30


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, April 20, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, April 20, 2009 20:18:21
Records in database: 2063871
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 87059
Threat name: 3
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 01:25:42


File name / Threat name / Threats count
C:\Documents and Settings\HOME\My Documents\LimeWire\Saved\bassline house cute girl has orgasm on webcam.mp3 Infected: Trojan-Downloader.WMA.Wimad.o 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gaopdxglavldqsnsdfuiuwyowlfdyidhhbgiwd.dll.vir Infected: Trojan.Win32.Agent2.gxn 1
C:\Qoobox\Quarantine\[4]-Submit_2009-04-20@19.43.zip Infected: Trojan-Downloader.Win32.Agent.bpdk 1

The selected area was scanned.


ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time: 2009/04/20 22:59
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA44E000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A4E000 Size: 8192 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8F1F000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\sqlite_kNOpFd5KIr63LmB
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\sqlite_w2qiUd6qpxqcIMs
Status: Allocation size mismatch (API: 4096, Raw: 0)


Thanks again
alfie
Active Member
Posts: 9
Joined: April 12th, 2009, 8:40 am

Re: Problem removing a rootkit

Post by jmw3 » April 23rd, 2009, 8:10 am

Hello alfie
First off... my apologies for not posting sooner. I've had phone line issues that ultimately led to no internet connection until now.

View Hidden Files & Folders Windows XP
To view Hidden Files & Folders do the following:
  • Click Start
  • Open My Computer
  • Select the Tools menu and click Folder Options
  • Select the View Tab
  • Under the Hidden files and folders heading select Show hidden files and folders
  • Uncheck the Hide protected operating system files (recommended) option
  • Click Yes to confirm
  • Click OK

Upload Files for Scanning
Go to VirSCAN & upload the following File & Path for scanning.
  • Copy & paste the following File & Path in the text box next to the Browse button.
    c:\windows\system32\E48057C54E.sys
  • Click Upload.
  • Wait for scans to finish then copy & paste the results into your next reply.

Delete Files
Using Windows Explorer (right-click the Start button and left-click Explore), navigate to and find the following files; if found, delete them (some may not be present after previous steps):

C:\Documents and Settings\HOME\My Documents\LimeWire\Saved\bassline house cute girl has orgasm on webcam.mp3

Your last Combofix log is showing quite a few ControlSets. Something is blocking Windows from housekeeping.

Gmer
Download gmer.zip from Gmer here & save it to your desktop.
  • Right click on gmer.zip, select Extract All... & extract the contents to your desktop
  • Double click the Gmer.exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Note: Do not run any programs while Gmer is running.

To post in next reply:
Results from VirSCAN
Gmer log
jmw3
MRU Emeritus
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Problem removing a rootkit

Post by alfie » April 24th, 2009, 5:24 pm

Hi jmw
Thanks for getting back to me. It must have been a pain without a phone line.
Please see logs as requested.
I must also mention that from the 27th April to 2nd May I will not have access to my pc to carry out any scans etc.
Do I need to post a reply to prevent the topic from being closed?
Thanks


VirSCAN.org Scanned Report :
Scanned time : 2009/04/24 18:00:14 (BST)
Scanner results: All Scanners reported not find malware!
File Name : E48057C54E.sys
File Size : 56 byte
File Type : data
MD5 : b9b8bedb40bfe1077b40f471801af67a
SHA1 : 426ee4680a0fe512b4f54066e20e49056382bd15
Online report : http://virscan.org/report/d660ae705214f ... f61f6.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.32 20090424020229 2009-04-24 1.96 -
AhnLab V3 2009.04.25.00 2009.04.25 2009-04-25 0.72 -
AntiVir 7.9.0.155 7.1.3.107 2009-04-24 2.12 -
Antiy 2.0.18 20090423.2316706 2009-04-23 0.13 -
Arcavir 2009 200904240931 2009-04-24 0.02 -
Authentium 5.1.1 200904231938 2009-04-23 1.16 -
AVAST! 3.0.1 090423-0 2009-04-23 0.00 -
AVG 7.5.52.442 270.12.4/2078 2009-04-24 2.00 -
BitDefender 7.81008.2850163 7.24986 2009-04-24 2.67 -
CA (VET) 9.0.0.143 31.6.6473 2009-04-24 26.09 -
ClamAV 0.95 9283 2009-04-24 0.01 -
Comodo 3.8 1133 2009-04-24 1.22 -
CP Secure 1.1.0.715 2009.04.24 2009-04-24 8.52 -
Dr.Web 4.44.0.9170 2009.04.24 2009-04-24 4.42 -
F-Prot 4.4.4.56 20090423 2009-04-23 1.11 -
F-Secure 5.51.6100 2009.04.24.08 2009-04-24 5.21 -
Fortinet 2.81-3.117 10.315 2009-04-24 0.21 -
GData 19.4833/19.308 20090424 2009-04-24 4.25 -
ViRobot 20090424 2009.04.24 2009-04-24 0.96 -
Ikarus T3.1.01.49 2009.04.24.72626 2009-04-24 2.72 -
JiangMin 11.0.706 2009.04.24 2009-04-24 4.76 -
Kaspersky 5.5.10 2009.04.24 2009-04-24 0.02 -
KingSoft 2009.2.5.15 2009.4.24.21 2009-04-24 3.17 -
McAfee 5.3.00 5594 2009-04-23 2.75 -
Microsoft 1.4602 2009.04.24 2009-04-24 7.65 -
mks_vir 2.01 2009.04.24 2009-04-24 2.68 -
Norman 6.00.06 6.00.00 2009-04-24 10.01 -
Panda 9.05.01 2009.04.24 2009-04-24 8.19 -
Trend Micro 8.700-1004 5.984.02 2009-04-24 0.02 -
Quick Heal 10.00 2009.04.23 2009-04-23 2.32 -
Rising 20.0 21.26.44.00 2009-04-24 3.07 -
Sophos 2.85.0 4.40 2009-04-24 2.28 -
Sunbelt 5110 5110 2009-04-23 8.82 -
Symantec 1.3.0.24 20090423.004 2009-04-23 0.20 -
nProtect 20090424.03 3494918 2009-04-24 18.64 -
The Hacker 6.3.4.0 v00313 2009-04-23 2.34 -
VBA32 3.12.10.3 20090423.1331 2009-04-23 1.83 -
VirusBuster 4.5.11.10 10.105.4/1295687 2009-04-23 1.62 -

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-24 22:06:18
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xAA4F14EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xAA4F1581]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xAA4F1498]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xAA4F14AC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xAA4F1595]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xAA4F15C1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xAA4F162F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xAA4F1619]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xAA4F152A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xAA4F165B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xAA4F156D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xAA4F1470]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xAA4F1484]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xAA4F14FE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xAA4F1697]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xAA4F1603]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xAA4F15ED]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xAA4F15AB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xAA4F1683]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xAA4F166F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xAA4F14D6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xAA4F14C2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xAA4F15D7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xAA4F1559]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xAA4F1645]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xAA4F1540]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xAA4F1514]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxwboeteppptmovrorutobwrqxdugtbrpl.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxwboeteppptmovrorutobwrqxdugtbrpl.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxglavldqsnsdfuiuwyowlfdyidhhbgiwd.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxwboeteppptmovrorutobwrqxdugtbrpl.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxwboeteppptmovrorutobwrqxdugtbrpl.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxglavldqsnsdfuiuwyowlfdyidhhbgiwd.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxwboeteppptmovrorutobwrqxdugtbrpl.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxwboeteppptmovrorutobwrqxdugtbrpl.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxglavldqsnsdfuiuwyowlfdyidhhbgiwd.dll
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxwboeteppptmovrorutobwrqxdugtbrpl.sys
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxwboeteppptmovrorutobwrqxdugtbrpl.sys
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxglavldqsnsdfuiuwyowlfdyidhhbgiwd.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xE2 0x63 0x26 0xF1 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x71 0x3B 0x04 0x66 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x86 0x8C 0x21 0x01 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xDF 0x20 0x58 0x62 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x05 0x73 0x21 0xDD ...

---- EOF - GMER 1.0.15 ----
alfie

Re: Problem removing a rootkit

Post by jmw3 » April 25th, 2009, 12:36 am

Hi
alfie wrote:
I must also mention that from the 27th April to 2nd May I will not have access to my pc to carry out any scans etc.
Do I need to post a reply to prevent the topic from being closed?

Hopefully we'll be finished by then, but you should be OK as you have let me know :)

Delete the copy of Combofix you have & download it again:
Link 1
Link 2
Link 3

CFScript
Close any open browsers.
Open notepad and copy/paste the text in the code box below into it:

Code:
RegNull::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
RegLockDel::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gaopdxserv.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\gaopdxserv.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gaopdxserv.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\gaopdxserv.sys]

Save this as CFScript.txt, in the same location as ComboFix.exe

[Image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt".
Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


To post in next reply:
Combofix log
New Gmer log
Update on how the computer is behaving
jmw3
MRU Emeritus
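
The CFScript above was built by hand from the GMER `Reg` lines: every CLSID whose InprocServer32 default value points at OLE32.DLL and that also carries a value with a 32-hex-digit name holding raw bytes became a `RegNull::` entry, and the locked `gaopdxserv.sys` service became a `RegLockDel::` entry for each ControlSet. The Python script below is an added example, not part of the original post and not GMER or ComboFix code: it parses GMER `Reg` lines, flags keys showing that pattern, and prints both sections in the form used in the script above. The sample input is the first two CLSID blocks from the GMER log in this thread plus one constructed benign entry with a made-up GUID that must not be flagged; the service name and the four ControlSets are taken from the CFScript itself. The function names and the assumption that key paths contain no spaces are mine.

```python
"""Build ComboFix RegNull:: / RegLockDel:: entries from GMER 'Reg' findings.

Added example for this thread; not GMER or ComboFix code.  GMER prints hidden
or tampered registry items as:
    Reg <key>                      a key with no value shown
    Reg <key>@<name> <data>        a value under that key ('@' alone = default value)
Each CLSID in the log shares one pattern: InprocServer32's default value points
at OLE32.DLL (so the COM object still loads cleanly) while an extra value with a
32-hex-digit name holds raw bytes.  That pattern is what gets flagged here.
"""
import re
from typing import Dict, Iterable, List

# ...\CLSID\{GUID}\InprocServer32 (registry paths are case-insensitive)
CLSID_KEY_RE = re.compile(
    r"^HKLM\\SOFTWARE\\Classes\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32$",
    re.IGNORECASE,
)
# value names such as 'caaeda5fd7a9ed7697d9686d4b818472'
HEX32_NAME_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


def parse_gmer_reg_lines(lines: Iterable[str]) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}}; value_name '' is the default value.

    Assumption: key paths contain no spaces (true for the CLSID lines here).
    """
    keys: Dict[str, Dict[str, str]] = {}
    for raw in lines:
        line = raw.strip()
        if not line.startswith("Reg "):
            continue
        parts = line.split(None, 2)            # 'Reg', '<key>[@name]', '<data>'
        keyspec = parts[1]
        data = parts[2] if len(parts) == 3 else ""
        key, at, name = keyspec.partition("@")
        values = keys.setdefault(key, {})
        if at:                                 # a value line, not a bare key line
            values[name] = data
    return keys


def suspicious_inprocserver32(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """GUIDs whose InprocServer32 shows the OLE32.DLL-plus-raw-bytes pattern."""
    hits: List[str] = []
    for key, values in keys.items():
        match = CLSID_KEY_RE.match(key)
        if not match:
            continue
        default_points_at_ole32 = values.get("", "").lower().endswith("\\ole32.dll")
        has_raw_blob = any(
            HEX32_NAME_RE.match(name) and data.startswith("0x")
            for name, data in values.items()
        )
        if default_points_at_ole32 and has_raw_blob:
            hits.append(match.group(1))
    return hits


def regnull_lines(guids: Iterable[str]) -> List[str]:
    """Render GUIDs as the RegNull:: key lines used in the CFScript above."""
    return [
        "[HKEY_LOCAL_MACHINE\\software\\Classes\\CLSID\\%s\\InprocServer32*]" % g
        for g in guids
    ]


def reglockdel_lines(service: str, control_sets: Iterable[int] = (1, 2, 3, 4)) -> List[str]:
    """Render a locked service key across the given ControlSetNNN hives."""
    return [
        "[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet%03d\\Services\\%s]" % (n, service)
        for n in control_sets
    ]


def build_cfscript(lines: Iterable[str], locked_services: Iterable[str]) -> str:
    """Assemble the RegNull:: and RegLockDel:: sections as ComboFix expects them."""
    guids = suspicious_inprocserver32(parse_gmer_reg_lines(lines))
    out = ["RegNull::"] + regnull_lines(guids) + ["RegLockDel::"]
    for svc in locked_services:
        out += reglockdel_lines(svc)
    return "\n".join(out)


# Constructed sample: the first two CLSID blocks from the GMER log in this
# thread, plus one made-up benign in-proc server (normal DLL, no raw-byte value)
# that must not be flagged.
SAMPLE_GMER_LOG = r"""
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xDF 0x20 0x58 0x62 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32@ C:\WINDOWS\system32\shell32.dll
""".strip().splitlines()

if __name__ == "__main__":
    print(build_cfscript(SAMPLE_GMER_LOG, ["gaopdxserv.sys"]))
```

Run it on a saved GMER log (`build_cfscript(open("gmer.log").read().splitlines(), ["gaopdxserv.sys"])`) and compare the output against the CFScript a helper hands you before running anything; the point of the check is that a key is only listed when both halves of the pattern are present, so a normal in-proc server that merely happens to live in OLE32.DLL is not touched.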

Re: Problem removing a rootkit

Post by alfie » April 25th, 2009, 9:12 am

Hi jmw
Please see logs as requested

ComboFix 09-04-17.01 - HOME 20/04/2009 19:43.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.426 [GMT 1:00]
Running from: c:\documents and settings\HOME\Desktop\commy.exe
Command switches used :: c:\documents and settings\HOME\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point

FILE ::
C:\sqmdata00.sqm
C:\sqmdata01.sqm
C:\sqmdata02.sqm
C:\sqmdata03.sqm
C:\sqmdata04.sqm
C:\sqmdata05.sqm
C:\sqmdata06.sqm
C:\sqmdata07.sqm
C:\sqmdata08.sqm
C:\sqmdata09.sqm
C:\sqmdata10.sqm
C:\sqmdata11.sqm
C:\sqmdata12.sqm
C:\sqmdata13.sqm
C:\sqmdata14.sqm
C:\sqmdata16.sqm
C:\sqmdata17.sqm
C:\sqmdata18.sqm
C:\sqmdata19.sqm
C:\sqmnoopt00.sqm
C:\sqmnoopt01.sqm
C:\sqmnoopt02.sqm
C:\sqmnoopt03.sqm
C:\sqmnoopt04.sqm
C:\sqmnoopt05.sqm
C:\sqmnoopt06.sqm
C:\sqmnoopt07.sqm
C:\sqmnoopt08.sqm
C:\sqmnoopt09.sqm
C:\sqmnoopt10.sqm
C:\sqmnoopt11.sqm
C:\sqmnoopt12.sqm
C:\sqmnoopt13.sqm
C:\sqmnoopt14.sqm
C:\sqmnoopt15.sqm
C:\sqmnoopt16.sqm
C:\sqmnoopt17.sqm
C:\sqmnoopt18.sqm
C:\sqmnoopt19.sqm
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\BearShare Applications
c:\program files\BearShare Applications\BearShare\WMHelper.log
c:\program files\LimeWire
c:\program files\LimeWire\aopalliance.jar.tmp
c:\program files\LimeWire\aopalliance.pack
c:\program files\LimeWire\clink.jar.tmp
c:\program files\LimeWire\clink.pack
c:\program files\LimeWire\commons-httpclient.jar.tmp
c:\program files\LimeWire\commons-httpclient.pack
c:\program files\LimeWire\commons-logging.jar.tmp
c:\program files\LimeWire\commons-logging.pack
c:\program files\LimeWire\commons-net.jar.tmp
c:\program files\LimeWire\commons-net.pack
c:\program files\LimeWire\commons-pool.jar.tmp
c:\program files\LimeWire\commons-pool.pack
c:\program files\LimeWire\daap.jar.tmp
c:\program files\LimeWire\daap.pack
c:\program files\LimeWire\forms.jar.tmp
c:\program files\LimeWire\forms.pack
c:\program files\LimeWire\foxtrot.jar.tmp
c:\program files\LimeWire\foxtrot.pack
c:\program files\LimeWire\gettext-commons.jar.tmp
c:\program files\LimeWire\gettext-commons.pack
c:\program files\LimeWire\guice-1.0.jar.tmp
c:\program files\LimeWire\guice-1.0.pack
c:\program files\LimeWire\httpcore-nio.jar.tmp
c:\program files\LimeWire\httpcore-nio.pack
c:\program files\LimeWire\httpcore.jar.tmp
c:\program files\LimeWire\httpcore.pack
c:\program files\LimeWire\icu4j.jar.tmp
c:\program files\LimeWire\icu4j.pack
c:\program files\LimeWire\id3v2.jar.tmp
c:\program files\LimeWire\id3v2.pack
c:\program files\LimeWire\jcraft.jar.tmp
c:\program files\LimeWire\jcraft.pack
c:\program files\LimeWire\jdic.jar.tmp
c:\program files\LimeWire\jdic.pack
c:\program files\LimeWire\jdic_stub.jar.tmp
c:\program files\LimeWire\jdic_stub.pack
c:\program files\LimeWire\jflac.jar.tmp
c:\program files\LimeWire\jflac.pack
c:\program files\LimeWire\jl.jar.tmp
c:\program files\LimeWire\jl.pack
c:\program files\LimeWire\jmdns.jar.tmp
c:\program files\LimeWire\jmdns.pack
c:\program files\LimeWire\jogg.jar.tmp
c:\program files\LimeWire\jogg.pack
c:\program files\LimeWire\jorbis.jar.tmp
c:\program files\LimeWire\jorbis.pack
c:\program files\LimeWire\lib\UnpackedJars.7z
c:\program files\LimeWire\LimeWire.jar.tmp
c:\program files\LimeWire\log4j.jar.tmp
c:\program files\LimeWire\log4j.pack
c:\program files\LimeWire\looks.jar.tmp
c:\program files\LimeWire\looks.pack
c:\program files\LimeWire\messages.jar.tmp
c:\program files\LimeWire\messages.pack
c:\program files\LimeWire\mp3spi.jar.tmp
c:\program files\LimeWire\mp3spi.pack
c:\program files\LimeWire\ProgressTabs.jar.tmp
c:\program files\LimeWire\ProgressTabs.pack
c:\program files\LimeWire\swt.jar.tmp
c:\program files\LimeWire\swt.pack
c:\program files\LimeWire\themes.jar.tmp
c:\program files\LimeWire\themes.pack
c:\program files\LimeWire\tritonus.jar.tmp
c:\program files\LimeWire\tritonus.pack
c:\program files\LimeWire\vorbisspi.jar.tmp
c:\program files\LimeWire\vorbisspi.pack
C:\sqmdata00.sqm
C:\sqmdata01.sqm
C:\sqmdata02.sqm
C:\sqmdata03.sqm
C:\sqmdata04.sqm
C:\sqmdata05.sqm
C:\sqmdata06.sqm
C:\sqmdata07.sqm
C:\sqmdata08.sqm
C:\sqmdata09.sqm
C:\sqmdata10.sqm
C:\sqmdata11.sqm
C:\sqmdata12.sqm
C:\sqmdata13.sqm
C:\sqmdata14.sqm
C:\sqmdata16.sqm
C:\sqmdata17.sqm
C:\sqmdata18.sqm
C:\sqmdata19.sqm
C:\sqmnoopt00.sqm
C:\sqmnoopt01.sqm
C:\sqmnoopt02.sqm
C:\sqmnoopt03.sqm
C:\sqmnoopt04.sqm
C:\sqmnoopt05.sqm
C:\sqmnoopt06.sqm
C:\sqmnoopt07.sqm
C:\sqmnoopt08.sqm
C:\sqmnoopt09.sqm
C:\sqmnoopt10.sqm
C:\sqmnoopt11.sqm
C:\sqmnoopt12.sqm
C:\sqmnoopt13.sqm
C:\sqmnoopt14.sqm
C:\sqmnoopt15.sqm
C:\sqmnoopt16.sqm
C:\sqmnoopt17.sqm
C:\sqmnoopt18.sqm
C:\sqmnoopt19.sqm
c:\windows\system32\O1t6f2r2.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2009-03-20 to 2009-04-20 )))))))))))))))))))))))))))))))
.

2009-04-17 06:57 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-17 06:57 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 06:57 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-17 06:57 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 06:57 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-17 06:57 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 06:57 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 06:57 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 06:57 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 06:57 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-17 06:55 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-17 06:55 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-17 06:55 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-14 18:24 . 2009-04-14 18:24 0 ----a-w c:\documents and settings\HOME\settings.dat
2009-04-12 10:47 . 1994-09-21 00:00 92208 ----a-w c:\windows\system\WING.DLL
2009-04-12 10:47 . 1994-09-21 00:00 12800 ----a-w c:\windows\system\WING32.DLL
2009-04-01 18:58 . 2009-02-11 09:19 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-01 18:58 . 2009-02-11 09:19 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-01 18:58 . 2009-04-01 18:58 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-01 18:58 . 2009-04-01 18:58 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-01 17:45 . 2009-04-18 15:23 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-01 17:44 . 2009-04-01 17:44 -------- d-----w c:\program files\SpywareBlaster
2009-03-31 19:36 . 2009-03-31 19:36 -------- d-----w c:\windows\system32\scripting
2009-03-31 19:36 . 2009-03-31 19:36 -------- d-----w c:\windows\l2schemas
2009-03-31 19:36 . 2009-03-31 19:36 -------- d-----w c:\windows\system32\en
2009-03-31 19:36 . 2009-03-31 19:36 -------- d-----w c:\windows\system32\bits
2009-03-31 19:34 . 2009-03-31 19:34 -------- d-----w c:\windows\ServicePackFiles
2009-03-30 18:13 . 2009-03-30 18:13 -------- d-----w c:\program files\Sophos
2009-03-28 17:27 . 2009-03-28 17:27 -------- d-----w c:\documents and settings\All Users\Application Data\Citrix
2009-03-28 16:50 . 2009-03-28 16:50 -------- d-----w c:\documents and settings\HOME\Local Settings\Application Data\Citrix
2009-03-28 16:50 . 2009-03-28 16:50 61224 ----a-w c:\documents and settings\HOME\GoToAssistDownloadHelper.exe
2009-03-28 15:01 . 2009-03-28 15:01 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-03-26 20:55 . 2009-03-26 20:55 -------- d--h--w c:\windows\system32\GroupPolicy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-20 18:14 . 2008-03-13 15:55 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-17 06:56 . 2006-01-18 11:23 -------- d-----w c:\program files\McAfee
2009-04-15 20:51 . 2008-02-03 19:33 -------- d-----w c:\documents and settings\All Users\Application Data\Napster
2009-04-01 18:49 . 2006-02-04 13:02 5956 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-04-01 18:49 . 2006-02-04 13:02 50376 ----a-w c:\documents and settings\HOME\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-31 19:39 . 2004-08-11 17:14 88499 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-03-31 19:32 . 2004-08-11 17:00 250048 --sha-r C:\ntldr
2009-03-28 15:49 . 2008-07-28 14:37 -------- d-----w c:\program files\Bonjour
2009-03-26 20:33 . 2009-02-03 14:31 -------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-03-25 10:06 . 2007-02-17 11:09 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 10:06 . 2007-02-17 11:09 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-03-25 10:06 . 2007-02-17 11:09 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-03-25 10:06 . 2007-02-17 11:09 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 10:05 . 2007-02-17 11:09 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-03-24 18:38 . 2007-12-03 19:49 268 ---ha-w C:\sqmdata15.sqm
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\system32\dllcache\kernel32.dll
2009-03-19 13:47 . 2009-03-19 13:47 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\SACore
2009-03-07 19:39 . 2006-01-18 11:23 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-03-06 14:22 . 2004-08-11 17:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-05-10 05:25 826368 ----a-w c:\windows\system32\dllcache\wininet.dll
2009-03-03 00:18 . 2004-08-11 17:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 04:54 . 2004-08-11 17:12 636072 ----a-w c:\windows\system32\dllcache\iexplore.exe
2009-02-20 10:20 . 2007-05-09 18:37 13824 ------w c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 10:20 . 2006-11-07 03:26 70656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 05:14 . 2006-11-07 03:25 161792 ------w c:\windows\system32\dllcache\ieakui.dll
2009-02-09 12:10 . 2004-08-11 17:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-11 17:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-11 17:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-11 17:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2008-10-16 11:27 1846784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 11:13 . 2004-08-11 17:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 18:02 . 2008-10-16 11:27 2066048 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-11 17:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2008-10-16 11:27 2189056 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 11:06 . 2008-10-16 11:27 2145280 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 11:06 . 2004-08-11 17:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-11 17:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2008-10-16 11:27 2023936 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\system32\dllcache\secur32.dll
2009-02-03 19:59 . 2004-08-11 17:00 56832 ----a-w c:\windows\system32\secur32.dll
2006-10-29 17:29 . 2006-10-29 17:29 49600 ----a-w c:\documents and settings\HOME\Application Data\GDIPFONTCACHEV1.DAT
2006-04-06 06:59 . 2006-04-06 06:59 127 ----a-w c:\documents and settings\HOME\Local Settings\Application Data\fusioncache.dat
2006-07-11 18:54 . 2006-07-11 18:54 56 --sh--r c:\windows\system32\E48057C54E.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-04-18_15.40.14 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-11 17:00 . 2008-04-14 00:12 90112 c:\windows\system32\wshext.dll
+ 2004-08-11 17:00 . 2008-05-09 10:53 90112 c:\windows\system32\wshext.dll
+ 2006-01-28 16:50 . 2008-07-09 07:38 26488 c:\windows\system32\spupdsvc.exe
- 2006-01-28 16:50 . 2007-08-10 19:46 26488 c:\windows\system32\spupdsvc.exe
- 2004-08-11 17:00 . 2008-12-20 23:15 44544 c:\windows\system32\pngfilt.dll
+ 2004-08-11 17:00 . 2009-02-20 18:09 44544 c:\windows\system32\pngfilt.dll
- 2004-08-11 17:00 . 2009-04-18 15:39 53436 c:\windows\system32\perfc009.dat
+ 2004-08-11 17:00 . 2009-04-20 18:18 53436 c:\windows\system32\perfc009.dat
- 2004-08-11 17:11 . 2008-04-14 00:12 91648 c:\windows\system32\mtxoci.dll
+ 2004-08-11 17:11 . 2008-06-12 14:23 91648 c:\windows\system32\mtxoci.dll
- 2004-08-11 17:00 . 2008-04-14 00:12 66560 c:\windows\system32\mtxclu.dll
+ 2004-08-11 17:00 . 2008-06-12 14:23 66560 c:\windows\system32\mtxclu.dll
+ 2006-11-07 21:03 . 2009-02-20 18:09 52224 c:\windows\system32\msfeedsbs.dll
- 2006-11-07 21:03 . 2008-12-20 23:15 52224 c:\windows\system32\msfeedsbs.dll
+ 2004-08-11 17:11 . 2008-06-12 14:23 58880 c:\windows\system32\msdtclog.dll
- 2004-08-11 17:11 . 2008-04-14 00:11 58880 c:\windows\system32\msdtclog.dll
+ 2004-08-11 17:00 . 2009-02-20 18:09 27648 c:\windows\system32\jsproxy.dll
- 2004-08-11 17:00 . 2008-12-20 23:15 27648 c:\windows\system32\jsproxy.dll
- 2006-11-07 03:26 . 2008-12-19 09:10 13824 c:\windows\system32\ieudinit.exe
+ 2006-11-07 03:26 . 2009-02-20 10:20 13824 c:\windows\system32\ieudinit.exe
+ 2004-08-11 17:00 . 2009-02-20 18:09 44544 c:\windows\system32\iernonce.dll
- 2004-08-11 17:00 . 2008-12-20 23:15 44544 c:\windows\system32\iernonce.dll
+ 2004-08-11 17:00 . 2009-02-20 18:09 78336 c:\windows\system32\ieencode.dll
- 2004-08-11 17:00 . 2008-12-19 09:10 70656 c:\windows\system32\ie4uinit.exe
+ 2004-08-11 17:00 . 2009-02-20 10:20 70656 c:\windows\system32\ie4uinit.exe
+ 2006-10-17 11:58 . 2009-02-20 18:09 63488 c:\windows\system32\icardie.dll
- 2006-10-17 11:58 . 2008-12-20 23:15 63488 c:\windows\system32\icardie.dll
+ 2008-05-09 10:53 . 2008-05-09 10:53 90112 c:\windows\system32\dllcache\wshext.dll
+ 2006-05-10 05:25 . 2009-02-20 18:09 44544 c:\windows\system32\dllcache\pngfilt.dll
- 2006-05-10 05:25 . 2008-12-20 23:15 44544 c:\windows\system32\dllcache\pngfilt.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 91648 c:\windows\system32\dllcache\mtxoci.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 66560 c:\windows\system32\dllcache\mtxclu.dll
- 2007-05-09 18:37 . 2008-12-20 23:15 52224 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2007-05-09 18:37 . 2009-02-20 18:09 52224 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 58880 c:\windows\system32\dllcache\msdtclog.dll
- 2006-05-10 05:25 . 2008-12-20 23:15 27648 c:\windows\system32\dllcache\jsproxy.dll
+ 2006-05-10 05:25 . 2009-02-20 18:09 27648 c:\windows\system32\dllcache\jsproxy.dll
- 2006-11-07 03:26 . 2008-12-20 23:15 44544 c:\windows\system32\dllcache\iernonce.dll
+ 2006-11-07 03:26 . 2009-02-20 18:09 44544 c:\windows\system32\dllcache\iernonce.dll
+ 2009-02-20 18:09 . 2009-02-20 18:09 78336 c:\windows\system32\dllcache\ieencode.dll
+ 2007-08-20 10:04 . 2009-02-20 18:09 63488 c:\windows\system32\dllcache\icardie.dll
- 2007-08-20 10:04 . 2008-12-20 23:15 63488 c:\windows\system32\dllcache\icardie.dll
- 2006-01-22 17:14 . 2009-04-18 15:29 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-01-22 17:14 . 2009-04-20 18:20 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-01-22 17:14 . 2009-04-18 15:29 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-01-22 17:14 . 2009-04-20 18:20 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-01-22 17:14 . 2009-04-18 15:29 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2006-01-22 17:14 . 2009-04-20 18:20 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-04-18 17:41 . 2008-12-20 23:15 44544 c:\windows\ie7updates\KB963027-IE7\pngfilt.dll
+ 2009-04-18 17:41 . 2008-12-20 23:15 52224 c:\windows\ie7updates\KB963027-IE7\msfeedsbs.dll
+ 2009-04-18 17:41 . 2008-12-20 23:15 27648 c:\windows\ie7updates\KB963027-IE7\jsproxy.dll
+ 2009-04-18 17:41 . 2008-12-19 09:10 13824 c:\windows\ie7updates\KB963027-IE7\ieudinit.exe
+ 2009-04-18 17:41 . 2008-12-20 23:15 44544 c:\windows\ie7updates\KB963027-IE7\iernonce.dll
+ 2009-04-18 17:41 . 2008-04-14 00:11 81920 c:\windows\ie7updates\KB963027-IE7\ieencode.dll
+ 2009-04-18 17:41 . 2008-12-19 09:10 70656 c:\windows\ie7updates\KB963027-IE7\ie4uinit.exe
+ 2009-04-18 17:41 . 2008-12-20 23:15 63488 c:\windows\ie7updates\KB963027-IE7\icardie.dll
- 2004-08-11 17:00 . 2008-04-14 00:12 155648 c:\windows\system32\wscript.exe
+ 2004-08-11 17:00 . 2008-05-08 11:24 155648 c:\windows\system32\wscript.exe
+ 2004-08-11 17:00 . 2008-12-16 12:30 354304 c:\windows\system32\winhttp.dll
- 2004-08-11 17:00 . 2008-04-14 00:12 354304 c:\windows\system32\winhttp.dll
- 2004-08-11 17:00 . 2008-12-20 23:15 233472 c:\windows\system32\webcheck.dll
+ 2004-08-11 17:00 . 2009-02-20 18:09 233472 c:\windows\system32\webcheck.dll
+ 2004-08-11 17:11 . 2009-02-06 10:10 227840 c:\windows\system32\wbem\wmiprvse.exe
+ 2004-08-11 17:11 . 2009-02-09 12:10 453120 c:\windows\system32\wbem\wmiprvsd.dll
+ 2004-08-11 17:11 . 2009-02-09 12:10 473600 c:\windows\system32\wbem\fastprox.dll
+ 2004-08-11 17:00 . 2008-05-09 10:53 430080 c:\windows\system32\vbscript.dll
+ 2004-08-11 17:00 . 2009-02-20 18:09 105984 c:\windows\system32\url.dll
- 2004-08-11 17:00 . 2008-12-20 23:15 105984 c:\windows\system32\url.dll
- 2004-08-11 17:00 . 2008-04-14 00:12 172032 c:\windows\system32\scrrun.dll
+ 2004-08-11 17:00 . 2008-05-09 10:53 172032 c:\windows\system32\scrrun.dll
+ 2004-08-11 17:00 . 2008-05-09 10:53 180224 c:\windows\system32\scrobj.dll
- 2004-08-11 17:00 . 2008-04-14 00:12 180224 c:\windows\system32\scrobj.dll
- 2004-08-11 17:00 . 2009-04-18 15:39 381692 c:\windows\system32\perfh009.dat
+ 2004-08-11 17:00 . 2009-04-20 18:18 381692 c:\windows\system32\perfh009.dat
+ 2004-08-11 17:00 . 2009-02-20 18:09 102912 c:\windows\system32\occache.dll
- 2004-08-11 17:00 . 2008-12-20 23:15 102912 c:\windows\system32\occache.dll
+ 2004-08-11 17:00 . 2009-02-20 18:09 671232 c:\windows\system32\mstime.dll
- 2004-08-11 17:00 . 2008-12-20 23:15 671232 c:\windows\system32\mstime.dll
+ 2004-08-11 17:00 . 2009-02-20 18:09 193024 c:\windows\system32\msrating.dll
- 2004-08-11 17:00 . 2008-12-20 23:15 193024 c:\windows\system32\msrating.dll
- 2004-08-11 17:00 . 2008-12-20 23:15 477696 c:\windows\system32\mshtmled.dll
+ 2004-08-11 17:00 . 2009-02-20 18:09 477696 c:\windows\system32\mshtmled.dll
- 2006-11-07 21:03 . 2008-12-20 23:15 459264 c:\windows\system32\msfeeds.dll
+ 2006-11-07 21:03 . 2009-02-20 18:09 459264 c:\windows\system32\msfeeds.dll
+ 2004-08-11 17:11 . 2008-06-12 14:23 161792 c:\windows\system32\msdtcuiu.dll
- 2004-08-11 17:11 . 2008-04-14 00:11 161792 c:\windows\system32\msdtcuiu.dll
+ 2004-08-11 17:11 . 2008-06-12 14:23 956928 c:\windows\system32\msdtctm.dll
- 2004-08-11 17:11 . 2008-04-14 00:11 956928 c:\windows\system32\msdtctm.dll
+ 2004-08-11 17:11 . 2008-06-12 14:23 428032 c:\windows\system32\msdtcprx.dll
- 2004-08-11 17:00 . 2008-04-14 00:11 989696 c:\windows\system32\kernel32.dll
+ 2004-08-11 17:00 . 2009-03-21 14:06 989696 c:\windows\system32\kernel32.dll
- 2004-08-11 17:00 . 2008-04-14 00:11 512000 c:\windows\system32\jscript.dll
+ 2004-08-11 17:00 . 2008-05-09 10:53 512000 c:\windows\system32\jscript.dll
+ 2006-10-17 11:57 . 2009-02-20 18:09 268288 c:\windows\system32\iertutil.dll
+ 2004-08-11 17:00 . 2009-02-20 18:09 385024 c:\windows\system32\iedkcs32.dll
+ 2006-10-17 11:27 . 2009-02-20 18:09 383488 c:\windows\system32\ieapfltr.dll
- 2006-10-17 11:27 . 2008-12-20 23:15 383488 c:\windows\system32\ieapfltr.dll
- 2004-08-11 17:00 . 2008-12-19 05:23 161792 c:\windows\system32\ieakui.dll
+ 2004-08-11 17:00 . 2009-02-20 05:14 161792 c:\windows\system32\ieakui.dll
- 2004-08-11 17:00 . 2008-12-20 23:15 230400 c:\windows\system32\ieaksie.dll
+ 2004-08-11 17:00 . 2009-02-20 18:09 230400 c:\windows\system32\ieaksie.dll
- 2004-08-11 17:00 . 2008-12-20 23:15 153088 c:\windows\system32\ieakeng.dll
+ 2004-08-11 17:00 . 2009-02-20 18:09 153088 c:\windows\system32\ieakeng.dll
- 2004-08-11 17:00 . 2008-12-20 23:15 133120 c:\windows\system32\extmgr.dll
+ 2004-08-11 17:00 . 2009-02-20 18:09 133120 c:\windows\system32\extmgr.dll
- 2004-08-11 17:00 . 2008-12-20 23:15 214528 c:\windows\system32\dxtrans.dll
+ 2004-08-11 17:00 . 2009-02-20 18:09 214528 c:\windows\system32\dxtrans.dll
- 2004-08-11 17:00 . 2008-12-20 23:15 347136 c:\windows\system32\dxtmsft.dll
+ 2004-08-11 17:00 . 2009-02-20 18:09 347136 c:\windows\system32\dxtmsft.dll
+ 2008-05-08 11:24 . 2008-05-08 11:24 155648 c:\windows\system32\dllcache\wscript.exe
+ 2008-12-16 12:30 . 2008-12-16 12:30 354304 c:\windows\system32\dllcache\winhttp.dll
+ 2006-11-07 21:03 . 2009-02-20 18:09 233472 c:\windows\system32\dllcache\webcheck.dll
- 2006-11-07 21:03 . 2008-12-20 23:15 233472 c:\windows\system32\dllcache\webcheck.dll
+ 2008-05-09 10:53 . 2008-05-09 10:53 430080 c:\windows\system32\dllcache\vbscript.dll
- 2006-10-17 12:05 . 2008-12-20 23:15 105984 c:\windows\system32\dllcache\url.dll
+ 2006-10-17 12:05 . 2009-02-20 18:09 105984 c:\windows\system32\dllcache\url.dll
+ 2008-05-09 10:53 . 2008-05-09 10:53 172032 c:\windows\system32\dllcache\scrrun.dll
+ 2008-05-09 10:53 . 2008-05-09 10:53 180224 c:\windows\system32\dllcache\scrobj.dll
- 2006-10-17 12:04 . 2008-12-20 23:15 102912 c:\windows\system32\dllcache\occache.dll
+ 2006-10-17 12:04 . 2009-02-20 18:09 102912 c:\windows\system32\dllcache\occache.dll
- 2006-05-10 05:25 . 2008-12-20 23:15 671232 c:\windows\system32\dllcache\mstime.dll
+ 2006-05-10 05:25 . 2009-02-20 18:09 671232 c:\windows\system32\dllcache\mstime.dll
- 2006-05-10 05:25 . 2008-12-20 23:15 193024 c:\windows\system32\dllcache\msrating.dll
+ 2006-05-10 05:25 . 2009-02-20 18:09 193024 c:\windows\system32\dllcache\msrating.dll
- 2006-05-10 05:25 . 2008-12-20 23:15 477696 c:\windows\system32\dllcache\mshtmled.dll
+ 2006-05-10 05:25 . 2009-02-20 18:09 477696 c:\windows\system32\dllcache\mshtmled.dll
+ 2007-05-09 18:37 . 2009-02-20 18:09 459264 c:\windows\system32\dllcache\msfeeds.dll
- 2007-05-09 18:37 . 2008-12-20 23:15 459264 c:\windows\system32\dllcache\msfeeds.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 161792 c:\windows\system32\dllcache\msdtcuiu.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 956928 c:\windows\system32\dllcache\msdtctm.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 428032 c:\windows\system32\dllcache\msdtcprx.dll
+ 2008-05-09 10:53 . 2008-05-09 10:53 512000 c:\windows\system32\dllcache\jscript.dll
+ 2007-05-09 18:37 . 2009-02-20 18:09 268288 c:\windows\system32\dllcache\iertutil.dll
+ 2006-11-07 03:27 . 2009-02-20 18:09 385024 c:\windows\system32\dllcache\iedkcs32.dll
+ 2007-05-09 18:37 . 2009-02-20 18:09 383488 c:\windows\system32\dllcache\ieapfltr.dll
- 2007-05-09 18:37 . 2008-12-20 23:15 383488 c:\windows\system32\dllcache\ieapfltr.dll
- 2006-11-07 03:27 . 2008-12-20 23:15 230400 c:\windows\system32\dllcache\ieaksie.dll
+ 2006-11-07 03:27 . 2009-02-20 18:09 230400 c:\windows\system32\dllcache\ieaksie.dll
- 2006-11-07 03:26 . 2008-12-20 23:15 153088 c:\windows\system32\dllcache\ieakeng.dll
+ 2006-11-07 03:26 . 2009-02-20 18:09 153088 c:\windows\system32\dllcache\ieakeng.dll
- 2006-05-10 05:25 . 2008-12-20 23:15 133120 c:\windows\system32\dllcache\extmgr.dll
+ 2006-05-10 05:25 . 2009-02-20 18:09 133120 c:\windows\system32\dllcache\extmgr.dll
- 2006-05-10 05:25 . 2008-12-20 23:15 214528 c:\windows\system32\dllcache\dxtrans.dll
+ 2006-05-10 05:25 . 2009-02-20 18:09 214528 c:\windows\system32\dllcache\dxtrans.dll
+ 2006-05-10 05:25 . 2009-02-20 18:09 347136 c:\windows\system32\dllcache\dxtmsft.dll
- 2006-05-10 05:25 . 2008-12-20 23:15 347136 c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-05-07 09:07 . 2008-05-07 09:07 135168 c:\windows\system32\dllcache\cscript.exe
- 2006-11-07 03:26 . 2008-12-20 23:15 124928 c:\windows\system32\dllcache\advpack.dll
+ 2006-11-07 03:26 . 2009-02-20 18:09 124928 c:\windows\system32\dllcache\advpack.dll
+ 2004-08-11 17:00 . 2008-05-07 09:07 135168 c:\windows\system32\cscript.exe
- 2004-08-11 17:00 . 2008-12-20 23:15 124928 c:\windows\system32\advpack.dll
+ 2004-08-11 17:00 . 2009-02-20 18:09 124928 c:\windows\system32\advpack.dll
+ 2009-04-18 17:41 . 2008-12-20 23:15 826368 c:\windows\ie7updates\KB963027-IE7\wininet.dll
+ 2009-04-18 17:41 . 2008-12-20 23:15 233472 c:\windows\ie7updates\KB963027-IE7\webcheck.dll
+ 2009-04-18 17:41 . 2008-12-20 23:15 105984 c:\windows\ie7updates\KB963027-IE7\url.dll
+ 2009-04-18 17:41 . 2008-07-09 07:38 382840 c:\windows\ie7updates\KB963027-IE7\spuninst\updspapi.dll
+ 2009-04-18 17:41 . 2008-07-08 13:02 231288 c:\windows\ie7updates\KB963027-IE7\spuninst\spuninst.exe
+ 2009-04-18 17:41 . 2008-12-20 23:15 102912 c:\windows\ie7updates\KB963027-IE7\occache.dll
+ 2009-04-18 17:41 . 2008-12-20 23:15 671232 c:\windows\ie7updates\KB963027-IE7\mstime.dll
+ 2009-04-18 17:41 . 2008-12-20 23:15 193024 c:\windows\ie7updates\KB963027-IE7\msrating.dll
+ 2009-04-18 17:41 . 2008-12-20 23:15 477696 c:\windows\ie7updates\KB963027-IE7\mshtmled.dll
+ 2009-04-18 17:41 . 2008-12-20 23:15 459264 c:\windows\ie7updates\KB963027-IE7\msfeeds.dll
+ 2009-04-18 17:41 . 2008-12-19 05:25 634024 c:\windows\ie7updates\KB963027-IE7\iexplore.exe
+ 2009-04-18 17:41 . 2008-12-20 23:15 267776 c:\windows\ie7updates\KB963027-IE7\iertutil.dll
+ 2009-04-18 17:41 . 2008-12-20 23:15 384512 c:\windows\ie7updates\KB963027-IE7\iedkcs32.dll
+ 2009-04-18 17:41 . 2008-12-20 23:15 383488 c:\windows\ie7updates\KB963027-IE7\ieapfltr.dll
+ 2009-04-18 17:41 . 2008-12-19 05:23 161792 c:\windows\ie7updates\KB963027-IE7\ieakui.dll
+ 2009-04-18 17:41 . 2008-12-20 23:15 230400 c:\windows\ie7updates\KB963027-IE7\ieaksie.dll
+ 2009-04-18 17:41 . 2008-12-20 23:15 153088 c:\windows\ie7updates\KB963027-IE7\ieakeng.dll
+ 2009-04-18 17:41 . 2008-12-20 23:15 133120 c:\windows\ie7updates\KB963027-IE7\extmgr.dll
+ 2009-04-18 17:41 . 2008-12-20 23:15 214528 c:\windows\ie7updates\KB963027-IE7\dxtrans.dll
+ 2009-04-18 17:41 . 2008-12-20 23:15 347136 c:\windows\ie7updates\KB963027-IE7\dxtmsft.dll
+ 2009-04-18 17:41 . 2008-12-20 23:15 124928 c:\windows\ie7updates\KB963027-IE7\advpack.dll
+ 2004-08-11 17:00 . 2009-02-20 18:09 1160192 c:\windows\system32\urlmon.dll
- 2004-08-11 17:00 . 2008-12-20 23:15 1160192 c:\windows\system32\urlmon.dll
+ 2004-08-11 17:00 . 2008-12-20 22:14 1288192 c:\windows\system32\quartz.dll
- 2004-08-11 17:00 . 2008-05-07 05:12 1288192 c:\windows\system32\quartz.dll
+ 2008-09-28 14:27 . 2008-09-10 01:14 1307648 c:\windows\system32\msxml6.dll
+ 2004-08-11 17:00 . 2009-02-20 18:09 3595264 c:\windows\system32\mshtml.dll
+ 2006-11-07 21:03 . 2009-02-20 18:09 6066176 c:\windows\system32\ieframe.dll
- 2006-09-05 23:01 . 2007-04-17 09:28 2455488 c:\windows\system32\ieapfltr.dat
+ 2006-09-05 23:01 . 2008-07-09 14:25 2455488 c:\windows\system32\ieapfltr.dat
+ 2006-05-10 05:25 . 2009-02-20 18:09 1160192 c:\windows\system32\dllcache\urlmon.dll
- 2006-05-10 05:25 . 2008-12-20 23:15 1160192 c:\windows\system32\dllcache\urlmon.dll
+ 2008-05-07 05:12 . 2008-12-20 22:14 1288192 c:\windows\system32\dllcache\quartz.dll
- 2008-05-07 05:12 . 2008-05-07 05:12 1288192 c:\windows\system32\dllcache\quartz.dll
+ 2008-09-28 14:27 . 2008-09-10 01:14 1307648 c:\windows\system32\dllcache\msxml6.dll
+ 2006-05-19 15:06 . 2009-02-20 18:09 3595264 c:\windows\system32\dllcache\mshtml.dll
+ 2007-05-09 18:37 . 2009-02-20 18:09 6066176 c:\windows\system32\dllcache\ieframe.dll
- 2007-05-09 18:37 . 2007-04-17 09:28 2455488 c:\windows\system32\dllcache\ieapfltr.dat
+ 2007-05-09 18:37 . 2008-07-09 14:25 2455488 c:\windows\system32\dllcache\ieapfltr.dat
+ 2009-04-18 17:41 . 2008-12-20 23:15 1160192 c:\windows\ie7updates\KB963027-IE7\urlmon.dll
+ 2009-04-18 17:41 . 2009-01-16 21:35 3594752 c:\windows\ie7updates\KB963027-IE7\mshtml.dll
+ 2009-04-18 17:41 . 2008-12-20 23:15 6066688 c:\windows\ie7updates\KB963027-IE7\ieframe.dll
+ 2009-04-18 17:41 . 2007-04-17 09:28 2455488 c:\windows\ie7updates\KB963027-IE7\ieapfltr.dat
+ 2008-10-16 11:27 . 2009-02-06 11:08 2189056 c:\windows\Driver Cache\i386\ntoskrnl.exe
- 2008-10-16 11:27 . 2008-08-14 09:33 2023936 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-10-16 11:27 . 2009-02-06 10:32 2023936 c:\windows\Driver Cache\i386\ntkrpamp.exe
- 2008-10-16 11:27 . 2008-08-14 09:33 2066048 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2008-10-16 11:27 . 2009-02-07 18:02 2066048 c:\windows\Driver Cache\i386\ntkrnlpa.exe
- 2008-10-16 11:27 . 2008-08-14 10:09 2145280 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2008-10-16 11:27 . 2009-02-06 11:06 2145280 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2006-02-25 10:51 . 2009-04-06 14:57 24921544 c:\windows\system32\MRT.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-01-12 4898816]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-13 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 144784]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 94208]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 106496]
"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2006-01-07 81920]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-01-20 200704]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-13 185896]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-01-12 4898816]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-1-18 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R3 MEMSWEEP2;MEMSWEEP2; [x]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]

.
Contents of the 'Scheduled Tasks' folder

2008-07-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2009-04-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-03-02 14:23]

2007-02-17 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-17 10:53]

2007-09-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-17 10:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.orange.co.uk/all?brand=ou ... &p=_adr&q={searchTerms}
mWindow Title = Microsoft Internet Explorer Provided by Wanadoo
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Search with Wanadoo - c:\windows\system32\WSBar.dll/VSearch.htm
TCP: {D2B791E6-E135-46B4-B4B9-21DFC75773DD} = 195.92.195.90 195.92.195.91
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-20 19:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\21.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,c4,d2,e1,bc,1d,
a5,01,21,c8,28,51,af,b0,29,a3,98,64,51,e1,45,6a,9d,f1,89,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,5a,a7,c5,ae,89,
b0,6c,30,71,3b,04,66,8b,46,0d,96,79,f9,b9,e8,2f,bb,cf,51,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,a8,cb,6b,43,0f,
ff,34,2a,25,da,ec,7e,55,20,c9,26,71,18,49,a9,9b,cb,85,84,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,68,f9,d1,c5,97,
30,c6,0a,3e,1e,9e,e0,57,5a,93,61,60,6f,e2,43,5b,5e,e4,4b,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,54,a3,77,ac,f0,
11,7c,a8,cd,44,cd,b9,a6,33,6c,cd,9f,3f,e3,21,c9,52,13,70,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,b4,ad,82,16,af,
96,02,5c,b0,18,ed,a7,3f,8d,37,a4,d8,3c,8e,23,f7,dc,45,98,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,54,95,03,58,ee,
d0,65,22,31,77,e1,ba,b1,f8,68,02,7d,7f,2d,19,6e,27,80,ad,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,82,4b,7e,d0,4a,
84,d3,4e,83,6c,56,8b,a0,85,96,ab,d4,88,24,f0,90,55,ab,16,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,25,b4,0f,40,6b,
ec,e4,0e,51,fa,6e,91,28,9e,14,cc,38,c0,71,f6,69,27,aa,a8,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,71,cc,60,51,72,
17,2d,a7,b1,cd,45,5a,a8,c4,f8,b9,48,f2,fa,2d,66,e3,5c,82,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,35,a0,e3,ee,f9,
b8,cc,d2,e3,0e,66,d5,eb,bc,2f,6b,8f,06,d4,89,b7,be,74,02,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:05,73,21,dd,54,d8,4a,c5,d2,42,58,d1,5d,
be,5a,1a,fa,ea,66,7f,d4,3b,6b,70,08,d8,e8,a9,8c,4a,03,5f,6c,43,2d,1e,aa,22,\
.
Completion time: 2009-04-20 19:49
ComboFix-quarantined-files.txt 2009-04-20 18:49
ComboFix2.txt 2009-04-18 15:42

Pre-Run: 30,193,188,864 bytes free
Post-Run: 30,178,385,920 bytes free

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
632 --- E O F --- 2009-04-19 10:30

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-25 13:45:02
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xAA5174EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xAA517581]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xAA517498]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xAA5174AC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xAA517595]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xAA5175C1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xAA51762F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xAA517619]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xAA51752A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xAA51765B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xAA51756D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xAA517470]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xAA517484]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xAA5174FE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xAA517697]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xAA517603]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xAA5175ED]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xAA5175AB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xAA517683]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xAA51766F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xAA5174D6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xAA5174C2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xAA5175D7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xAA517559]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xAA517645]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xAA517540]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xAA517514]
Code \??\C:\DOCUME~1\HOME\LOCALS~1\Temp\catchme.sys pIofCallDriver
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----

The PC is running a lot better and boots up OK now.
Thanks for your continued help and support.
I will be able to reply up to 9.30am GMT on the 26th; after that I will not have access to the PC for a week.
Thanks again
alfie
Active Member
Posts: 9
Joined: April 12th, 2009, 8:40 am