Yet Another Probable Contamination


Post by Aprius on 14th February 2010, 2:30 am

This is why I'm no longer allowing my 9-year-old brother ANY, ANY unauthorized access on the internet. MBAM won't run at all; I reinstalled it, and found out something keeps deleting mbam.exe from the MBAM folder, even though I've put it back.

Hopefully, HijackThis can help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:28:24 PM, on 2/13/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\GamersFirst\LIVE!\Live.exe
C:\PROGRA~1\COMMON~1\AOL\126076~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\COMMON~1\AOL\126076~1\EE\AOLServiceHost.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Crawler\CToolbar.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = ${URL_SEARCHPAGE}
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
O2 - BHO: ToggleEN Toolbar - {038cb5c7-48ea-4af9-94e0-a1646542e62b} - C:\Program Files\ToggleEN\tbTog1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\ctbr.dll
O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: ToggleEN Toolbar - {038cb5c7-48ea-4af9-94e0-a1646542e62b} - C:\Program Files\ToggleEN\tbTog1.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\ctbr.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1260767234\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-21-4131186697-2858195597-1335476900-1009\..\Run: [Power2GoExpress] NA (User 'rita wilson')
O4 - HKUS\S-1-5-21-4131186697-2858195597-1335476900-1009\..\Run: [BitTorrent DNA] "C:\Documents and Settings\rita wilson\Program Files\DNA\btdna.exe" (User 'rita wilson')
O4 - Global Startup: GamersFirst LIVE!.lnk = C:\Program Files\GamersFirst\LIVE!\Live.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\ctbr.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL wosarako.dll c:\windows\system32\wejuwava.dll
O21 - SSODL: vifonovel - {0c8c7a14-05f0-424d-b34d-d42e7999b730} - c:\windows\system32\wejuwava.dll (file missing)
O22 - SharedTaskScheduler: gahurihor - {0c8c7a14-05f0-424d-b34d-d42e7999b730} - c:\windows\system32\wejuwava.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 9163 bytes


BY THE WAY, this is my favorite computer, the eMachines with the dual 3.2 GHz processors. Just throwing that out there. It's XP SP2, IIRC.




Re: Yet Another Probable Contamination

Post by Belahzur on 14th February 2010, 10:29 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = [You must be registered and logged in to see this link.]
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = [You must be registered and logged in to see this link.]
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = ${URL_SEARCHPAGE}
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = [You must be registered and logged in to see this link.]
    O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\ctbr.dll
    O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\ctbr.dll
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O8 - Extra context menu item: Crawler Search - tbr:iemenu
    O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\ctbr.dll
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL wosarako.dll c:\windows\system32\wejuwava.dll
    O21 - SSODL: vifonovel - {0c8c7a14-05f0-424d-b34d-d42e7999b730} - c:\windows\system32\wejuwava.dll (file missing)
    O22 - SharedTaskScheduler: gahurihor - {0c8c7a14-05f0-424d-b34d-d42e7999b730} - c:\windows\system32\wejuwava.dll (file missing)



  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.
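The entries Belahzur picked out above share the traits a responder scans a HijackThis log for: an AppInit_DLLs value that injects DLLs into every GUI process, O21/O22 shell-loaded objects with generated-looking names or a missing file, and, in the second log later in this thread, a UserInit override and Run keys launching look-alike system binaries or rundll32 on a DLL in system32. As an added example, not code from this thread, from HijackThis or from the forum, here is a small Python triage helper that parses lines in the HijackThis v2 format and flags those patterns. The heuristics (the alternating consonant/vowel name test and the list of core process names) are assumptions of this example, and the sample lines are a constructed subset of the entries posted in this thread.

```python
"""Triage helper for HijackThis v2 log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Assumption of this example: core Windows process names that malware likes to imitate
# with a suffix (smss32.exe, winlogon32.exe) so the entry looks familiar in a log.
SYSTEM_PROCESSES = {"smss", "csrss", "winlogon", "services", "lsass", "svchost", "explorer"}

# Constructed sample: a subset of the entries posted in this thread, in HijackThis v2.0.2 format.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKLM\..\Run: [tijivufet] Rundll32.exe "c:\windows\system32\sujehihu.dll",a
O20 - AppInit_DLLs: c:\windows\system32\pozimadu.dll c:\windows\system32\sujehihu.dll,yavawoji.dll
O21 - SSODL: vifonovel - {0c8c7a14-05f0-424d-b34d-d42e7999b730} - (no file)
O22 - SharedTaskScheduler: kupuhivus - {ab76e428-23f9-4927-b3d9-0fe93b83f5a1} - c:\windows\system32\pozimadu.dll
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
"""


@dataclass
class Finding:
    line: str
    reason: str


def looks_generated(stem: str) -> bool:
    """Heuristic (assumption of this example): 8-9 lowercase letters strictly alternating
    consonant/vowel, the shape of the names in this thread (vifonovel, pozimadu, tijivufet)."""
    if not re.fullmatch(r"[a-z]{8,9}", stem):
        return False
    is_vowel = [c in "aeiou" for c in stem]
    return all(a != b for a, b in zip(is_vowel, is_vowel[1:]))


def basename_stem(path: str) -> str:
    """'C:\\WINDOWS\\system32\\smss32.exe' -> 'smss32'."""
    name = path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


def mimics_system_process(path: str) -> bool:
    """True for names that extend a core process name (smss32, winlogon32) but are not it."""
    stem = basename_stem(path)
    return any(stem != p and stem.startswith(p) for p in SYSTEM_PROCESSES)


def triage_line(line: str) -> list:
    """Reasons a single HijackThis line deserves a closer look (empty list = nothing noted)."""
    reasons = []
    m = re.match(r"(F\d|O\d+|R\d)\s+-\s+(.*)", line)
    if not m:
        return reasons
    section, rest = m.group(1), m.group(2)

    # F2: the UserInit value should be the stock userinit.exe; anything else is an override.
    if section == "F2" and "UserInit=" in rest:
        value = rest.split("UserInit=", 1)[1].strip().rstrip(",")
        if not value.lower().endswith("userinit.exe"):
            reasons.append(f"UserInit points at {value} instead of userinit.exe")

    # O20: every DLL in AppInit_DLLs is loaded into every user32-linked process.
    if section == "O20" and rest.startswith("AppInit_DLLs:"):
        for dll in re.split(r"[ ,]+", rest.split(":", 1)[1].strip()):
            if dll:
                reasons.append(f"AppInit_DLLs injects {dll} into every GUI process")

    # O21/O22: shell-loaded COM objects; missing files or generated-looking names stand out.
    if section in ("O21", "O22"):
        fields = rest.split(":", 1)[1].strip().split(" - ")
        name, target = fields[0], fields[-1]
        if "(no file)" in rest or "(file missing)" in rest:
            reasons.append(f"{section} entry '{name}' points at a missing file")
        elif looks_generated(name) or looks_generated(basename_stem(target)):
            reasons.append(f"{section} entry '{name}' has a generated-looking name")

    # O4: autostart entries; watch rundll32-loaded DLLs and look-alike process names.
    if section == "O4":
        cmd = rest.split(": ", 1)[1] if ": " in rest else rest
        target = cmd.split("] ", 1)[1] if "] " in cmd else cmd
        dll = re.search(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', target, re.I)
        if dll and (looks_generated(basename_stem(dll.group(1))) or "system32" in dll.group(1).lower()):
            reasons.append(f"Run key uses rundll32 to load {dll.group(1)}")
        elif target.split() and mimics_system_process(target.split()[0]):
            reasons.append(f"Run key launches {target.split()[0]}, a look-alike of a core system process")
    return reasons


def triage_log(text: str) -> list:
    """Run triage_line over a whole log and collect one Finding per reason."""
    return [Finding(l.strip(), r) for l in text.splitlines() for r in triage_line(l.strip())]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

On the sample it flags the UserInit override, the smss32.exe and rundll32 Run keys, the three AppInit DLLs and the two shell-loaded entries, and stays quiet on the Adobe BHO, the McAfee service and ehtray. A flag is a prompt to check the file's publisher signature and creation date, not a verdict; a helper working a thread like this one still decides line by line.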



Re: Yet Another Probable Contamination

Post by Aprius on 16th February 2010, 1:28 pm

Another HijackThis log file. Still can't use MBAM, and I reinstalled it and re-downloaded it again.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:27:55 AM, on 2/16/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\COMMON~1\AOL\126076~1\EE\AOLHOS~1.EXE
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\Program Files\GamersFirst\LIVE!\Live.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\COMMON~1\AOL\126076~1\EE\AOLServiceHost.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = ${URL_SEARCHPAGE}
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: ToggleEN Toolbar - {038cb5c7-48ea-4af9-94e0-a1646542e62b} - C:\Program Files\ToggleEN\tbTog0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: ToggleEN Toolbar - {038cb5c7-48ea-4af9-94e0-a1646542e62b} - C:\Program Files\ToggleEN\tbTog0.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1260767234\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKLM\..\Run: [tijivufet] Rundll32.exe "c:\windows\system32\sujehihu.dll",a
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKUS\S-1-5-21-4131186697-2858195597-1335476900-1009\..\Run: [Power2GoExpress] NA (User 'rita wilson')
O4 - HKUS\S-1-5-21-4131186697-2858195597-1335476900-1009\..\Run: [tijivufet] Rundll32.exe "c:\windows\system32\pozimadu.dll",a (User 'rita wilson')
O4 - HKUS\S-1-5-21-4131186697-2858195597-1335476900-1009\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe (User 'rita wilson')
O4 - HKUS\S-1-5-21-4131186697-2858195597-1335476900-1009\..\Run: [fastnsta] rundll32 "C:\WINDOWS\system32\dvduopen.dll",DllEntryPoint (User 'rita wilson')
O4 - Global Startup: GamersFirst LIVE!.lnk = C:\Program Files\GamersFirst\LIVE!\Live.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: c:\windows\system32\pozimadu.dll c:\windows\system32\sujehihu.dll,yavawoji.dll
O21 - SSODL: vifonovel - {0c8c7a14-05f0-424d-b34d-d42e7999b730} - (no file)
O21 - SSODL: zodevalud - {ced5b9f2-5240-4d74-bafb-67ffd8bd946e} - (no file)
O21 - SSODL: yukelekut - {ab76e428-23f9-4927-b3d9-0fe93b83f5a1} - c:\windows\system32\pozimadu.dll
O22 - SharedTaskScheduler: gahurihor - {0c8c7a14-05f0-424d-b34d-d42e7999b730} - (no file)
O22 - SharedTaskScheduler: jugezatag - {ced5b9f2-5240-4d74-bafb-67ffd8bd946e} - (no file)
O22 - SharedTaskScheduler: kupuhivus - {ab76e428-23f9-4927-b3d9-0fe93b83f5a1} - c:\windows\system32\pozimadu.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 10729 bytes




Re: Yet Another Probable Contamination

Post by Belahzur on 16th February 2010, 9:58 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts.
  • NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.
  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Yet Another Probable Contamination

Post by Aprius on 21st February 2010, 5:11 pm

Awesome. It says "Kitty ate it :p" in there. xD


ComboFix 10-02-20.04 - HackerX 02/21/2010 11:56:29.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.894.622 [GMT -5:00]
Running from: c:\documents and settings\HackerX\My Documents\Downloads\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
The following files were disabled during the run:
c:\windows\system32\dvduopen.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Brandon.M\Local Settings\Application Data\{D8854CF0-0689-4F44-A53D-F5F1B762B5D0}
c:\documents and settings\Brandon.M\Local Settings\Application Data\{D8854CF0-0689-4F44-A53D-F5F1B762B5D0}\chrome.manifest
c:\documents and settings\Brandon.M\Local Settings\Application Data\{D8854CF0-0689-4F44-A53D-F5F1B762B5D0}\chrome\content\_cfg.js
c:\documents and settings\Brandon.M\Local Settings\Application Data\{D8854CF0-0689-4F44-A53D-F5F1B762B5D0}\chrome\content\overlay.xul
c:\documents and settings\Brandon.M\Local Settings\Application Data\{D8854CF0-0689-4F44-A53D-F5F1B762B5D0}\install.rdf
c:\documents and settings\HackerX\Desktop\Security essentials 2010.lnk
c:\documents and settings\HackerX\Local Settings\Application Data\{E68319FE-84E6-4C28-B372-9B0F53AE15A7}
c:\documents and settings\HackerX\Local Settings\Application Data\{E68319FE-84E6-4C28-B372-9B0F53AE15A7}\chrome.manifest
c:\documents and settings\HackerX\Local Settings\Application Data\{E68319FE-84E6-4C28-B372-9B0F53AE15A7}\chrome\content\_cfg.js
c:\documents and settings\HackerX\Local Settings\Application Data\{E68319FE-84E6-4C28-B372-9B0F53AE15A7}\chrome\content\overlay.xul
c:\documents and settings\HackerX\Local Settings\Application Data\{E68319FE-84E6-4C28-B372-9B0F53AE15A7}\install.rdf
c:\documents and settings\HackerX\Start Menu\Security essentials 2010.lnk
c:\documents and settings\rita wilson\Local Settings\Application Data\{D713D8E9-99FA-436A-8AD1-F55948136410}
c:\documents and settings\rita wilson\Local Settings\Application Data\{D713D8E9-99FA-436A-8AD1-F55948136410}\chrome.manifest
c:\documents and settings\rita wilson\Local Settings\Application Data\{D713D8E9-99FA-436A-8AD1-F55948136410}\chrome\content\_cfg.js
c:\documents and settings\rita wilson\Local Settings\Application Data\{D713D8E9-99FA-436A-8AD1-F55948136410}\chrome\content\overlay.xul
c:\documents and settings\rita wilson\Local Settings\Application Data\{D713D8E9-99FA-436A-8AD1-F55948136410}\install.rdf
c:\program files\Securityessentials2010
c:\program files\Securityessentials2010\SE2010.exe
c:\recycler\S-1-5-21-3142272795-1391450550-3467938909-500
c:\windows\oteqazaqesu.dll
c:\windows\system32\fuzoyalu.dll
c:\windows\system32\gafilumu.dll
c:\windows\system32\helpers32.dll
c:\windows\system32\hikepohe.dll
c:\windows\system32\hiyivonu.dll
c:\windows\system32\juguteto.dll
c:\windows\system32\napokoku.dll
c:\windows\system32\setunude.dll
c:\windows\system32\SIntf16.dll
c:\windows\system32\siruguhu.dll
c:\windows\system32\smss32.exe
c:\windows\system32\sujehihu.dll
c:\windows\system32\susonuno.dll
c:\windows\system32\Thumbs.db
c:\windows\system32\tosofove.dll
c:\windows\system32\vetaweyo.dll
c:\windows\system32\warnings.html
c:\windows\system32\winlogon32.exe
c:\windows\system32\wolizapa.dll
c:\windows\system32\yajosofo.dll
c:\windows\system32\zasezara.dll
c:\windows\system32\zomisula.dll
c:\windows\Tasks\lemrjgoz.job
c:\windows\Tasks\mgrbkxmg.job
D:\Autorun.inf

----- BITS: Possible infected sites -----

[You must be registered and logged in to see this link.]
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2010-01-21 to 2010-02-21 )))))))))))))))))))))))))))))))
.

2010-02-20 17:09 . 2010-02-20 17:09 -------- d-----w- c:\documents and settings\Brandon.M\Application Data\AdobeUM
2010-02-20 16:21 . 2010-02-20 16:27 -------- d-----w- c:\program files\American Civil War - Gettysburg
2010-02-20 01:59 . 2010-02-20 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2010-02-20 01:12 . 2010-02-20 01:12 -------- d-----w- c:\program files\3DO
2010-02-18 22:53 . 2010-02-18 22:53 -------- d-----w- C:\Xfire
2010-02-18 00:36 . 2010-02-18 00:36 -------- d-----w- c:\documents and settings\rita wilson\Local Settings\Application Data\IsolatedStorage
2010-02-18 00:36 . 2010-02-18 00:36 -------- d-----w- c:\documents and settings\rita wilson\Local Settings\Application Data\Intuit
2010-02-18 00:36 . 2010-02-18 00:36 -------- d-----w- c:\documents and settings\rita wilson\Application Data\Intuit
2010-02-18 00:15 . 2010-02-19 14:09 0 ----a-w- c:\documents and settings\rita wilson\Local Settings\Application Data\Mwokumulig.bin
2010-02-18 00:15 . 2010-02-19 14:09 120 ----a-w- c:\documents and settings\rita wilson\Local Settings\Application Data\Lsalif.dat
2010-02-17 20:25 . 2010-02-21 14:38 0 ----a-w- c:\windows\Mwokumulig.bin
2010-02-17 20:25 . 2010-02-21 16:43 120 ----a-w- c:\windows\Lsalif.dat
2010-02-16 13:25 . 2010-02-16 13:25 -------- d-----w- c:\documents and settings\HackerX\Local Settings\Application Data\Conduit
2010-02-16 13:25 . 2010-02-18 23:18 -------- d-----w- c:\documents and settings\HackerX\Local Settings\Application Data\ToggleEN
2010-02-16 13:23 . 2010-02-21 16:45 -------- d-----w- c:\documents and settings\HackerX\Application Data\HPAppData
2010-02-16 13:16 . 2010-02-19 22:25 35328 ----a-w- c:\windows\system32\dvduopen.dll.vir
2010-02-16 13:08 . 2010-02-16 13:08 -------- d-----w- c:\documents and settings\rita wilson\Application Data\Yahoo!
2010-02-16 13:05 . 2010-02-19 14:10 -------- d-----w- c:\documents and settings\rita wilson\Application Data\HPAppData
2010-02-15 16:23 . 2010-02-15 16:23 -------- d-----w- c:\documents and settings\Brandon.M\Application Data\Yahoo!
2010-02-15 16:22 . 2010-02-21 00:32 -------- d-----w- c:\documents and settings\Brandon.M\Application Data\HPAppData
2010-02-15 16:21 . 2010-02-15 16:21 -------- d-----w- c:\documents and settings\Brandon.M\Application Data\HP
2010-02-15 15:58 . 2010-02-15 16:04 -------- d-----w- c:\documents and settings\HackerX\Application Data\HP
2010-02-15 15:58 . 2010-02-15 15:58 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
2010-02-15 15:54 . 2010-02-15 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-02-15 15:54 . 2010-02-15 15:54 -------- d-----w- c:\documents and settings\HackerX\Application Data\Yahoo!
2010-02-15 15:54 . 2010-02-15 15:54 -------- d-----w- c:\program files\Yahoo!
2010-02-15 15:53 . 2010-02-15 15:53 -------- d-----w- c:\program files\Common Files\HP
2010-02-15 15:52 . 2010-02-15 15:52 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2010-02-15 15:50 . 2010-02-15 15:50 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2010-02-15 15:50 . 2010-02-18 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-02-15 15:48 . 2010-02-15 15:58 160812 ----a-w- c:\windows\hphins33.dat
2010-02-15 15:48 . 2009-06-11 10:17 586 ------w- c:\windows\hphmdl33.dat
2010-02-15 15:36 . 2010-02-15 15:53 -------- d-----w- c:\program files\HP
2010-02-15 15:35 . 2008-10-28 10:27 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
2010-02-15 15:35 . 2008-10-28 10:27 49920 ----a-r- c:\windows\system32\drivers\HPZid412.sys
2010-02-15 15:34 . 2009-04-16 19:08 126976 ----a-w- c:\windows\system32\hpfll70v.dll
2010-02-15 15:34 . 2009-04-16 19:08 312832 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpfpp70v.dll
2010-02-15 15:34 . 2009-04-15 21:53 452408 ----a-r- c:\windows\system32\hpzids01.dll
2010-02-15 15:34 . 2010-02-15 15:34 -------- dc----w- c:\windows\system32\DRVSTORE
2010-02-15 15:33 . 2008-10-28 10:27 309760 ----a-r- c:\windows\system32\difxapi.dll
2010-02-15 15:33 . 2008-10-28 10:27 372736 ----a-r- c:\windows\system32\hppldcoi.dll
2010-02-15 15:33 . 2008-10-28 10:27 21568 ----a-r- c:\windows\system32\drivers\HPZius12.sys
2010-02-15 15:32 . 2004-08-04 04:01 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-02-15 15:32 . 2004-08-04 04:01 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-02-14 19:59 . 2010-02-16 22:00 -------- d-----w- c:\program files\StarCraft
2010-02-14 19:59 . 2010-02-14 20:09 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-02-14 02:28 . 2010-02-14 02:28 -------- d-----w- c:\program files\Trend Micro
2010-02-13 20:03 . 2010-02-13 20:03 -------- d-----w- c:\documents and settings\Brandon.M\Local Settings\Application Data\Help
2010-02-13 19:41 . 2010-02-20 23:48 -------- d-----w- c:\documents and settings\Brandon.M\Application Data\Software Informer
2010-02-13 19:41 . 2010-02-13 19:43 -------- d-----w- c:\program files\Software Informer
2010-02-13 17:02 . 2010-02-13 17:02 -------- d-----w- c:\program files\Atari
2010-02-12 22:06 . 2010-02-12 22:06 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\IsolatedStorage
2010-02-12 22:06 . 2010-02-12 22:06 -------- d-----w- c:\documents and settings\HackerX\Local Settings\Application Data\Intuit
2010-02-12 22:05 . 2010-02-12 22:05 -------- d-----w- c:\documents and settings\HackerX\Application Data\Intuit
2010-02-12 22:05 . 2010-02-12 22:05 -------- d-----w- c:\program files\Common Files\AnswerWorks 5.0
2010-02-12 21:57 . 2010-02-12 21:57 -------- d-----w- c:\documents and settings\HackerX\Local Settings\Application Data\IsolatedStorage
2010-02-12 21:57 . 2010-02-12 22:04 -------- d-----w- c:\program files\Common Files\Intuit
2010-02-12 21:56 . 2010-02-12 21:56 -------- d-----w- c:\program files\TurboTax
2010-02-12 21:55 . 2010-02-12 21:55 -------- d-----w- c:\windows\system32\XPSViewer
2010-02-12 21:55 . 2010-02-12 21:55 -------- d-----w- c:\program files\MSBuild
2010-02-12 21:54 . 2010-02-12 21:54 -------- d-----w- c:\program files\Reference Assemblies
2010-02-12 21:54 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-02-12 21:54 . 2010-02-12 21:54 -------- d-----w- C:\689cbcae47736664b9
2010-02-12 21:54 . 2008-07-06 12:06 89088 -c--a-w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-02-12 21:54 . 2008-07-06 12:06 575488 -c--a-w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-02-12 21:54 . 2008-07-06 12:06 575488 ----a-w- c:\windows\system32\xpsshhdr.dll
2010-02-12 21:54 . 2008-07-06 12:06 1676288 -c--a-w- c:\windows\system32\dllcache\xpssvcs.dll
2010-02-12 21:54 . 2008-07-06 12:06 1676288 ----a-w- c:\windows\system32\xpssvcs.dll
2010-02-12 21:54 . 2008-07-06 12:06 117760 ----a-w- c:\windows\system32\prntvpt.dll
2010-02-12 21:54 . 2008-07-06 10:50 597504 -c--a-w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-02-12 21:54 . 2008-07-06 10:50 597504 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-02-12 21:51 . 2010-02-12 21:51 -------- d-----w- c:\program files\MSXML 6.0
2010-02-12 21:45 . 2010-02-12 21:45 -------- d-----w- c:\documents and settings\HackerX\Local Settings\Application Data\DNA
2010-02-12 21:45 . 2010-02-21 17:04 -------- d-----w- c:\documents and settings\HackerX\Application Data\DNA
2010-02-12 21:45 . 2010-02-12 21:45 -------- d-----w- c:\documents and settings\HackerX\Local Settings\Application Data\GamersFirst LIVE!
2010-02-11 13:33 . 2010-02-11 13:33 -------- d-----w- c:\documents and settings\rita wilson\Local Settings\Application Data\DNA
2010-02-11 13:33 . 2010-02-19 14:14 -------- d-----w- c:\documents and settings\rita wilson\Application Data\DNA
2010-02-11 13:33 . 2010-02-11 13:33 -------- d-----w- c:\documents and settings\rita wilson\Program Files
2010-02-11 13:33 . 2010-02-11 13:33 -------- d-----w- c:\documents and settings\rita wilson\Local Settings\Application Data\GamersFirst LIVE!
2010-02-11 03:16 . 2010-02-11 03:16 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-02-10 22:51 . 2010-02-10 22:57 -------- d-----w- c:\documents and settings\Brandon.M\Local Settings\Application Data\GamersFirst LIVE!
2010-02-10 22:51 . 2010-02-10 22:51 -------- d-----w- c:\program files\GamersFirst
2010-02-10 19:50 . 2010-02-12 22:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2010-02-09 20:45 . 2010-02-09 20:45 -------- d-----w- c:\program files\MSXML 4.0
2010-02-08 20:27 . 2010-02-08 20:34 -------- d-----w- c:\program files\Galaxy Online
2010-02-08 14:52 . 2010-02-08 14:52 -------- d-----w- c:\windows\system32\drivers\NSS
2010-02-08 14:52 . 2010-02-08 14:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-02-08 14:52 . 2010-02-08 14:52 -------- d-----w- c:\program files\Norton Security Scan
2010-02-08 14:52 . 2010-02-08 14:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-02-08 14:52 . 2010-02-08 14:52 -------- d-----w- c:\program files\NortonInstaller
2010-02-08 14:52 . 2010-02-08 14:52 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-02-08 02:25 . 2010-02-08 02:25 -------- d-----w- c:\windows\system32\Adobe
2010-02-07 19:32 . 2010-02-07 19:33 -------- d-----w- c:\documents and settings\Brandon.M\Local Settings\Application Data\Adobe
2010-02-07 00:09 . 2010-02-07 00:09 65536 ----a-w- c:\windows\IFinst27.exe
2010-02-03 00:06 . 2004-08-10 19:00 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2010-02-03 00:01 . 2010-02-03 00:01 -------- d-----w- c:\program files\Windows Media Connect 2
2010-02-03 00:00 . 2010-02-03 00:00 -------- d-----w- c:\windows\system32\drivers\UMDF
2010-02-02 23:51 . 2010-02-02 23:51 -------- d-----w- c:\documents and settings\Brandon.M\Application Data\uTorrent
2010-02-02 21:25 . 2009-12-16 19:42 43008 ----a-w- c:\documents and settings\HackerX\Application Data\Mozilla\Firefox\Profiles\yael0wua.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-02-02 21:25 . 2009-12-16 19:42 872960 ----a-w- c:\documents and settings\HackerX\Application Data\Mozilla\Firefox\Profiles\yael0wua.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-02-02 21:25 . 2009-12-16 19:42 340480 ----a-w- c:\documents and settings\HackerX\Application Data\Mozilla\Firefox\Profiles\yael0wua.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-02-02 21:25 . 2009-12-16 19:41 346624 ----a-w- c:\documents and settings\HackerX\Application Data\Mozilla\Firefox\Profiles\yael0wua.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-02-02 21:16 . 2010-02-02 21:16 -------- d-----w- c:\program files\uTorrent
2010-02-02 21:15 . 2010-02-03 00:03 -------- d-----w- c:\documents and settings\HackerX\Application Data\uTorrent
2010-02-02 21:01 . 2010-02-02 21:01 -------- d-----w- c:\documents and settings\HackerX\Application Data\Malwarebytes
2010-02-02 02:25 . 2010-02-16 21:17 38968 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-01-31 19:38 . 2010-01-31 19:38 -------- d-----w- c:\documents and settings\rita wilson\Application Data\Red Alert 3
2010-01-31 19:38 . 2010-01-31 19:38 -------- d--h--r- c:\documents and settings\rita wilson\Application Data\SecuROM
2010-01-30 17:53 . 2009-12-16 19:42 43008 ----a-w- c:\documents and settings\rita wilson\Application Data\Mozilla\Firefox\Profiles\48jwqe1o.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-01-30 17:53 . 2009-12-16 19:42 340480 ----a-w- c:\documents and settings\rita wilson\Application Data\Mozilla\Firefox\Profiles\48jwqe1o.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-01-30 17:53 . 2009-12-16 19:41 346624 ----a-w- c:\documents and settings\rita wilson\Application Data\Mozilla\Firefox\Profiles\48jwqe1o.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-01-30 17:53 . 2009-12-16 19:42 872960 ----a-w- c:\documents and settings\rita wilson\Application Data\Mozilla\Firefox\Profiles\48jwqe1o.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-01-28 00:07 . 2010-01-28 00:07 -------- d-----w- c:\documents and settings\Brandon.M\Application Data\Petroglyph
2010-01-27 23:47 . 2010-01-27 23:47 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Xfire
2010-01-27 02:43 . 2009-12-16 19:42 872960 ----a-w- c:\documents and settings\Brandon.M\Application Data\Mozilla\Firefox\Profiles\gxyhp0ai.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-01-27 02:43 . 2009-12-16 19:42 43008 ----a-w- c:\documents and settings\Brandon.M\Application Data\Mozilla\Firefox\Profiles\gxyhp0ai.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-01-27 02:43 . 2009-12-16 19:42 340480 ----a-w- c:\documents and settings\Brandon.M\Application Data\Mozilla\Firefox\Profiles\gxyhp0ai.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-01-27 02:43 . 2009-12-16 19:41 346624 ----a-w- c:\documents and settings\Brandon.M\Application Data\Mozilla\Firefox\Profiles\gxyhp0ai.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-01-27 02:38 . 2010-01-27 02:38 -------- d-----w- c:\windows\CD95F661A5C444F5A6AAECDD91C240BB.TMP
2010-01-27 02:37 . 2010-01-27 02:37 -------- d-----w- c:\documents and settings\Brandon.M\Application Data\Notepad++
2010-01-27 02:37 . 2010-01-27 02:37 -------- d-----w- c:\program files\Notepad++
2010-01-27 02:31 . 2010-01-27 02:31 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-01-27 02:27 . 2010-02-16 21:14 -------- d-----w- c:\documents and settings\rita wilson\Local Settings\Application Data\ToggleEN
2010-01-27 02:27 . 2010-01-27 02:27 -------- d-----w- c:\documents and settings\rita wilson\Local Settings\Application Data\Conduit
2010-01-24 17:55 . 2010-01-24 17:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-21 17:03 . 2010-01-10 22:28 -------- d-----w- c:\program files\DNA
2010-02-21 02:15 . 2010-01-10 22:28 -------- d-----w- c:\documents and settings\Brandon.M\Application Data\DNA
2010-02-20 20:44 . 2010-01-17 01:43 -------- d-----w- c:\documents and settings\Brandon.M\Application Data\Xfire
2010-02-19 21:25 . 2010-01-17 01:43 -------- d-s---w- c:\program files\Xfire
2010-02-16 13:08 . 2010-01-16 20:40 -------- d-----w- c:\program files\ToggleEN
2010-02-15 16:04 . 2006-06-19 04:25 38968 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-15 15:36 . 2010-01-12 20:29 -------- d-----w- c:\documents and settings\rita wilson\Application Data\McAfee.com Personal Firewall
2010-02-13 21:14 . 2010-01-13 01:22 -------- d-----w- c:\documents and settings\Brandon.M\Application Data\Red Alert 3
2010-02-13 20:33 . 2009-12-14 04:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-12 21:58 . 2010-01-09 17:21 -------- d-----w- c:\documents and settings\HackerX\Application Data\McAfee.com Personal Firewall
2010-02-11 22:23 . 2010-01-17 01:20 509708424 ----a-w- c:\documents and settings\Brandon.M\Application Data\ijjigame\U_SFInstaller.exe
2010-02-09 20:46 . 2010-01-16 21:35 -------- d-----w- c:\program files\GameSpy Arcade
2010-02-09 20:43 . 2009-12-20 03:04 -------- d-----w- c:\program files\Microsoft Games
2010-01-23 03:13 . 2010-01-16 17:50 -------- d-----w- c:\program files\Youdagames
2010-01-23 03:11 . 2009-12-14 04:56 -------- d-----w- c:\program files\CyberLink
2010-01-23 03:10 . 2009-12-14 05:07 -------- d-----w- c:\program files\Common Files\AOL
2010-01-23 03:10 . 2009-12-14 05:07 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2010-01-23 03:04 . 2009-12-14 05:02 -------- d-----w- c:\program files\Gateway Games
2010-01-23 03:04 . 2009-12-14 05:02 -------- d-----w- c:\program files\WildTangent
2010-01-23 03:04 . 2009-12-14 05:02 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent
2010-01-17 21:43 . 2010-01-17 18:40 1804553488 ----a-w- c:\documents and settings\Brandon.M\Application Data\ijjigame\U_AVA_Setup.exe
2010-01-17 20:18 . 2010-01-17 01:20 -------- d--h--w- c:\documents and settings\Brandon.M\Application Data\ijjigame
2010-01-17 14:59 . 2010-01-17 14:59 -------- d-----w- c:\documents and settings\LocalService\Application Data\Xfire
2010-01-17 02:08 . 2010-01-17 02:08 -------- d-----w- c:\documents and settings\All Users\Application Data\ijjigame
2010-01-17 01:47 . 2010-01-17 01:47 -------- d-----w- c:\program files\Common Files\INCA Shared
2010-01-17 00:33 . 2010-01-17 00:33 -------- d-----w- c:\program files\ijji
2010-01-16 21:38 . 2010-01-16 21:38 -------- d-----w- c:\documents and settings\Brandon.M\Application Data\Sierra
2010-01-16 21:34 . 2010-01-16 21:34 -------- d-----w- c:\program files\Sierra
2010-01-16 20:43 . 2010-01-16 17:50 -------- d-----w- c:\documents and settings\Brandon.M\Application Data\Youdagames
2010-01-16 20:42 . 2010-01-16 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Youdagames
2010-01-16 20:40 . 2010-01-16 20:40 -------- d-----w- c:\program files\Conduit
2010-01-15 22:13 . 2010-01-15 22:13 138056 ----a-w- c:\documents and settings\Brandon.M\Application Data\PnkBstrK.sys
2010-01-15 22:13 . 2010-01-15 22:13 138056 ----a-w- c:\documents and settings\Brandon.M\Application Data\PnkBstrK.sys
2010-01-15 22:02 . 2010-01-15 22:02 -------- d-----w- c:\program files\EA Games
2010-01-15 17:05 . 2010-01-15 17:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Age of Empires 3 XPack Trial
2010-01-13 01:21 . 2010-01-13 01:21 -------- d--h--r- c:\documents and settings\Brandon.M\Application Data\SecuROM
2010-01-12 21:37 . 2010-01-12 13:15 -------- d-----w- c:\documents and settings\All Users\Application Data\NexonUS
2010-01-12 21:35 . 2010-01-12 21:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Nexon
2010-01-12 13:15 . 2010-01-12 13:15 90112 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
2010-01-12 13:15 . 2010-01-12 13:15 561152 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
2010-01-12 13:15 . 2010-01-12 13:15 393216 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2010-01-12 13:15 . 2010-01-12 13:15 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll
2010-01-12 13:15 . 2010-01-12 13:15 118784 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll
2010-01-12 13:15 . 2010-01-12 13:15 167936 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe
2010-01-12 12:52 . 2010-01-12 12:52 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2010-01-12 12:51 . 2010-01-12 12:51 -------- d-----w- c:\program files\Pando Networks
2010-01-12 12:45 . 2010-01-09 17:47 -------- d-----w- c:\program files\StarWarsGalaxies
2010-01-10 17:29 . 2010-01-10 17:18 -------- d-----w- c:\documents and settings\Brandon.M\Application Data\McAfee.com Personal Firewall
2010-01-09 17:35 . 2010-01-09 17:35 -------- d-----w- c:\program files\Sony
2010-01-09 17:25 . 2009-12-14 05:10 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com Personal Firewall
2009-12-28 01:32 . 2009-12-14 04:18 12464 ----a-w- c:\windows\system32\drivers\secdrv.sys
2009-12-28 01:22 . 2009-12-28 01:22 484 ----a-w- c:\windows\eReg.dat
2009-12-28 01:22 . 2009-12-28 01:22 -------- d-----w- c:\program files\Maxis
2009-12-27 23:14 . 2009-12-16 01:25 -------- d-----w- c:\program files\LucasArts
2009-12-22 00:15 . 2009-12-20 03:15 21840 ----atw- c:\windows\system32\SIntfNT.dll
2009-12-22 00:15 . 2009-12-20 03:15 17212 ----atw- c:\windows\system32\SIntf32.dll
2009-12-20 03:01 . 2009-12-20 03:01 16 ----a-w- c:\windows\popcinfo.dat
2009-12-20 02:09 . 2009-12-20 02:09 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-12-20 01:35 . 2009-12-20 01:35 3624 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-12-17 23:18 . 2009-12-17 23:18 75264 ----a-w- c:\windows\system32\uc_holybeast_launching.dll
2009-12-17 23:17 . 2009-12-17 23:17 64000 ----a-w- c:\windows\system32\uc_sfighters_launching.dll
2009-12-15 22:21 . 2009-12-15 22:21 427008 ----a-w- c:\windows\system32\uc_wepic_launching.dll
2009-12-14 05:07 . 2009-12-14 05:07 8552 ----a-w- c:\windows\system32\drivers\asctrm.sys
2009-12-14 05:07 . 2009-12-14 05:07 335 ----a-w- c:\windows\nsreg.dat
2009-12-14 05:05 . 2009-12-14 05:05 4 ----a-w- c:\windows\Pix11.dat
2009-12-14 04:43 . 2009-12-14 04:43 60 ----a-w- c:\windows\system32\SYSDRV.DAT
1601-01-01 00:03 . 1601-01-01 00:03 66560 --sha-w- c:\windows\system32\bevukeyo.dll
1601-01-01 00:03 . 1601-01-01 00:03 51712 --sha-w- c:\windows\system32\bibegipe.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03 100352 --sha-w- c:\windows\system32\dinibafi.dll
1601-01-01 00:03 . 1601-01-01 00:03 53248 --sha-w- c:\windows\system32\ganizoni.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03 96768 --sha-w- c:\windows\system32\honomige.dll
1601-01-01 00:03 . 1601-01-01 00:03 39424 --sha-w- c:\windows\system32\jinorije.dll
1601-01-01 00:03 . 1601-01-01 00:03 39424 --sha-w- c:\windows\system32\juwefisi.dll
1601-01-01 00:03 . 1601-01-01 00:03 56320 --sha-w- c:\windows\system32\ligijowe.dll
1601-01-01 00:03 . 1601-01-01 00:03 100864 --sha-w- c:\windows\system32\mipiduwi.dll
1601-01-01 00:03 . 1601-01-01 00:03 39424 --sha-w- c:\windows\system32\tanetezo.dll
1601-01-01 00:03 . 1601-01-01 00:03 51712 --sha-w- c:\windows\system32\wosarako.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03 92672 --sha-w- c:\windows\system32\wuganabu.dll
1601-01-01 00:03 . 1601-01-01 00:03 53248 --sha-w- c:\windows\system32\yavawoji.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03 53248 --sha-w- c:\windows\system32\yidurufo.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03 51712 --sha-w- c:\windows\system32\zazuporo.dll.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]
2010-02-16 13:26 2349080 ----a-w- c:\program files\ToggleEN\tbTog0.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf6e7a71-8e16-4097-bc40-d31902456e61}]
1601-01-01 00:03 56320 --sha-w- c:\windows\system32\ligijowe.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{038cb5c7-48ea-4af9-94e0-a1646542e62b}"= "c:\program files\ToggleEN\tbTog0.dll" [2010-02-16 2349080]

[HKEY_CLASSES_ROOT\clsid\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{038CB5C7-48EA-4AF9-94E0-A1646542E62B}"= "c:\program files\ToggleEN\tbTog0.dll" [2010-02-16 2349080]

[HKEY_CLASSES_ROOT\clsid\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2010-02-12 323392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 16143872]
"HostManager"="c:\program files\Common Files\AOL\1260767234\EE\AOLHostManager.exe" [2004-11-03 125528]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-12-14 98304]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-13 1121792]

c:\documents and settings\Brandon.M\Start Menu\Programs\Startup\
Xfire.lnk - c:\program files\Xfire\xfire.exe [2010-2-10 3207056]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
GamersFirst LIVE!.lnk - c:\program files\GamersFirst\LIVE!\Live.exe [2009-10-27 2665328]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
WG111v2 Smart Wizard Wireless Setting.lnk - c:\program files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2009-12-14 745472]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-11-18 495432]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli anetut.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Install Pending Files.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Install Pending Files.LNK
backup=c:\windows\pss\Install Pending Files.LNKCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1260767234\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III - The WarChiefs Trial\\age3x.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War Forces of Corruption\\swfoc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\ehome\\ehtray.exe"=
"c:\\Program Files\\Digital Media Reader\\readericon45G.exe"=
"c:\\WINDOWS\\RTHDCPL.exe"=
"c:\\WINDOWS\\creator\\Remind_XP.exe"=
"c:\\Program Files\\GamersFirst\\LIVE!\\Live.exe"=
"c:\\Program Files\\NETGEAR\\WG111v2 Configuration Utility\\RtlWake.exe"=
"c:\\WINDOWS\\system32\\Macromed\\Flash\\NPSWF32_FlashUtil.exe"=
"c:\\Program Files\\WinZip\\WZQKPICK.EXE"=
"c:\\Program Files\\Common Files\\AOL\\1260767234\\EE\\AOLHostManager.exe"=
"c:\\Program Files\\McAfee\\SpamKiller\\MSKDetct.exe"=
"c:\\WINDOWS\\ehome\\ehmsas.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57064:TCP"= 57064:TCP:Pando Media Booster
"57064:UDP"= 57064:UDP:Pando Media Booster

R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [12/14/2009 6:39 PM 66048]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [12/14/2009 6:26 PM 167808]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [12/14/2009 6:39 PM 13532]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-12-14 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2009-12-14 19:00]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
IE: &Search
IE: Crawler Search - tbr:iemenu
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: buy-security-essentials.com
Trusted Zone: download-soft-package.com
Trusted Zone: download-software-package.com
Trusted Zone: get-key-se10.com
Trusted Zone: intuit.com\ttlc
Trusted Zone: is-software-download.com
Trusted Zone: buy-security-essentials.com
Trusted Zone: get-key-se10.com
FF - ProfilePath - c:\documents and settings\HackerX\Application Data\Mozilla\Firefox\Profiles\yael0wua.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\HackerX\Application Data\Mozilla\Firefox\Profiles\yael0wua.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSeymour.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-smss32.exe - c:\windows\system32\smss32.exe
HKCU-Run-Security essentials 2010 - c:\program files\Securityessentials2010\SE2010.exe
HKLM-Run-Pdaluz - c:\windows\oteqazaqesu.dll
HKLM-Run-tijivufet - c:\windows\system32\vetaweyo.dll
HKLM-Run-donepofibi - yajosofo.dll
SharedTaskScheduler-{0c8c7a14-05f0-424d-b34d-d42e7999b730} - (no file)
SharedTaskScheduler-{ced5b9f2-5240-4d74-bafb-67ffd8bd946e} - (no file)
SharedTaskScheduler-{ab76e428-23f9-4927-b3d9-0fe93b83f5a1} - c:\windows\system32\sujehihu.dll
SharedTaskScheduler-{5b761b56-ff04-40ae-aa42-9180b8a4d98d} - c:\windows\system32\sujehihu.dll
SharedTaskScheduler-{9155ab46-df69-4a54-9aa1-cf9bb6693050} - c:\windows\system32\kafawagi.dll
SharedTaskScheduler-{885f25e6-b444-41be-8d8f-3dcefde7af16} - c:\windows\system32\fihiyota.dll
SharedTaskScheduler-{a9376150-0334-41ee-af64-fa39e20b92d7} - c:\windows\system32\wolizapa.dll
SharedTaskScheduler-{e0fecb7e-7885-42e6-a861-e99f0b35c3ed} - c:\windows\system32\wolizapa.dll
SharedTaskScheduler-{06b4fd7d-d54b-43ce-aba2-61c484e5185e} - c:\windows\system32\vetaweyo.dll
SharedTaskScheduler-{212c22cf-6ec4-415c-9e89-504a0470592a} - c:\windows\system32\vetaweyo.dll
SSODL-vifonovel-{0c8c7a14-05f0-424d-b34d-d42e7999b730} - (no file)
SSODL-zodevalud-{ced5b9f2-5240-4d74-bafb-67ffd8bd946e} - (no file)
SSODL-yukelekut-{ab76e428-23f9-4927-b3d9-0fe93b83f5a1} - c:\windows\system32\sujehihu.dll
SSODL-tovazejag-{5b761b56-ff04-40ae-aa42-9180b8a4d98d} - c:\windows\system32\sujehihu.dll
SSODL-hebuhogat-{9155ab46-df69-4a54-9aa1-cf9bb6693050} - c:\windows\system32\kafawagi.dll
SSODL-harigogon-{885f25e6-b444-41be-8d8f-3dcefde7af16} - c:\windows\system32\fihiyota.dll
SSODL-vebabutef-{a9376150-0334-41ee-af64-fa39e20b92d7} - c:\windows\system32\wolizapa.dll
SSODL-lolulahuz-{e0fecb7e-7885-42e6-a861-e99f0b35c3ed} - c:\windows\system32\wolizapa.dll
SSODL-pebefogew-{06b4fd7d-d54b-43ce-aba2-61c484e5185e} - c:\windows\system32\vetaweyo.dll
SSODL-doyohiwah-{212c22cf-6ec4-415c-9e89-504a0470592a} - c:\windows\system32\vetaweyo.dll
MSConfigStartUp-MCAgentExe - c:\progra~1\mcafee.com\agent\mcagent.exe
MSConfigStartUp-MCUpdateExe - c:\progra~1\mcafee.com\agent\mcupdate.exe
MSConfigStartUp-tijivufet - c:\windows\system32\wejuwava.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-02-21 12:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(536)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(592)
c:\windows\anetut.dll

- - - - - - - > 'explorer.exe'(2172)
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
c:\windows\system32\msls31.dll
c:\windows\system32\shdoclc.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\MSCTF.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\anetut.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\windows\RTHDCPL.EXE
c:\progra~1\COMMON~1\AOL\126076~1\EE\AOLHOS~1.EXE
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\progra~1\COMMON~1\AOL\126076~1\EE\AOLServiceHost.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-02-21 12:08:57 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-21 17:08

Pre-Run: 61,319,008,256 bytes free
Post-Run: 61,388,476,416 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - CF21DC843158C2613132B862DAA92F8C



Aprius
Intermediate

Posts : 90
Joined : 2009-11-10
Gender : Male
OS : Windows 7 64Bit
Protection : Hijack This!, Ccleaner, MalwareBytes, Avast!
Points : 26362
# Likes : 0


Re: Yet Another Probable Contamination

Post by Belahzur on 21st February 2010, 8:08 pm

Hello.

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open Notepad and copy/paste the text in the quotebox below into it:

    c:\windows\system32\bevukeyo.dll
    c:\windows\system32\bibegipe.dll.tmp
    c:\windows\system32\dinibafi.dll
    c:\windows\system32\ganizoni.dll.tmp
    c:\windows\system32\honomige.dll
    c:\windows\system32\jinorije.dll
    c:\windows\system32\juwefisi.dll
    c:\windows\system32\ligijowe.dll
    c:\windows\system32\mipiduwi.dll
    c:\windows\system32\tanetezo.dll
    c:\windows\system32\wosarako.dll.tmp
    c:\windows\system32\wuganabu.dll
    c:\windows\system32\yavawoji.dll.tmp
    c:\windows\system32\yidurufo.dll.tmp
    c:\windows\system32\zazuporo.dll.tmp
    c:\windows\anetut.dll

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf6e7a71-8e16-4097-bc40-d31902456e61}]
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

    Domains::
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245091
# Likes : 1

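The Registry:: section of the CFScript above does two things: it deletes a Browser Helper Object key, and it rewrites the LSA "Notification Packages" value as a hex(7) (REG_MULTI_SZ) byte list. DLLs named in that value are loaded into lsass.exe, which is why a helper resets it to the Windows default rather than leaving whatever the infection put there (the log earlier in the thread shows c:\windows\anetut.dll loaded under lsass.exe; whether it got there through this key is not stated in the thread). The Python below is an added illustration, not code from the thread or from the ComboFix project: it decodes the hex(7) payload, showing that the script sets the list to just scecli, and flags any entry that is not in the default set. The sample registry text is copied from the post; the UTF-16 sample and the "unknownpkg" name are constructed placeholders.

```python
"""Decode the REG_MULTI_SZ (hex(7)) value from a CFScript/.reg snippet and
compare an LSA "Notification Packages" list with the Windows default."""
import re
from typing import Dict, List

# Constructed sample: the two registry lines from the CFScript in the post
# above, in the form regedit and ComboFix accept.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
'''

# On a stock Windows XP machine the LSA notification package list holds
# only scecli (the Security Configuration Editor client).
DEFAULT_NOTIFICATION_PACKAGES = ["scecli"]


def decode_hex7(payload: str) -> List[str]:
    """Turn a hex(7) byte list into the strings of a REG_MULTI_SZ.

    A .reg file stores REG_MULTI_SZ as comma-separated hex bytes: each string
    is NUL-terminated and the list ends with an extra NUL.  regedit writes the
    bytes as UTF-16LE; the CFScript above writes plain 8-bit characters, so
    both encodings are handled (the UTF-16 test is a heuristic: every second
    byte is zero, which holds for the ASCII DLL names found in this value).
    """
    parts = [p.strip() for p in payload.split(",") if p.strip()]
    raw = bytes(int(p, 16) for p in parts)
    looks_utf16 = len(raw) % 2 == 0 and all(
        raw[i] == 0 for i in range(1, len(raw), 2))
    text = raw.decode("utf-16-le") if looks_utf16 else raw.decode("latin-1")
    return [s for s in text.split("\x00") if s]


def parse_reg_multi_sz(reg_text: str) -> Dict[str, List[str]]:
    """Return every hex(7) value in a .reg/CFScript snippet, decoded."""
    # regedit wraps long byte lists with a trailing backslash; join those lines.
    joined = re.sub(r"\\\r?\n\s*", "", reg_text)
    pattern = re.compile(r'^"([^"]+)"=hex\(7\):([0-9a-fA-F,\s]*)$', re.MULTILINE)
    values: Dict[str, List[str]] = {}
    for name, payload in pattern.findall(joined):
        values[name] = decode_hex7(payload)
    return values


def unexpected_packages(packages: List[str],
                        expected: List[str] = DEFAULT_NOTIFICATION_PACKAGES) -> List[str]:
    """Entries that are not in the expected default set.

    The comparison is case-insensitive because Windows resolves the names as
    file names (scecli -> scecli.dll in system32).
    """
    known = {e.lower() for e in expected}
    return [p for p in packages if p.lower() not in known]


if __name__ == "__main__":
    for name, entries in parse_reg_multi_sz(SAMPLE_REG).items():
        print(f"{name} -> {entries}")
    # Constructed example of a list a scan might report, with one extra DLL
    # (the name is a placeholder, not taken from the thread).
    print(unexpected_packages(["scecli", "unknownpkg"]))
```

Run it as a script and it prints the decoded list for the CFScript value (`['scecli']`) and the one constructed entry that the default does not contain. The same decoder works on a value exported by regedit, where the bytes come out as UTF-16LE and long lists are split across backslash-continued lines.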

Re: Yet Another Probable Contamination

Post by Aprius on 27th February 2010, 5:27 pm

ComboFix 10-02-21.02 - HackerX 02/27/2010 12:14:12.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.894.521 [GMT -5:00]
Running from: c:\documents and settings\HackerX\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\HackerX\Desktop\CFScript.txt.txt
AV: McAfee VirusScan *On-access scanning enabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
The following files were disabled during the run:
c:\windows\system32\dvduopen.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Brandon.M\Local Settings\Application Data\{999B48A6-519E-4D95-8219-37C5D29D1D8D}
c:\documents and settings\Brandon.M\Local Settings\Application Data\{999B48A6-519E-4D95-8219-37C5D29D1D8D}\chrome.manifest
c:\documents and settings\Brandon.M\Local Settings\Application Data\{999B48A6-519E-4D95-8219-37C5D29D1D8D}\chrome\content\_cfg.js
c:\documents and settings\Brandon.M\Local Settings\Application Data\{999B48A6-519E-4D95-8219-37C5D29D1D8D}\chrome\content\overlay.xul
c:\documents and settings\Brandon.M\Local Settings\Application Data\{999B48A6-519E-4D95-8219-37C5D29D1D8D}\install.rdf
c:\documents and settings\HackerX\Local Settings\Application Data\{07CFF975-09BF-4C9F-9173-919A461699D3}
c:\documents and settings\HackerX\Local Settings\Application Data\{07CFF975-09BF-4C9F-9173-919A461699D3}\chrome.manifest
c:\documents and settings\HackerX\Local Settings\Application Data\{07CFF975-09BF-4C9F-9173-919A461699D3}\chrome\content\_cfg.js
c:\documents and settings\HackerX\Local Settings\Application Data\{07CFF975-09BF-4C9F-9173-919A461699D3}\chrome\content\overlay.xul
c:\documents and settings\HackerX\Local Settings\Application Data\{07CFF975-09BF-4C9F-9173-919A461699D3}\install.rdf
c:\documents and settings\rita wilson\Local Settings\Application Data\{1C2F94C7-5807-483A-A454-1DB539B6C4DC}
c:\documents and settings\rita wilson\Local Settings\Application Data\{1C2F94C7-5807-483A-A454-1DB539B6C4DC}\chrome.manifest
c:\documents and settings\rita wilson\Local Settings\Application Data\{1C2F94C7-5807-483A-A454-1DB539B6C4DC}\chrome\content\_cfg.js
c:\documents and settings\rita wilson\Local Settings\Application Data\{1C2F94C7-5807-483A-A454-1DB539B6C4DC}\chrome\content\overlay.xul
c:\documents and settings\rita wilson\Local Settings\Application Data\{1C2F94C7-5807-483A-A454-1DB539B6C4DC}\install.rdf
c:\windows\isataqunuhogaj.dll

.
((((((((((((((((((((((((( Files Created from 2010-01-27 to 2010-02-27 )))))))))))))))))))))))))))))))
.

2010-02-20 17:09 . 2010-02-20 17:09 -------- d-----w- c:\documents and settings\Brandon.M\Application Data\AdobeUM
2010-02-20 16:21 . 2010-02-20 16:27 -------- d-----w- c:\program files\American Civil War - Gettysburg
2010-02-20 01:59 . 2010-02-20 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2010-02-20 01:12 . 2010-02-20 01:12 -------- d-----w- c:\program files\3DO
2010-02-18 22:53 . 2010-02-18 22:53 -------- d-----w- C:\Xfire
2010-02-18 00:36 . 2010-02-18 00:36 -------- d-----w- c:\documents and settings\rita wilson\Local Settings\Application Data\IsolatedStorage
2010-02-18 00:36 . 2010-02-18 00:36 -------- d-----w- c:\documents and settings\rita wilson\Local Settings\Application Data\Intuit
2010-02-18 00:36 . 2010-02-18 00:36 -------- d-----w- c:\documents and settings\rita wilson\Application Data\Intuit
2010-02-18 00:15 . 2010-02-24 23:36 120 ----a-w- c:\documents and settings\rita wilson\Local Settings\Application Data\Lsalif.dat
2010-02-18 00:15 . 2010-02-19 14:09 0 ----a-w- c:\documents and settings\rita wilson\Local Settings\Application Data\Mwokumulig.bin
2010-02-17 20:25 . 2010-02-27 13:26 0 ----a-w- c:\windows\Mwokumulig.bin
2010-02-17 20:25 . 2010-02-27 15:28 120 ----a-w- c:\windows\Lsalif.dat
2010-02-16 13:25 . 2010-02-16 13:25 -------- d-----w- c:\documents and settings\HackerX\Local Settings\Application Data\Conduit
2010-02-16 13:25 . 2010-02-18 23:18 -------- d-----w- c:\documents and settings\HackerX\Local Settings\Application Data\ToggleEN
2010-02-16 13:23 . 2010-02-27 15:28 -------- d-----w- c:\documents and settings\HackerX\Application Data\HPAppData
2010-02-16 13:16 . 2010-02-19 22:25 35328 ----a-w- c:\windows\system32\dvduopen.dll
2010-02-16 13:08 . 2010-02-16 13:08 -------- d-----w- c:\documents and settings\rita wilson\Application Data\Yahoo!
2010-02-16 13:05 . 2010-02-19 14:10 -------- d-----w- c:\documents and settings\rita wilson\Application Data\HPAppData
2010-02-15 16:23 . 2010-02-15 16:23 -------- d-----w- c:\documents and settings\Brandon.M\Application Data\Yahoo!
2010-02-15 16:22 . 2010-02-27 15:07 -------- d-----w- c:\documents and settings\Brandon.M\Application Data\HPAppData
2010-02-15 16:21 . 2010-02-15 16:21 -------- d-----w- c:\documents and settings\Brandon.M\Application Data\HP
2010-02-15 15:58 . 2010-02-15 16:04 -------- d-----w- c:\documents and settings\HackerX\Application Data\HP
2010-02-15 15:58 . 2010-02-15 15:58 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
2010-02-15 15:54 . 2010-02-15 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-02-15 15:54 . 2010-02-15 15:54 -------- d-----w- c:\documents and settings\HackerX\Application Data\Yahoo!
2010-02-15 15:54 . 2010-02-15 15:54 -------- d-----w- c:\program files\Yahoo!
2010-02-15 15:53 . 2010-02-15 15:53 -------- d-----w- c:\program files\Common Files\HP
2010-02-15 15:52 . 2010-02-15 15:52 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2010-02-15 15:50 . 2010-02-15 15:50 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2010-02-15 15:50 . 2010-02-18 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-02-15 15:48 . 2010-02-15 15:58 160812 ----a-w- c:\windows\hphins33.dat
2010-02-15 15:48 . 2009-06-11 10:17 586 ------w- c:\windows\hphmdl33.dat
2010-02-15 15:36 . 2010-02-15 15:53 -------- d-----w- c:\program files\HP
2010-02-15 15:35 . 2008-10-28 10:27 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
2010-02-15 15:35 . 2008-10-28 10:27 49920 ----a-r- c:\windows\system32\drivers\HPZid412.sys
2010-02-15 15:34 . 2009-04-16 19:08 126976 ----a-w- c:\windows\system32\hpfll70v.dll
2010-02-15 15:34 . 2009-04-16 19:08 312832 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpfpp70v.dll
2010-02-15 15:34 . 2009-04-15 21:53 452408 ----a-r- c:\windows\system32\hpzids01.dll
2010-02-15 15:34 . 2010-02-15 15:34 -------- dc----w- c:\windows\system32\DRVSTORE
2010-02-15 15:33 . 2008-10-28 10:27 309760 ----a-r- c:\windows\system32\difxapi.dll
2010-02-15 15:33 . 2008-10-28 10:27 372736 ----a-r- c:\windows\system32\hppldcoi.dll
2010-02-15 15:33 . 2008-10-28 10:27 21568 ----a-r- c:\windows\system32\drivers\HPZius12.sys
2010-02-15 15:32 . 2004-08-04 04:01 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-02-15 15:32 . 2004-08-04 04:01 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-02-14 19:59 . 2010-02-16 22:00 -------- d-----w- c:\program files\StarCraft
2010-02-14 19:59 . 2010-02-14 20:09 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-02-14 02:28 . 2010-02-14 02:28 -------- d-----w- c:\program files\Trend Micro
2010-02-13 20:03 . 2010-02-13 20:03 -------- d-----w- c:\documents and settings\Brandon.M\Local Settings\Application Data\Help
2010-02-13 19:41 . 2010-02-27 15:02 -------- d-----w- c:\documents and settings\Brandon.M\Application Data\Software Informer
2010-02-13 19:41 . 2010-02-13 19:43 -------- d-----w- c:\program files\Software Informer
2010-02-13 17:02 . 2010-02-13 17:02 -------- d-----w- c:\program files\Atari
2010-02-12 22:06 . 2010-02-12 22:06 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\IsolatedStorage
2010-02-12 22:06 . 2010-02-12 22:06 -------- d-----w- c:\documents and settings\HackerX\Local Settings\Application Data\Intuit
2010-02-12 22:05 . 2010-02-12 22:05 -------- d-----w- c:\documents and settings\HackerX\Application Data\Intuit
2010-02-12 22:05 . 2010-02-12 22:05 -------- d-----w- c:\program files\Common Files\AnswerWorks 5.0
2010-02-12 21:57 . 2010-02-12 21:57 -------- d-----w- c:\documents and settings\HackerX\Local Settings\Application Data\IsolatedStorage
2010-02-12 21:57 . 2010-02-12 22:04 -------- d-----w- c:\program files\Common Files\Intuit
2010-02-12 21:56 . 2010-02-12 21:56 -------- d-----w- c:\program files\TurboTax
2010-02-12 21:55 . 2010-02-12 21:55 -------- d-----w- c:\windows\system32\XPSViewer
2010-02-12 21:55 . 2010-02-12 21:55 -------- d-----w- c:\program files\MSBuild
2010-02-12 21:54 . 2010-02-12 21:54 -------- d-----w- c:\program files\Reference Assemblies
2010-02-12 21:54 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-02-12 21:54 . 2010-02-12 21:54 -------- d-----w- C:\689cbcae47736664b9
2010-02-12 21:54 . 2008-07-06 12:06 89088 -c--a-w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-02-12 21:54 . 2008-07-06 12:06 575488 -c--a-w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-02-12 21:54 . 2008-07-06 12:06 575488 ----a-w- c:\windows\system32\xpsshhdr.dll
2010-02-12 21:54 . 2008-07-06 12:06 1676288 -c--a-w- c:\windows\system32\dllcache\xpssvcs.dll
2010-02-12 21:54 . 2008-07-06 12:06 1676288 ----a-w- c:\windows\system32\xpssvcs.dll
2010-02-12 21:54 . 2008-07-06 12:06 117760 ----a-w- c:\windows\system32\prntvpt.dll
2010-02-12 21:54 . 2008-07-06 10:50 597504 -c--a-w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-02-12 21:54 . 2008-07-06 10:50 597504 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-02-12 21:51 . 2010-02-12 21:51 -------- d-----w- c:\program files\MSXML 6.0
2010-02-12 21:45 . 2010-02-12 21:45 -------- d-----w- c:\documents and settings\HackerX\Local Settings\Application Data\DNA
2010-02-12 21:45 . 2010-02-27 17:22 -------- d-----w- c:\documents and settings\HackerX\Application Data\DNA
2010-02-12 21:45 . 2010-02-12 21:45 -------- d-----w- c:\documents and settings\HackerX\Local Settings\Application Data\GamersFirst LIVE!
2010-02-11 13:33 . 2010-02-11 13:33 -------- d-----w- c:\documents and settings\rita wilson\Local Settings\Application Data\DNA
2010-02-11 13:33 . 2010-02-19 14:14 -------- d-----w- c:\documents and settings\rita wilson\Application Data\DNA
2010-02-11 13:33 . 2010-02-11 13:33 -------- d-----w- c:\documents and settings\rita wilson\Program Files
2010-02-11 13:33 . 2010-02-11 13:33 -------- d-----w- c:\documents and settings\rita wilson\Local Settings\Application Data\GamersFirst LIVE!
2010-02-11 03:16 . 2010-02-11 03:16 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-02-10 22:51 . 2010-02-10 22:57 -------- d-----w- c:\documents and settings\Brandon.M\Local Settings\Application Data\GamersFirst LIVE!
2010-02-10 22:51 . 2010-02-10 22:51 -------- d-----w- c:\program files\GamersFirst
2010-02-10 19:50 . 2010-02-12 22:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2010-02-09 20:45 . 2010-02-09 20:45 -------- d-----w- c:\program files\MSXML 4.0
2010-02-08 20:27 . 2010-02-08 20:34 -------- d-----w- c:\program files\Galaxy Online
2010-02-08 14:52 . 2010-02-08 14:52 -------- d-----w- c:\windows\system32\drivers\NSS
2010-02-08 14:52 . 2010-02-08 14:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-02-08 14:52 . 2010-02-08 14:52 -------- d-----w- c:\program files\Norton Security Scan
2010-02-08 14:52 . 2010-02-08 14:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-02-08 14:52 . 2010-02-08 14:52 -------- d-----w- c:\program files\NortonInstaller
2010-02-08 14:52 . 2010-02-08 14:52 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-02-08 02:25 . 2010-02-08 02:25 -------- d-----w- c:\windows\system32\Adobe
2010-02-07 19:32 . 2010-02-07 19:33 -------- d-----w- c:\documents and settings\Brandon.M\Local Settings\Application Data\Adobe
2010-02-07 00:09 . 2010-02-07 00:09 65536 ----a-w- c:\windows\IFinst27.exe
2010-02-03 00:06 . 2004-08-10 19:00 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2010-02-03 00:01 . 2010-02-03 00:01 -------- d-----w- c:\program files\Windows Media Connect 2
2010-02-03 00:00 . 2010-02-03 00:00 -------- d-----w- c:\windows\system32\drivers\UMDF
2010-02-02 23:51 . 2010-02-02 23:51 -------- d-----w- c:\documents and settings\Brandon.M\Application Data\uTorrent
2010-02-02 21:25 . 2009-12-16 19:42 43008 ----a-w- c:\documents and settings\HackerX\Application Data\Mozilla\Firefox\Profiles\yael0wua.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-02-02 21:25 . 2009-12-16 19:42 872960 ----a-w- c:\documents and settings\HackerX\Application Data\Mozilla\Firefox\Profiles\yael0wua.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-02-02 21:25 . 2009-12-16 19:42 340480 ----a-w- c:\documents and settings\HackerX\Application Data\Mozilla\Firefox\Profiles\yael0wua.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-02-02 21:25 . 2009-12-16 19:41 346624 ----a-w- c:\documents and settings\HackerX\Application Data\Mozilla\Firefox\Profiles\yael0wua.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-02-02 21:16 . 2010-02-02 21:16 -------- d-----w- c:\program files\uTorrent
2010-02-02 21:15 . 2010-02-03 00:03 -------- d-----w- c:\documents and settings\HackerX\Application Data\uTorrent
2010-02-02 21:01 . 2010-02-02 21:01 -------- d-----w- c:\documents and settings\HackerX\Application Data\Malwarebytes
2010-02-02 02:25 . 2010-02-16 21:17 38968 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-01-31 19:38 . 2010-01-31 19:38 -------- d-----w- c:\documents and settings\rita wilson\Application Data\Red Alert 3
2010-01-31 19:38 . 2010-01-31 19:38 -------- d--h--r- c:\documents and settings\rita wilson\Application Data\SecuROM
2010-01-30 17:53 . 2009-12-16 19:42 43008 ----a-w- c:\documents and settings\rita wilson\Application Data\Mozilla\Firefox\Profiles\48jwqe1o.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-01-30 17:53 . 2009-12-16 19:42 340480 ----a-w- c:\documents and settings\rita wilson\Application Data\Mozilla\Firefox\Profiles\48jwqe1o.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-01-30 17:53 . 2009-12-16 19:41 346624 ----a-w- c:\documents and settings\rita wilson\Application Data\Mozilla\Firefox\Profiles\48jwqe1o.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-01-30 17:53 . 2009-12-16 19:42 872960 ----a-w- c:\documents and settings\rita wilson\Application Data\Mozilla\Firefox\Profiles\48jwqe1o.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-27 17:22 . 2010-01-10 22:28 -------- d-----w- c:\program files\DNA
2010-02-27 17:20 . 2010-01-10 22:28 -------- d-----w- c:\documents and settings\Brandon.M\Application Data\DNA
2010-02-26 03:10 . 2010-01-17 01:43 -------- d-s---w- c:\program files\Xfire
2010-02-26 01:40 . 2010-01-17 01:43 -------- d-----w- c:\documents and settings\Brandon.M\Application Data\Xfire
2010-02-18 01:39 . 2010-01-24 17:46 -------- d-----w- c:\program files\Crawler
2010-02-16 13:25 . 2010-01-23 03:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-16 13:08 . 2010-01-16 20:40 -------- d-----w- c:\program files\ToggleEN
2010-02-15 16:04 . 2006-06-19 04:25 38968 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-15 15:36 . 2010-01-12 20:29 -------- d-----w- c:\documents and settings\rita wilson\Application Data\McAfee.com Personal Firewall
2010-02-13 21:14 . 2010-01-13 01:22 -------- d-----w- c:\documents and settings\Brandon.M\Application Data\Red Alert 3
2010-02-13 20:33 . 2009-12-14 04:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-12 21:58 . 2010-01-09 17:21 -------- d-----w- c:\documents and settings\HackerX\Application Data\McAfee.com Personal Firewall
2010-02-11 22:23 . 2010-01-17 01:20 509708424 ----a-w- c:\documents and settings\Brandon.M\Application Data\ijjigame\U_SFInstaller.exe
2010-02-09 20:46 . 2010-01-16 21:35 -------- d-----w- c:\program files\GameSpy Arcade
2010-02-09 20:43 . 2009-12-20 03:04 -------- d-----w- c:\program files\Microsoft Games
2010-01-28 00:07 . 2010-01-28 00:07 -------- d-----w- c:\documents and settings\Brandon.M\Application Data\Petroglyph
2010-01-27 23:47 . 2010-01-27 23:47 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Xfire
2010-01-27 02:37 . 2010-01-27 02:37 -------- d-----w- c:\documents and settings\Brandon.M\Application Data\Notepad++
2010-01-27 02:37 . 2010-01-27 02:37 -------- d-----w- c:\program files\Notepad++
2010-01-27 02:31 . 2010-01-27 02:31 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-01-25 03:59 . 2010-01-24 17:55 -------- d-----w- c:\documents and settings\Brandon.M\Application Data\Azureus
2010-01-24 17:55 . 2010-01-24 17:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
2010-01-24 17:54 . 2010-01-24 17:54 -------- d-----w- c:\program files\Vuze
2010-01-23 03:13 . 2010-01-16 17:50 -------- d-----w- c:\program files\Youdagames
2010-01-23 03:11 . 2009-12-14 04:56 -------- d-----w- c:\program files\CyberLink
2010-01-23 03:10 . 2009-12-14 05:07 -------- d-----w- c:\program files\Common Files\AOL
2010-01-23 03:10 . 2009-12-14 05:07 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2010-01-23 03:05 . 2010-01-23 03:05 -------- d-----w- c:\documents and settings\Brandon.M\Application Data\Malwarebytes
2010-01-23 03:04 . 2009-12-14 05:02 -------- d-----w- c:\program files\Gateway Games
2010-01-23 03:04 . 2010-01-23 03:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-23 03:04 . 2009-12-14 05:02 -------- d-----w- c:\program files\WildTangent
2010-01-23 03:04 . 2009-12-14 05:02 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent
2010-01-23 03:02 . 2010-01-23 03:02 -------- d-----w- c:\program files\CCleaner
2010-01-23 02:43 . 2010-01-23 02:43 -------- d-----w- c:\program files\Softnyx
2010-01-17 21:43 . 2010-01-17 18:40 1804553488 ----a-w- c:\documents and settings\Brandon.M\Application Data\ijjigame\U_AVA_Setup.exe
2010-01-17 20:18 . 2010-01-17 01:20 -------- d--h--w- c:\documents and settings\Brandon.M\Application Data\ijjigame
2010-01-17 14:59 . 2010-01-17 14:59 -------- d-----w- c:\documents and settings\LocalService\Application Data\Xfire
2010-01-17 02:08 . 2010-01-17 02:08 -------- d-----w- c:\documents and settings\All Users\Application Data\ijjigame
2010-01-17 01:47 . 2010-01-17 01:47 -------- d-----w- c:\program files\Common Files\INCA Shared
2010-01-17 00:33 . 2010-01-17 00:33 -------- d-----w- c:\program files\ijji
2010-01-16 21:38 . 2010-01-16 21:38 -------- d-----w- c:\documents and settings\Brandon.M\Application Data\Sierra
2010-01-16 21:34 . 2010-01-16 21:34 -------- d-----w- c:\program files\Sierra
2010-01-16 20:43 . 2010-01-16 17:50 -------- d-----w- c:\documents and settings\Brandon.M\Application Data\Youdagames
2010-01-16 20:42 . 2010-01-16 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Youdagames
2010-01-16 20:40 . 2010-01-16 20:40 -------- d-----w- c:\program files\Conduit
2010-01-15 22:13 . 2010-01-15 22:13 138056 ----a-w- c:\documents and settings\Brandon.M\Application Data\PnkBstrK.sys
2010-01-15 22:13 . 2010-01-15 22:13 138056 ----a-w- c:\documents and settings\Brandon.M\Application Data\PnkBstrK.sys
2010-01-15 22:02 . 2010-01-15 22:02 -------- d-----w- c:\program files\EA Games
2010-01-15 17:05 . 2010-01-15 17:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Age of Empires 3 XPack Trial
2010-01-13 01:21 . 2010-01-13 01:21 -------- d--h--r- c:\documents and settings\Brandon.M\Application Data\SecuROM
2010-01-12 21:37 . 2010-01-12 13:15 -------- d-----w- c:\documents and settings\All Users\Application Data\NexonUS
2010-01-12 21:35 . 2010-01-12 21:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Nexon
2010-01-12 13:15 . 2010-01-12 13:15 90112 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
2010-01-12 13:15 . 2010-01-12 13:15 561152 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
2010-01-12 13:15 . 2010-01-12 13:15 393216 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2010-01-12 13:15 . 2010-01-12 13:15 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll
2010-01-12 13:15 . 2010-01-12 13:15 118784 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll
2010-01-12 13:15 . 2010-01-12 13:15 167936 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe
2010-01-12 12:52 . 2010-01-12 12:52 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2010-01-12 12:51 . 2010-01-12 12:51 -------- d-----w- c:\program files\Pando Networks
2010-01-12 12:45 . 2010-01-09 17:47 -------- d-----w- c:\program files\StarWarsGalaxies
2010-01-10 17:29 . 2010-01-10 17:18 -------- d-----w- c:\documents and settings\Brandon.M\Application Data\McAfee.com Personal Firewall
2010-01-09 17:35 . 2010-01-09 17:35 -------- d-----w- c:\program files\Sony
2010-01-09 17:25 . 2009-12-14 05:10 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com Personal Firewall
2010-01-07 21:07 . 2010-01-23 03:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2010-01-23 03:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-28 01:32 . 2009-12-14 04:18 12464 ----a-w- c:\windows\system32\drivers\secdrv.sys
2009-12-28 01:22 . 2009-12-28 01:22 484 ----a-w- c:\windows\eReg.dat
2009-12-22 00:15 . 2009-12-20 03:15 21840 ----atw- c:\windows\system32\SIntfNT.dll
2009-12-22 00:15 . 2009-12-20 03:15 17212 ----atw- c:\windows\system32\SIntf32.dll
2009-12-20 03:01 . 2009-12-20 03:01 16 ----a-w- c:\windows\popcinfo.dat
2009-12-20 02:09 . 2009-12-20 02:09 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-12-20 01:35 . 2009-12-20 01:35 3624 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-12-17 23:18 . 2009-12-17 23:18 75264 ----a-w- c:\windows\system32\uc_holybeast_launching.dll
2009-12-17 23:17 . 2009-12-17 23:17 64000 ----a-w- c:\windows\system32\uc_sfighters_launching.dll
2009-12-16 19:42 . 2010-01-27 02:43 872960 ----a-w- c:\documents and settings\Brandon.M\Application Data\Mozilla\Firefox\Profiles\gxyhp0ai.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-12-16 19:42 . 2010-01-27 02:43 43008 ----a-w- c:\documents and settings\Brandon.M\Application Data\Mozilla\Firefox\Profiles\gxyhp0ai.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-12-16 19:42 . 2010-01-27 02:43 340480 ----a-w- c:\documents and settings\Brandon.M\Application Data\Mozilla\Firefox\Profiles\gxyhp0ai.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-12-16 19:41 . 2010-01-27 02:43 346624 ----a-w- c:\documents and settings\Brandon.M\Application Data\Mozilla\Firefox\Profiles\gxyhp0ai.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-12-15 22:21 . 2009-12-15 22:21 427008 ----a-w- c:\windows\system32\uc_wepic_launching.dll
2009-12-14 05:07 . 2009-12-14 05:07 8552 ----a-w- c:\windows\system32\drivers\asctrm.sys
2009-12-14 05:07 . 2009-12-14 05:07 335 ----a-w- c:\windows\nsreg.dat
2009-12-14 05:05 . 2009-12-14 05:05 4 ----a-w- c:\windows\Pix11.dat
2009-12-14 04:43 . 2009-12-14 04:43 60 ----a-w- c:\windows\system32\SYSDRV.DAT
1601-01-01 00:03 . 1601-01-01 00:03 66560 --sha-w- c:\windows\system32\bevukeyo.dll
1601-01-01 00:03 . 1601-01-01 00:03 51712 --sha-w- c:\windows\system32\bibegipe.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03 100352 --sha-w- c:\windows\system32\dinibafi.dll
1601-01-01 00:03 . 1601-01-01 00:03 53248 --sha-w- c:\windows\system32\ganizoni.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03 96768 --sha-w- c:\windows\system32\honomige.dll
1601-01-01 00:03 . 1601-01-01 00:03 39424 --sha-w- c:\windows\system32\jinorije.dll
1601-01-01 00:03 . 1601-01-01 00:03 39424 --sha-w- c:\windows\system32\juwefisi.dll
1601-01-01 00:03 . 1601-01-01 00:03 56320 --sha-w- c:\windows\system32\ligijowe.dll
1601-01-01 00:03 . 1601-01-01 00:03 100864 --sha-w- c:\windows\system32\mipiduwi.dll
1601-01-01 00:03 . 1601-01-01 00:03 39424 --sha-w- c:\windows\system32\tanetezo.dll
1601-01-01 00:03 . 1601-01-01 00:03 51712 --sha-w- c:\windows\system32\wosarako.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03 92672 --sha-w- c:\windows\system32\wuganabu.dll
1601-01-01 00:03 . 1601-01-01 00:03 53248 --sha-w- c:\windows\system32\yavawoji.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03 53248 --sha-w- c:\windows\system32\yidurufo.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03 51712 --sha-w- c:\windows\system32\zazuporo.dll.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]
2010-02-16 13:26 2349080 ----a-w- c:\program files\ToggleEN\tbTog0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{038cb5c7-48ea-4af9-94e0-a1646542e62b}"= "c:\program files\ToggleEN\tbTog0.dll" [2010-02-16 2349080]

[HKEY_CLASSES_ROOT\clsid\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{038CB5C7-48EA-4AF9-94E0-A1646542E62B}"= "c:\program files\ToggleEN\tbTog0.dll" [2010-02-16 2349080]

[HKEY_CLASSES_ROOT\clsid\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2010-02-12 323392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 16143872]
"HostManager"="c:\program files\Common Files\AOL\1260767234\EE\AOLHostManager.exe" [2004-11-03 125528]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-12-14 98304]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-13 1121792]
"donepofibi"="yajosofo.dll" [BU]
"Pdaluz"="c:\windows\isataqunuhogaj.dll" [BU]

c:\documents and settings\Brandon.M\Start Menu\Programs\Startup\
Xfire.lnk - c:\program files\Xfire\xfire.exe [2010-2-10 3207056]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
GamersFirst LIVE!.lnk - c:\program files\GamersFirst\LIVE!\Live.exe [2009-10-27 2665328]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
WG111v2 Smart Wizard Wireless Setting.lnk - c:\program files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2009-12-14 745472]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-11-18 495432]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli anetut.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Install Pending Files.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Install Pending Files.LNK
backup=c:\windows\pss\Install Pending Files.LNKCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1260767234\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III - The WarChiefs Trial\\age3x.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War Forces of Corruption\\swfoc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\ehome\\ehtray.exe"=
"c:\\Program Files\\Digital Media Reader\\readericon45G.exe"=
"c:\\WINDOWS\\RTHDCPL.exe"=
"c:\\WINDOWS\\creator\\Remind_XP.exe"=
"c:\\Program Files\\GamersFirst\\LIVE!\\Live.exe"=
"c:\\Program Files\\NETGEAR\\WG111v2 Configuration Utility\\RtlWake.exe"=
"c:\\WINDOWS\\system32\\Macromed\\Flash\\NPSWF32_FlashUtil.exe"=
"c:\\Program Files\\WinZip\\WZQKPICK.EXE"=
"c:\\Program Files\\Common Files\\AOL\\1260767234\\EE\\AOLHostManager.exe"=
"c:\\Program Files\\McAfee\\SpamKiller\\MSKDetct.exe"=
"c:\\WINDOWS\\ehome\\ehmsas.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Electronic Arts\\Red Alert 3\\Data\\ra3_1.12.game"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57064:TCP"= 57064:TCP:Pando Media Booster
"57064:UDP"= 57064:UDP:Pando Media Booster

R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [12/14/2009 6:39 PM 66048]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [12/14/2009 6:26 PM 167808]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [12/14/2009 6:39 PM 13532]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-12-14 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2009-12-14 19:00]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
IE: &Search
IE: Crawler Search - tbr:iemenu
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\HackerX\Application Data\Mozilla\Firefox\Profiles\yael0wua.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\HackerX\Application Data\Mozilla\Firefox\Profiles\yael0wua.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSeymour.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-02-27 12:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(536)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(592)
c:\windows\anetut.dll

- - - - - - - > 'explorer.exe'(2860)
c:\windows\system32\dvduopen.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\anetut.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\windows\eHome\ehRecvr.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\eHome\ehmsas.exe
c:\progra~1\COMMON~1\AOL\126076~1\EE\AOLHOS~1.EXE
c:\progra~1\COMMON~1\AOL\126076~1\EE\AOLServiceHost.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2010-02-27 12:26:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-27 17:26
ComboFix2.txt 2010-02-21 17:08

Pre-Run: 61,080,039,424 bytes free
Post-Run: 61,056,139,264 bytes free

- - End Of File - - 2E15CB78EB50F5EB8C3ED46B325FD787



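The log above carries several classic persistence indicators that are worth pulling out mechanically rather than by eye: a cluster of eight-letter DLLs in system32 whose timestamps are 1601-01-01 (a zero FILETIME, i.e. forged) and whose attributes include system and hidden (`--sha-w-`); `anetut.dll` appended to the LSA `Notification Packages` value, which gets it loaded into lsass.exe at boot; and that same DLL showing up under lsass.exe from `c:\windows` rather than system32. The following triage script is an added example, not part of the original post and not ComboFix's own code. It parses the ComboFix line formats seen above and flags those three indicator types. The sample input is a constructed excerpt copied from the log lines in this thread; the assumption that a stock Windows XP `Notification Packages` value contains only `scecli` is labelled in the code.

```python
"""Triage a ComboFix log excerpt for persistence indicators.

Added example (not from the original post or from ComboFix). Heuristics:
  * file entries with a 1601-01-01 timestamp (zero FILETIME, forged) or
    with both the 's' (system) and 'h' (hidden) attribute flags set
  * LSA "Notification Packages" entries beyond the stock default
  * modules loaded into lsass.exe from outside %windir%\\system32
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
2009-12-15 22:21 . 2009-12-15 22:21 427008 ----a-w- c:\windows\system32\uc_wepic_launching.dll
2009-12-14 05:07 . 2009-12-14 05:07 8552 ----a-w- c:\windows\system32\drivers\asctrm.sys
1601-01-01 00:03 . 1601-01-01 00:03 66560 --sha-w- c:\windows\system32\bevukeyo.dll
1601-01-01 00:03 . 1601-01-01 00:03 51712 --sha-w- c:\windows\system32\bibegipe.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03 39424 --sha-w- c:\windows\system32\tanetezo.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli anetut.dll

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(536)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(592)
c:\windows\anetut.dll

- - - - - - - > 'explorer.exe'(2860)
c:\windows\system32\dvduopen.dll
c:\windows\anetut.dll
"""

# "created . modified size attrs path" as ComboFix prints file entries
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} "
    r"(?P<size>\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
PROCESS_RE = re.compile(r"^- - - - - - - > '(?P<name>[^']+)'\((?P<pid>\d+)\)$")
LSA_RE = re.compile(r"^Notification Packages\s+REG_MULTI_SZ\s+(?P<pkgs>.+)$")

ZERO_FILETIME_DATE = "1601-01-01"    # FILETIME epoch: a zeroed or forged timestamp
DEFAULT_LSA_PACKAGES = {"scecli"}    # assumption: stock Windows XP value
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass
class Finding:
    kind: str                      # "file", "lsa_package" or "lsass_module"
    target: str                    # path or package name that was flagged
    reasons: List[str] = field(default_factory=list)


def triage(log_text: str) -> List[Finding]:
    """Walk the log line by line and collect suspicious entries."""
    findings: List[Finding] = []
    current_process: Optional[str] = None  # set while inside a 'DLLs Loaded' group
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            current_process = None          # blank line ends a process group
            continue
        m = FILE_RE.match(line)
        if m:
            reasons = []
            if ZERO_FILETIME_DATE in (m["created"], m["modified"]):
                reasons.append("zero FILETIME (1601-01-01) timestamp")
            if "s" in m["attrs"] and "h" in m["attrs"]:
                reasons.append("system+hidden attributes")
            if reasons:
                findings.append(Finding("file", m["path"], reasons))
            continue
        m = LSA_RE.match(line)
        if m:
            for pkg in m["pkgs"].split():
                name = pkg.lower()
                if name.endswith(".dll"):
                    name = name[:-4]
                if name not in DEFAULT_LSA_PACKAGES:
                    findings.append(Finding("lsa_package", pkg,
                        ["non-default LSA notification package (loaded into lsass.exe)"]))
            continue
        m = PROCESS_RE.match(line)
        if m:
            current_process = m["name"].lower()
            continue
        # Module paths listed under a process header
        if current_process == "lsass.exe" and line.lower().startswith("c:\\"):
            if not line.lower().startswith(SYSTEM32):
                findings.append(Finding("lsass_module", line,
                    ["module in lsass.exe loaded from outside system32"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.target}: {'; '.join(f.reasons)}")
```

Run against the excerpt, the script flags the three forged-timestamp, system+hidden DLLs, ignores the legitimately dated `uc_wepic_launching.dll` and `asctrm.sys`, reports `anetut.dll` as an LSA notification package, and reports the same DLL as an lsass.exe module outside system32. The lsass.exe check is deliberately narrow: a DLL injected into the local security authority is the kind of foothold that can watch for and delete a scanner's executable, which is why the LSA key and that process list are the two places to look first when `mbam.exe` keeps disappearing.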
Re: Yet Another Probable Contamination

Post by Belahzur on 27th February 2010, 8:27 pm

Hello.
That didn't work right: you either didn't copy/paste everything inside my quote box, or you saved the script file wrong.

The script was saved as CFScript.txt.txt, not CFScript.txt. Please try again.


