
Thread: Virtumonde

  1. #11
    Member
    Join Date
    Sep 2009
    Posts
    32


    Hi,
    Here it is.
    SystemLook v1.0 by jpshortstuff (29.08.09)
    Log created at 06:20 on 19/09/2009 by John (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for "svchost.exe"
    C:\i386\SVCHOST.EXE --a--c 14336 bytes [19:22 15/12/2004] [11:00 04/08/2004] 8F078AE4ED187AAABC0A305146DE6716
    C:\WINDOWS\$NtServicePackUninstall$\svchost.exe -----c 14336 bytes [14:24 30/07/2009] [11:00 04/08/2004] 8F078AE4ED187AAABC0A305146DE6716
    C:\WINDOWS\ServicePackFiles\i386\svchost.exe ------ 14336 bytes [00:12 14/04/2008] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
    C:\WINDOWS\SYSTEM32\svchost.exe --a--- 0 bytes [11:00 04/08/2004] [00:12 14/04/2008] D41D8CD98F00B204E9800998ECF8427E

    -=End Of File=-

  2. #12
    Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,300


    Hi,

    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    FCopy::
    C:\WINDOWS\$NtServicePackUninstall$\svchost.exe | c:\windows\system32\svchost.exe
    Reboot::

    Save this as CFScript

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



    Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
    Then post the resultant log and a fresh dds.txt log.
    Microsoft Windows Insider MVP 2016-2018
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems, create a thread in the forum, please.

    Malware removal instructions are for the corresponding user's case only.
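The SystemLook listing in post #11 and the FCopy:: fix in post #12 hinge on one observation: the live c:\windows\system32\svchost.exe is 0 bytes, and its MD5 (D41D8CD9...) is the hash of empty input, so the binary was emptied rather than swapped for something else, while three intact copies remain in backup directories. The script below is an added example for readers of this thread; it is not code from SystemLook, ComboFix or either poster. It parses filefind lines of the form shown above (the four sample lines are copied from the posted log, with the header and footer left in to show they are skipped), flags any copy that is zero-length or hashes to the empty-input MD5, groups the intact copies by hash (the 2004 and 2008 copies legitimately differ because they come from different service pack levels, so the helper still chooses the source), and re-hashes the restored file afterwards. The file names in the closing comment are assumptions for illustration.

```python
"""Triage a SystemLook 'filefind' listing for an emptied system binary.

Added example for this thread; not code from SystemLook, ComboFix or the
posters. Parses the filefind lines, flags the copy that hashes to the
empty-input MD5, groups intact copies by hash so a restore source can be
chosen, and verifies the restored file by re-hashing it.
"""
import hashlib
import re
from dataclasses import dataclass

# MD5 of zero bytes. A system binary that hashes to this has been truncated
# to nothing (as c:\windows\system32\svchost.exe was in the posted log),
# which is a different finding from a binary that was replaced by malware.
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"

# SystemLook filefind result line layout:
#   <path> <attrs> <size> bytes [<modified>] [<created>] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<modified>[^\]]+)\]\s+\[(?P<created>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# Constructed sample input: the four result lines copied from the SystemLook
# log posted in this thread, with header/footer lines kept to exercise the
# line filter.
SAMPLE = r"""
========== filefind ==========

Searching for "svchost.exe"
C:\i386\SVCHOST.EXE --a--c 14336 bytes [19:22 15/12/2004] [11:00 04/08/2004] 8F078AE4ED187AAABC0A305146DE6716
C:\WINDOWS\$NtServicePackUninstall$\svchost.exe -----c 14336 bytes [14:24 30/07/2009] [11:00 04/08/2004] 8F078AE4ED187AAABC0A305146DE6716
C:\WINDOWS\ServicePackFiles\i386\svchost.exe ------ 14336 bytes [00:12 14/04/2008] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\SYSTEM32\svchost.exe --a--- 0 bytes [11:00 04/08/2004] [00:12 14/04/2008] D41D8CD98F00B204E9800998ECF8427E

-=End Of File=-
"""


@dataclass(frozen=True)
class Copy:
    path: str
    size: int
    md5: str
    modified: str


def parse_filefind(text):
    """Return one Copy per result line; header, blank and footer lines are skipped."""
    copies = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            copies.append(Copy(m["path"], int(m["size"]), m["md5"].lower(), m["modified"]))
    return copies


def triage(copies):
    """Split the listing into damaged copies and intact copies grouped by MD5.

    A copy is damaged if it is zero bytes or hashes to EMPTY_MD5. Intact copies
    with different hashes are not by themselves suspicious: backups left by
    different service packs (2004 vs 2008 timestamps in the sample) differ
    legitimately, so the analyst still decides which group to restore from.
    """
    damaged = [c for c in copies if c.size == 0 or c.md5 == EMPTY_MD5]
    by_hash = {}
    for c in copies:
        if c not in damaged:
            by_hash.setdefault(c.md5, []).append(c.path)
    return damaged, by_hash


def md5_of_file(path):
    """Stream-hash a file so large binaries do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_restore(restored_path, source_md5):
    """True only if the restored file is non-empty and matches the chosen source's MD5."""
    actual = md5_of_file(restored_path)
    return actual != EMPTY_MD5 and actual == source_md5.lower()


if __name__ == "__main__":
    damaged, by_hash = triage(parse_filefind(SAMPLE))
    for c in damaged:
        print(f"DAMAGED  {c.path}  size={c.size}  md5={c.md5}")
    for md5, paths in by_hash.items():
        print(f"intact   md5={md5}")
        for p in paths:
            print(f"         {p}")
    # After the FCopy:: step has run, re-hash the live file against the source
    # that was copied (paths and hash here are assumptions for illustration):
    #   verify_restore(r"c:\windows\system32\svchost.exe",
    #                  "8f078ae4ed187aaabc0a305146de6716")
```

Run against the sample, the script reports the system32 copy as damaged and two intact hash groups; after the CFScript has copied a source over the live file, verify_restore() is the check that the copy actually landed and is not still the empty file.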

  3. #13
    Member
    Join Date
    Sep 2009
    Posts
    32

    No drag & drop function

    Is there another alternative? My computer will not allow me to drag & drop or paste files.

  4. #14
    Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,300


    Please have the correct CFScript.txt file created on your desktop.

    When done, open Notepad and copy and paste the bolded lines below into it. Go to File > Save As, name the file fixes.bat, change the "Save as type" to All Files and save it to your desktop.
    @echo off
    rem Launch ComboFix with CFScript.txt as its argument (replaces the drag-and-drop step)
    "%userprofile%\desktop\ComboFix.exe" "%userprofile%\desktop\CFScript.txt"

    Double-click on fixes.bat file to execute it.

  5. #15
    Member
    Join Date
    Sep 2009
    Posts
    32


    Hi,
    Here are the log files.

    ComboFix 09-09-17.04 - John 09/20/2009 4:20.3.1 - NTFSx86
    Running from: c:\documents and settings\John.HOME\desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\John.HOME\desktop\CFScript.txt
    .

    ((((((((((((((((((((((((( Files Created from 2009-08-20 to 2009-09-20 )))))))))))))))))))))))))))))))
    .

    2009-09-15 18:24 . 2009-08-17 16:04 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2009-09-15 18:24 . 2009-08-17 16:04 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2009-09-15 18:24 . 2009-08-17 16:03 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2009-09-15 18:24 . 2009-08-17 16:02 97480 ----a-w- c:\windows\system32\AvastSS.scr
    2009-09-15 18:23 . 2009-08-17 16:06 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2009-09-15 18:23 . 2009-08-17 16:06 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2009-09-15 18:23 . 2009-08-17 16:05 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2009-09-15 18:23 . 2009-08-17 16:05 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2009-09-15 18:23 . 2009-08-17 16:10 1279456 ----a-w- c:\windows\system32\aswBoot.exe
    2009-09-15 18:23 . 2009-09-15 18:23 -------- d-----w- c:\program files\Alwil Software
    2009-09-15 08:11 . 2009-09-15 08:11 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
    2009-09-15 06:08 . 2009-09-15 06:08 -------- d-----w- c:\documents and settings\John.HOME\Local Settings\Application Data\COMODO
    2009-09-15 05:00 . 2009-09-15 06:58 -------- d-----w- c:\program files\COMODO
    2009-09-14 00:33 . 2009-09-14 00:33 -------- d-----w- c:\program files\Trend Micro
    2009-09-13 13:06 . 2009-09-13 13:06 1119618 -c--a-w- C:\OneCareSupportData.zip
    2009-09-09 21:48 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
    2009-09-04 04:45 . 2009-09-04 04:45 -------- dc----w- c:\documents and settings\Office\Local Settings\Application Data\Xara
    2009-09-04 04:41 . 2007-04-27 14:43 120200 ----a-w- c:\windows\system32\DLLDEV32i.dll
    2009-09-04 04:39 . 2009-09-04 04:46 -------- d-----w- c:\windows\system32\MAGIX
    2009-09-04 04:39 . 2008-04-15 20:14 700416 ----a-w- c:\windows\system32\mgxoschk.dll
    2009-09-04 03:37 . 2009-09-04 03:37 -------- d-----w- c:\program files\3ivx
    2009-09-04 03:37 . 2009-09-04 03:37 -------- dc----w- c:\documents and settings\All Users\Application Data\Flip Video
    2009-09-04 03:37 . 2009-09-04 03:37 -------- d-----w- c:\program files\Flip Video

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-09-20 09:25 . 2009-07-26 08:22 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
    2009-09-16 00:03 . 2005-04-18 19:51 17920 -csha-w- c:\program files\Thumbs.db
    2009-09-15 08:20 . 2004-12-24 06:43 1364 ----a-w- c:\program files\CorelApp.ini
    2009-09-15 08:19 . 2004-12-24 06:43 2481 ----a-w- c:\program files\photohse.ini
    2009-09-15 08:19 . 2004-12-24 06:43 338 ----a-w- c:\program files\country.ini
    2009-09-15 08:19 . 2004-12-23 13:25 -------- d-----w- c:\program files\Custom
    2009-09-15 05:32 . 2009-07-11 11:44 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
    2009-09-13 13:45 . 2005-06-15 04:35 109968 -c--a-w- c:\documents and settings\John.HOME\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-09-12 22:00 . 2009-08-09 20:07 109968 -c--a-w- c:\documents and settings\Jessy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-09-12 10:58 . 2009-08-06 08:07 -------- dc----w- c:\documents and settings\Office\Application Data\uTorrent
    2009-09-09 11:21 . 2004-12-24 06:42 3292 -c--a-w- c:\program files\printhse.ini
    2009-09-09 11:18 . 2009-07-17 23:56 269 -c--a-w- c:\documents and settings\Office\Application Data\ftpfile.dat
    2009-09-09 06:23 . 2009-07-06 21:26 -------- dc----w- c:\documents and settings\All Users\Application Data\Motive
    2009-09-05 18:22 . 2006-08-06 10:50 109968 -c--a-w- c:\documents and settings\Angie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-09-05 09:34 . 2005-01-26 13:32 171 ----a-w- c:\program files\Color.ini
    2009-09-04 05:32 . 2009-03-07 21:05 109968 -c--a-w- c:\documents and settings\Office\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-09-04 04:46 . 2009-09-04 04:43 -------- dc----w- c:\documents and settings\All Users\Application Data\MAGIX
    2009-09-04 04:45 . 2009-09-04 04:43 -------- d-----w- c:\program files\Common Files\MAGIX Shared
    2009-09-04 04:43 . 2009-09-04 04:43 -------- d-----w- c:\program files\Common Files\xara
    2009-08-31 18:17 . 2009-06-06 04:44 -------- d-----w- c:\documents and settings\Angie\Application Data\gtk-2.0
    2009-08-23 11:55 . 2009-07-16 14:43 -------- d-----w- c:\program files\CoffeeCup Software
    2009-08-21 18:12 . 2009-07-12 20:06 -------- d-----w- c:\documents and settings\Angie\Application Data\dvdcss
    2009-08-20 02:47 . 2009-08-20 02:47 -------- d-----w- c:\documents and settings\Angie\Application Data\uTorrent
    2009-08-11 22:33 . 2009-08-11 22:33 -------- d-----w- c:\program files\Common Files\muvee Technologies
    2009-08-11 02:59 . 2009-07-09 09:31 -------- d-----w- c:\program files\Veoh Networks
    2009-08-08 04:15 . 2005-04-01 23:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-08-07 07:05 . 2009-08-07 07:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-08-06 23:50 . 2009-08-01 22:40 -------- d-----w- c:\program files\NCH Software
    2009-08-06 23:47 . 2009-08-01 22:40 -------- d-----w- c:\program files\NCH Swift Sound
    2009-08-06 23:46 . 2009-08-06 23:46 -------- dc----w- c:\documents and settings\Office\Application Data\NCH Swift Sound
    2009-08-05 09:01 . 2004-08-04 11:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
    2009-08-05 05:04 . 2009-04-29 02:04 -------- dc----w- c:\documents and settings\Office\Application Data\gtk-2.0
    2009-08-02 12:09 . 2009-08-02 12:09 -------- d-----w- c:\program files\MSBuild
    2009-08-02 12:09 . 2009-08-02 12:09 -------- d-----w- c:\program files\Reference Assemblies
    2009-08-01 22:42 . 2009-08-01 22:42 -------- dc----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
    2009-08-01 22:41 . 2009-08-01 22:40 -------- d-----w- c:\documents and settings\Angie\Application Data\NCH Swift Sound
    2009-08-01 17:19 . 2009-08-01 17:19 -------- d-----w- c:\documents and settings\LocalService\Application Data\PeerNetworking
    2009-07-26 09:43 . 2006-05-24 01:32 -------- d-----w- c:\program files\Yahoo!
    2009-07-26 09:24 . 2004-12-12 06:39 -------- d-----w- c:\program files\Java
    2009-07-26 09:19 . 2005-01-13 23:11 -------- d-----w- c:\program files\DivX
    2009-07-26 06:10 . 2009-07-09 08:53 -------- dc----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2009-07-25 20:27 . 2009-07-25 08:36 -------- d-----w- c:\program files\Windows Live Safety Center
    2009-07-24 05:31 . 2006-11-05 03:04 -------- d-----w- c:\documents and settings\Angie\Application Data\LimeWire
    2009-07-17 19:01 . 2004-08-04 11:00 58880 ----a-w- c:\windows\system32\atl.dll
    2009-07-17 12:04 . 2009-07-17 12:04 335 ----a-w- c:\windows\mozregistry.dat
    2009-07-13 15:08 . 2004-08-04 11:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
    2009-07-03 17:09 . 2004-08-04 11:00 915456 ----a-w- c:\windows\system32\wininet.dll
    2009-06-25 08:25 . 2004-08-04 11:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2009-06-25 08:25 . 2004-08-04 11:00 56832 ----a-w- c:\windows\system32\secur32.dll
    2009-06-25 08:25 . 2004-08-04 11:00 54272 ----a-w- c:\windows\system32\wdigest.dll
    2009-06-25 08:25 . 2004-08-04 11:00 301568 ----a-w- c:\windows\system32\kerberos.dll
    2009-06-25 08:25 . 2004-08-04 11:00 147456 ----a-w- c:\windows\system32\schannel.dll
    2009-06-25 08:25 . 2004-08-04 11:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-06-24 11:18 . 2004-08-04 11:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2009-06-17 03:47 . 2005-05-02 16:09 100261 -c-ha-w- c:\program files\photohse.GID
    2009-05-14 21:54 . 2006-03-02 16:25 69477 -c-ha-w- c:\program files\aim95.GID
    2009-03-05 09:35 . 2007-03-13 00:45 8444 -c--a-w- c:\program files\Xpcs Registry.dat
    2009-02-09 23:57 . 2003-12-10 05:39 178 -c--a-w- c:\program files\log.txt
    2008-10-30 17:39 . 2004-12-24 06:43 2449 -c--a-w- c:\program files\corelprn.ini
    2006-01-02 05:57 . 2006-01-02 05:56 2788656 ----a-w- c:\program files\LimeWireWin-full.exe
    2006-01-02 05:30 . 2006-01-02 05:28 359112 ----a-w- c:\program files\LimeWireWin.exe
    2005-05-26 13:32 . 2005-04-06 14:51 38435 -c--a-w- c:\program files\licens32.txt
    2005-05-21 02:00 . 2005-05-21 01:58 148564 -c-ha-w- c:\program files\Printhse.GID
    2005-04-08 13:07 . 2005-04-06 14:51 611 ----a-w- c:\program files\Uninstall AOL Instant Messenger.lnk
    2004-12-24 06:44 . 2004-12-24 06:42 713 -c----w- c:\program files\BOX.REG
    2004-12-24 06:44 . 2004-12-24 06:43 2860 -c----w- c:\program files\PHOTOHSE.REG
    2004-12-24 06:44 . 2004-12-24 06:42 832 -c----w- c:\program files\PRINTHSE.REG
    2004-08-27 23:29 . 2005-04-06 14:51 1935 -c--a-w- c:\program files\icbmftvc.lst
    2004-03-12 21:02 . 2005-04-06 14:51 116900 ----a-w- c:\program files\uninstll.exe
    2004-03-12 21:02 . 2005-04-06 14:51 1466368 ----a-w- c:\program files\AimRes.dll
    2004-03-12 20:22 . 2005-04-06 14:51 61440 ----a-w- c:\program files\aim.exe
    2004-03-12 20:22 . 2005-04-06 14:51 131072 ----a-w- c:\program files\ateima32.dll
    2004-03-12 20:21 . 2005-04-06 14:51 61440 -c--a-w- c:\program files\AlertUI.ocm
    2004-03-12 20:21 . 2005-04-06 14:51 25088 -c--a-w- c:\program files\browse.ocm
    2004-03-12 20:21 . 2005-04-06 14:51 208896 -c--a-w- c:\program files\buddyui.ocm
    2004-03-12 20:21 . 2005-04-06 14:51 225280 ----a-w- c:\program files\AimSecondarySvcs.dll
    2004-03-12 20:21 . 2005-04-06 14:51 6144 -c--a-w- c:\program files\stats.ocm
    2004-03-12 20:21 . 2005-04-06 14:51 98304 -c--a-w- c:\program files\ChatUI.ocm
    2004-03-12 20:20 . 2005-04-06 14:51 192512 ----a-w- c:\program files\AimCoreSvcs.dll
    2004-03-12 20:20 . 2005-04-06 14:51 237568 -c--a-w- c:\program files\icbmui.ocm
    2004-03-12 20:20 . 2005-04-06 14:51 49152 ----a-w- c:\program files\chksign.dll
    2004-03-12 20:20 . 2005-04-06 14:51 94208 -c--a-w- c:\program files\ticker.ocm
    2004-03-12 20:19 . 2005-04-06 14:51 98304 ----a-w- c:\program files\aimapi.dll
    2004-03-12 20:19 . 2005-04-06 14:51 15872 -c--a-w- c:\program files\Admin.ocm
    2004-03-12 20:19 . 2005-04-06 14:51 135168 -c--a-w- c:\program files\locateui.ocm
    2004-03-12 20:19 . 2005-04-06 14:51 184320 -c--a-w- c:\program files\miscui.ocm
    2004-03-12 20:19 . 2005-04-06 14:51 14848 -c--a-w- c:\program files\NTP.ocm
    2004-03-12 20:18 . 2005-04-06 14:51 59904 -c--a-w- c:\program files\OscMail.ocm
    2004-03-12 20:18 . 2005-04-06 14:51 19456 ----a-w- c:\program files\aimtalk.dll
    2004-03-12 20:18 . 2005-04-06 14:51 69632 -c--a-w- c:\program files\osclogin.ocm
    2004-03-12 20:18 . 2005-04-06 14:51 9216 -c--a-w- c:\program files\oscmain.ocm
    2004-03-12 20:18 . 2005-04-06 14:51 53248 -c--a-w- c:\program files\startup.ocm
    2004-03-12 20:18 . 2005-04-06 14:51 147456 ----a-w- c:\program files\aimauto.exe
    2004-03-12 20:17 . 2005-04-06 14:51 81920 -c--a-w- c:\program files\OscSrch.ocm
    2004-03-12 20:17 . 2005-04-06 14:51 2048 ----a-w- c:\program files\ShareFile.exe
    2004-03-12 20:17 . 2005-04-06 14:51 2048 ----a-w- c:\program files\SendFile.exe
    2004-03-12 20:17 . 2005-04-06 14:51 13824 -c--a-w- c:\program files\osconfig.ocm
    2004-03-12 20:17 . 2005-04-06 14:51 39424 -c--a-w- c:\program files\rvapps.ocm
    2004-03-12 20:17 . 2005-04-06 14:51 13312 -c--a-w- c:\program files\popup.ocm
    2004-03-12 20:17 . 2005-04-06 14:51 69632 ----a-w- c:\program files\Patcher.dll
    2002-08-01 00:55 . 2009-07-16 14:44 106 --sh--w- c:\windows\WSYS049.SYS
    .

    ------- Sigcheck -------

    Cryptography Services Error !!
    .
    ((((((((((((((((((((((((((((( SnapShot@2009-09-19_09.55.52 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-09-20 09:10 . 2009-09-20 09:10 16384 c:\windows\Temp\Perflib_Perfdata_554.dat
    - 2009-09-19 09:42 . 2009-09-19 09:42 16384 c:\windows\Temp\Perflib_Perfdata_554.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HughesNetTools_McciTrayApp"="c:\program files\HughesNetTools\1\McciTrayApp_SSR.exe" [2007-11-20 1454592]
    "OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2009-07-09 65240]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
    backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
    backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
    "c:\\WINDOWS\\SYSTEM32\\FXSCLNT.EXE"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
    "c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
    "c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
    "c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
    "c:\\WINDOWS\\SYSTEM32\\DPVSETUP.EXE"=
    "c:\\Program Files\\aim.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\trueplay.exe"=
    "c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\CoffeeCup Software\\CoffeeCup Visual Site Designer\\vsd.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundTimestampRequest"= 1 (0x1)
    "AllowInboundMaskRequest"= 1 (0x1)
    "AllowInboundRouterRequest"= 1 (0x1)
    "AllowOutboundDestinationUnreachable"= 1 (0x1)
    "AllowOutboundSourceQuench"= 1 (0x1)
    "AllowOutboundParameterProblem"= 1 (0x1)
    "AllowOutboundTimeExceeded"= 1 (0x1)
    "AllowRedirect"= 1 (0x1)
    "AllowOutboundPacketTooBig"= 1 (0x1)
    "AllowInboundEchoRequest"= 1 (0x1)

    R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [x]
    R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe [2008-04-14 0]
    R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;g:\programs\Common\Database\bin\fbserver.exe [x]
    R3 samhid;samhid;c:\windows\system32\drivers\samhid.sys [2006-01-07 7548]
    R3 SDVPlus;Pinnacle Studio DVplus WDM Renderer;c:\windows\system32\DRIVERS\SDVPlus.sys [2001-05-15 42102]
    S1 aswSP;avast! Self Protection; [x]
    S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-08-17 20560]
    S2 FlipShare Service;FlipShare Service;c:\program files\Flip Video\FlipShare\FlipShareService.exe [2009-06-04 451904]
    S2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [2009-07-09 26104]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
    c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
    .
    Contents of the 'Scheduled Tasks' folder

    2009-09-13 c:\windows\Tasks\User_Feed_Synchronization-{BABCC35D-64AE-4BD7-9952-16FE21501C3D}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
    IE: Display All Images with Full Quality - "c:\program files\Juno\qsacc\appres.dll/228"
    IE: Display Image with Full Quality - "c:\program files\Juno\qsacc\appres.dll/227"
    IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
    Trusted Zone: musicmatch.com
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
    DPF: {CAEAFE12-7726-4C39-B620-2601216CFBB5} - hxxp://phughescw.hughes.motive.com/wizlet/spaceway/static/controls/Mcci_6-1-0.cab
    FF - ProfilePath - c:\documents and settings\John.HOME\Application Data\Mozilla\Firefox\Profiles\y9u7efrj.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
    FF - plugin: c:\program files\Mozilla Firefox\plugins\nphssb.dll
    FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
    FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-09-20 04:29
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-934335678-3210570196-125882890-1018\RemoteAccess\Profile\x *]
    "EnableAutodisconnect"=dword:00000001
    "EnableExitDisconnect"=dword:00000001
    "DisconnectIdleTime"=dword:00000014

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,7b,1e,4b,ac,24,
    e1,ec,1c,2e,e8,e1,00,eb,16,2b,de,db,e8,ba,44,63,bf,ce,72,e2,63,26,f1,3f,c8,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,9d,66,59,76,69,
    bf,ac,5a,46,47,15,b0,92,4b,c7,ef,3f,f1,c8,66,f8,84,06,49,6a,9c,d6,61,af,45,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,00,50,1b,1c,cf,
    c4,a6,06,7a,45,05,fd,91,e8,6f,31,04,54,e4,0d,6b,27,29,df,ff,7c,85,e0,43,d4,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,58,bf,f5,07,cb,
    52,00,4f,6b,65,49,6a,7e,99,74,f7,f9,cf,61,ea,f1,72,cb,fa,86,8c,21,01,be,91,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,67,d6,88,b8,9d,
    38,aa,7f,e9,02,6c,fa,fb,1d,47,57,4d,0d,2a,85,62,38,64,f9,f5,1d,4d,73,a8,13,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,00,82,de,ec,3f,
    0a,cc,fb,50,93,e5,ab,ec,6a,4e,ab,e0,97,50,c9,64,28,64,ba,df,20,58,62,78,6b,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,07,78,44,eb,71,
    24,be,e1,97,20,4e,9a,c7,f1,35,ee,d0,b1,34,3f,28,c4,69,07,fb,a7,78,e6,12,2f,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,6a,f2,d9,dc,ab,
    e5,28,4c,aa,52,c6,00,84,3c,26,64,c8,aa,47,9e,c1,4e,91,48,01,3a,48,fc,e8,04,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,c2,24,5b,7d,92,
    55,c3,dc,b2,46,9a,e2,1b,fe,1b,94,9a,f1,00,87,60,47,17,41,f6,0f,4e,58,98,5b,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "f5f62a6129303efb32fbe080bb27835b"=hex:37,a4,aa,c3,a6,15,56,0a,d3,c1,88,36,87,
    d6,a5,23,37,a4,aa,c3,a6,15,56,0a,f4,f2,95,01,81,b9,ce,71,3d,ce,ea,26,2d,45,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,eb,85,49,eb,1e,
    f2,7b,fd,f8,31,0f,a9,5f,a0,ec,fb,d4,5a,c5,ee,5f,3a,cc,ee,2a,b7,cc,b5,b9,7f,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,cf,43,f6,74,c5,
    5a,7d,8f,05,73,21,dd,54,d8,4a,c5,21,8e,7a,9a,25,96,11,4f,6c,43,2d,1e,aa,22,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(740)
    c:\windows\system32\LameACM.acm
    c:\windows\system32\IEFRAME.dll
    c:\windows\system32\MI-SC4.acm
    c:\windows\system32\DivXa32.acm

    - - - - - - - > 'explorer.exe'(192)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    Completion time: 2009-09-20 4:33
    ComboFix-quarantined-files.txt 2009-09-20 09:33
    ComboFix2.txt 2009-09-19 10:37
    ComboFix3.txt 2009-09-19 10:02

    Pre-Run: 23,689,674,752 bytes free
    Post-Run: 23,683,223,552 bytes free

    322 --- E O F --- 2009-09-10 08:45



    DDS (Ver_09-07-30.01) - NTFSx86
    Run by John at 5:09:02.81 on Sun 09/20/2009
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
    uURLSearchHooks: URLSearchHook Class: {37d2cdbf-2af4-44aa-8113-bd0d2da3c2b8} - c:\program files\netzero\SearchEnh.dll
    mURLSearchHooks: H - No File
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
    BHO: Pop-up Blocker: {52706ef7-d7a2-49ad-a615-e903858cf284} - c:\program files\netzero\qsacc\X1IEBHO.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
    TB: {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - No File
    TB: ZeroBar: {f0f8ecbe-d460-4b34-b007-56a92e8f84a7} - c:\program files\netzero\Toolbar.dll
    TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
    TB: Veoh Video Compass: {52836eb0-631a-47b1-94a6-61f9d9112dae} - c:\program files\veoh networks\veoh video compass\SearchRecsPlugin.dll
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {A1C18A7B-55E9-4DA3-A880-D112C791A9D8} - No File
    TB: {F5735C15-1FB2-41FE-BA12-242757E69DDE} - No File
    TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
    TB: {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - No File
    TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
    mRun: [HughesNetTools_McciTrayApp] c:\program files\hughesnettools\1\McciTrayApp_SSR.exe
    mRun: [OneCareUI] "c:\program files\microsoft windows onecare live\winssnotify.exe"
    mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
    IE: Display All Images with Full Quality - "c:\program files\juno\qsacc\appres.dll/228"
    IE: Display Image with Full Quality - "c:\program files\juno\qsacc\appres.dll/227"
    IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
    IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim.exe
    IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
    Trusted Zone: musicmatch.com
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {1D082E71-DF20-4AAF-863B-596428C49874} - hxxp://www.worldwinner.com/games/v50/tpir/tpir.cab
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1244587224828
    DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
    DPF: {CAEAFE12-7726-4C39-B620-2601216CFBB5} - hxxp://phughescw.hughes.motive.com/wizlet/spaceway/static/controls/Mcci_6-1-0.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\john~1.hom\applic~1\mozilla\firefox\profiles\y9u7efrj.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
    FF - plugin: c:\program files\mozilla firefox\plugins\nphssb.dll
    FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
    FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
    c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
    c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
    c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

    ============= SERVICES / DRIVERS ===============


    =============== Created Last 30 ================

    2009-09-19 04:18 <DIR> acdshr-- C:\cmdcons
    2009-09-18 07:13 229,888 a------- c:\windows\PEV.exe
    2009-09-18 07:13 161,792 a------- c:\windows\SWREG.exe
    2009-09-18 07:13 98,816 a------- c:\windows\sed.exe
    2009-09-15 03:11 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
    2009-09-15 00:00 <DIR> --d----- c:\program files\COMODO
    2009-09-13 19:33 <DIR> --d----- c:\program files\Trend Micro
    2009-09-13 08:06 1,119,618 ac------ C:\OneCareSupportData.zip
    2009-09-09 16:48 153,088 -------- c:\windows\system32\dllcache\triedit.dll
    2009-09-03 23:43 <DIR> --d----- c:\program files\common files\xara
    2009-09-03 23:43 <DIR> --d----- c:\program files\common files\MAGIX Shared
    2009-09-03 23:43 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\MAGIX
    2009-09-03 23:41 120,200 a------- c:\windows\system32\DLLDEV32i.dll
    2009-09-03 23:39 700,416 a------- c:\windows\system32\mgxoschk.dll
    2009-09-03 23:39 6,211 a------- c:\windows\mgxoschk.ini
    2009-09-03 23:39 <DIR> --d----- c:\windows\system32\MAGIX
    2009-09-03 22:37 <DIR> --d----- c:\program files\3ivx
    2009-09-03 22:37 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\Flip Video
    2009-09-03 22:37 <DIR> --d----- c:\program files\Flip Video
    2009-08-28 16:33 54,156 a---h--- c:\windows\QTFont.qfn
    2009-08-28 16:33 1,409 a------- c:\windows\QTFont.for

    ==================== Find3M ====================

    2009-09-15 19:03 17,920 ac-sh--- c:\program files\Thumbs.db
    2009-09-15 03:20 1,364 a------- c:\program files\CorelApp.ini
    2009-09-15 03:19 2,481 a------- c:\program files\photohse.ini
    2009-09-15 03:19 338 a------- c:\program files\country.ini
    2009-09-15 00:32 1,474,832 a------- c:\windows\system32\drivers\sfi.dat
    2009-09-09 06:21 3,292 ac------ c:\program files\printhse.ini
    2009-09-05 04:34 171 a------- c:\program files\Color.ini
    2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
    2009-08-05 04:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
    2009-07-30 09:44 77,939 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
    2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
    2009-07-19 08:18 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
    2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
    2009-07-17 14:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
    2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
    2009-07-13 10:08 286,720 a------- c:\windows\system32\dllcache\wmpdxm.dll
    2009-07-13 10:08 5,537,792 -------- c:\windows\system32\dllcache\wmp.dll
    2009-07-10 08:27 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
    2009-07-03 12:09 915,456 a------- c:\windows\system32\wininet.dll
    2009-07-03 12:09 915,456 a------- c:\windows\system32\dllcache\wininet.dll
    2009-07-03 12:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
    2009-07-03 12:09 1,208,832 a------- c:\windows\system32\dllcache\urlmon.dll
    2009-07-03 12:09 206,848 a------- c:\windows\system32\dllcache\occache.dll
    2009-07-03 12:09 594,432 -------- c:\windows\system32\dllcache\msfeeds.dll
    2009-07-03 12:09 55,296 -------- c:\windows\system32\dllcache\msfeedsbs.dll
    2009-07-03 12:09 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
    2009-07-03 12:09 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
    2009-07-03 12:09 184,320 a------- c:\windows\system32\dllcache\iepeers.dll
    2009-07-03 12:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
    2009-07-03 12:09 386,048 -------- c:\windows\system32\dllcache\iedkcs32.dll
    2009-07-03 06:01 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
    2009-06-25 03:25 730,112 a------- c:\windows\system32\lsasrv.dll
    2009-06-25 03:25 301,568 a------- c:\windows\system32\kerberos.dll
    2009-06-25 03:25 147,456 a------- c:\windows\system32\schannel.dll
    2009-06-25 03:25 136,192 a------- c:\windows\system32\msv1_0.dll
    2009-06-25 03:25 56,832 a------- c:\windows\system32\secur32.dll
    2009-06-25 03:25 54,272 a------- c:\windows\system32\wdigest.dll
    2009-06-25 03:25 730,112 -------- c:\windows\system32\dllcache\lsasrv.dll
    2009-06-25 03:25 301,568 -------- c:\windows\system32\dllcache\kerberos.dll
    2009-06-25 03:25 147,456 -------- c:\windows\system32\dllcache\schannel.dll
    2009-06-25 03:25 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
    2009-06-25 03:25 56,832 -------- c:\windows\system32\dllcache\secur32.dll
    2009-06-25 03:25 54,272 -------- c:\windows\system32\dllcache\wdigest.dll
    2009-06-24 06:18 92,928 -------- c:\windows\system32\dllcache\ksecdd.sys
    2009-06-16 22:47 100,261 ac--h--- c:\program files\photohse.GID
    2009-05-29 02:54 494,867 ac------ c:\docume~1\alluse~1\applic~1\phn.dat
    2009-05-14 16:54 69,477 ac--h--- c:\program files\aim95.GID
    2009-03-05 04:35 8,444 ac------ c:\program files\Xpcs Registry.dat
    2009-02-09 18:57 178 ac------ c:\program files\log.txt
    2008-10-30 12:39 2,449 ac------ c:\program files\corelprn.ini
    2006-11-14 12:29 416,304 ac------ c:\windows\inf\programs\mpg4c32.dll
    2006-01-02 00:57 2,788,656 a------- c:\program files\LimeWireWin-full.exe
    2006-01-02 00:30 359,112 a------- c:\program files\LimeWireWin.exe
    2005-05-26 08:32 38,435 ac------ c:\program files\licens32.txt
    2005-05-20 21:00 148,564 ac--h--- c:\program files\Printhse.GID
    2005-04-26 19:34 294,912 ac------ c:\windows\inf\programs\PcleCaptureDC10.dll
    2005-04-13 16:37 352,256 ac------ c:\windows\inf\programs\PcleCaptureMarvin.dll
    2005-04-08 12:40 376,832 ac------ c:\windows\inf\programs\PcleCaptureGenericYUV.dll
    2005-04-08 08:07 611 a------- c:\program files\Uninstall AOL Instant Messenger.lnk
    2005-04-01 18:57 106,496 ac------ c:\windows\inf\programs\PCLEMediaManager.dll
    2005-04-01 16:48 344,064 ac------ c:\windows\inf\programs\PcleCaptureDV.dll
    2005-03-29 21:13 90,112 ac------ c:\windows\inf\programs\ACnvrtX.dll
    2005-02-24 00:11 315,392 ac------ c:\windows\inf\programs\PcleCaptureCirrus2.dll
    2005-01-31 22:58 98,304 ac------ c:\windows\inf\programs\pcleSplice.dll
    2005-01-31 22:49 512,000 ac------ c:\windows\inf\programs\mpegencoderlib.dll
    2005-01-28 17:31 352,256 ac------ c:\windows\inf\programs\PcleCapturePCTV.dll
    2005-01-28 17:31 102,400 ac------ c:\windows\inf\programs\PcleCapture2.dll
    2005-01-21 22:15 323,584 ac------ c:\windows\inf\programs\PcleCaptureZoran.dll
    2005-01-21 22:15 307,200 ac------ c:\windows\inf\programs\PcleCapturePython.dll
    2005-01-21 22:15 352,256 ac------ c:\windows\inf\programs\PcleCaptureProteus.dll
    2005-01-21 22:14 286,720 ac------ c:\windows\inf\programs\PcleCaptureMicroMV.dll
    2005-01-21 22:14 335,872 ac------ c:\windows\inf\programs\PcleCaptureEmuzed.dll
    2005-01-21 22:14 319,488 ac------ c:\windows\inf\programs\PcleCaptureDvxcel.dll
    2005-01-21 22:13 376,832 ac------ c:\windows\inf\programs\PcleCaptureAvDv2.dll
    2005-01-21 22:12 364,544 ac------ c:\windows\inf\programs\PcleCaptureAmoeba.dll
    2005-01-12 09:42 577,536 ac------ c:\windows\inf\programs\AudioCodec.dll
    2005-01-12 09:42 495,616 ac------ c:\windows\inf\programs\4code.dll
    2005-01-12 09:42 294,912 ac------ c:\windows\inf\programs\4codeDecoder.dll
    2005-01-12 09:42 262,144 ac------ c:\windows\inf\programs\dllzAAC.dll
    2005-01-12 09:42 57,344 ac------ c:\windows\inf\programs\StreamIO.dll
    2005-01-05 06:09 188,416 ac------ c:\windows\inf\programs\mpegdecoder2.dll
    2004-12-24 01:44 713 -c------ c:\program files\BOX.REG
    2004-12-24 01:44 2,860 -c------ c:\program files\PHOTOHSE.REG
    2004-12-24 01:44 832 -c------ c:\program files\PRINTHSE.REG
    2004-11-22 21:02 30,208 ac------ c:\windows\inf\programs\pcleUtil.dll
    2004-11-03 21:22 86,016 ac------ c:\windows\inf\programs\CSCSaFX.dll
    2004-09-20 16:39 262,144 ac------ c:\windows\inf\programs\lame_enc.dll
    2004-08-27 18:29 1,935 ac------ c:\program files\icbmftvc.lst
    2004-08-09 06:03 73,728 ac------ c:\windows\inf\programs\pcleDVcd.dll
    2004-08-06 02:23 110,592 ac------ c:\windows\inf\programs\pcleDVdc.dll
    2004-03-12 16:02 116,900 a------- c:\program files\uninstll.exe
    2004-03-12 16:02 1,466,368 a------- c:\program files\AimRes.dll
    2004-03-12 15:22 61,440 a------- c:\program files\aim.exe
    2004-03-12 15:22 131,072 a------- c:\program files\ateima32.dll
    2004-03-12 15:21 61,440 ac------ c:\program files\AlertUI.ocm
    2004-03-12 15:21 25,088 ac------ c:\program files\browse.ocm
    2004-03-12 15:21 208,896 ac------ c:\program files\buddyui.ocm
    2004-03-12 15:21 225,280 a------- c:\program files\AimSecondarySvcs.dll
    2004-03-12 15:21 98,304 ac------ c:\program files\ChatUI.ocm
    2004-03-12 15:21:02 AC------ 6,144 c:\program files\stats.ocm
    2002-07-31 19:55 106 ---sh--- c:\windows\WSYS049.SYS

    ============= FINISH: 5:09:27.25 ===============

  6. #16
    Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,300

    Default

    Hi,

    Do steps in post #10 again (don't have to re-download the tool if you still have it on your desktop).

  7. #17
    Member
    Join Date
    Sep 2009
    Posts
    32

    Default

    SystemLook v1.0 by jpshortstuff (29.08.09)
    Log created at 11:22 on 20/09/2009 by John (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for "svchost.exe"
    C:\i386\SVCHOST.EXE --a--c 14336 bytes [19:22 15/12/2004] [11:00 04/08/2004] 8F078AE4ED187AAABC0A305146DE6716
    C:\WINDOWS\$NtServicePackUninstall$\svchost.exe -----c 14336 bytes [14:24 30/07/2009] [11:00 04/08/2004] 8F078AE4ED187AAABC0A305146DE6716
    C:\WINDOWS\ServicePackFiles\i386\svchost.exe ------ 14336 bytes [00:12 14/04/2008] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
    C:\WINDOWS\SYSTEM32\svchost.exe --a--- 0 bytes [11:00 04/08/2004] [00:12 14/04/2008] D41D8CD98F00B204E9800998ECF8427E

    -=End Of File=-
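The check the helper makes by eye in this thread (the system32 copy of svchost.exe is 0 bytes and its MD5 is the digest of empty input, while two backup copies agree on a hash), as an added example that is not from the thread, from SystemLook's author or from the helper: it parses SystemLook's filefind lines, flags empty copies, and pairs each with a restore source whose hash is corroborated by another copy on disk. The sample log is constructed from the output above; the "corroborated by a second copy" rule is my own heuristic, not something SystemLook does.

```python
import re
from collections import Counter
from dataclasses import dataclass

# MD5 of zero-length input; a system binary reporting this digest is an empty file.
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"

# Constructed sample in SystemLook v1.0 "filefind" format (values taken from the log above).
SAMPLE_LOG = r"""SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 11:22 on 20/09/2009 by John (Administrator - Elevation successful)

========== filefind ==========

Searching for "svchost.exe"
C:\i386\SVCHOST.EXE --a--c 14336 bytes [19:22 15/12/2004] [11:00 04/08/2004] 8F078AE4ED187AAABC0A305146DE6716
C:\WINDOWS\$NtServicePackUninstall$\svchost.exe -----c 14336 bytes [14:24 30/07/2009] [11:00 04/08/2004] 8F078AE4ED187AAABC0A305146DE6716
C:\WINDOWS\ServicePackFiles\i386\svchost.exe ------ 14336 bytes [00:12 14/04/2008] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\SYSTEM32\svchost.exe --a--- 0 bytes [11:00 04/08/2004] [00:12 14/04/2008] D41D8CD98F00B204E9800998ECF8427E

-=End Of File=-
"""

# path, six attribute flags, size, [created] [modified], MD5
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass
class FileHit:
    path: str
    size: int
    md5: str


def parse_filefind(text):
    """Return one FileHit per result line; header and footer lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append(FileHit(m["path"], int(m["size"]), m["md5"].lower()))
    return hits


def find_damaged(hits):
    """Copies that are empty: 0 bytes, or the MD5 of empty input (here system32\\svchost.exe)."""
    return [h for h in hits if h.size == 0 or h.md5 == EMPTY_MD5]


def restore_candidates(hits):
    """Heuristic (mine): trust a backup copy only if another copy on disk has the same hash."""
    good = [h for h in hits if h.size > 0 and h.md5 != EMPTY_MD5]
    counts = Counter(h.md5 for h in good)
    return [h for h in good if counts[h.md5] >= 2]


def plan_restore(hits):
    """Pair each damaged file with the first corroborated copy of the same file name."""
    plan = []
    for bad in find_damaged(hits):
        name = bad.path.rsplit("\\", 1)[-1].lower()
        for src in restore_candidates(hits):
            if src.path.rsplit("\\", 1)[-1].lower() == name:
                plan.append((src.path, bad.path))  # same hash as the $NtServicePackUninstall$ copy used above
                break
    return plan
```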

  8. #18
    Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,300

    Default

    Hi,


    Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
    @echo off
    copy C:\WINDOWS\$NtServicePackUninstall$\svchost.exe c:\windows\system32\svchost.exe >c:\Logit.txt
    start c:\Logit.txt
    del %0

    Double-click on fixes.bat file to execute it. Notepad should open up. Please post contents of it.

  9. #19
    Member
    Join Date
    Sep 2009
    Posts
    32

    Default

    Hi,
    Here are the contents:

    1 file(s) copied.

  10. #20
    Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,300

    Default

    Ok. Now let's see fresh hjt log (it's more useful than dds log at this point).
