Msa.exe, b.exe, poprock, very persistent cannot get rid of

Hi,

Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
C:\Users\God\Desktop\Appl Inst\Alcohol120_1.9.6.5403.rar
C:\Users\God\Documents\download\xvsiriusvx\FruityLoops3\Plugins\Fruity\Generators\Fruity DX10\Fruity DX10.dll
C:\Users\God\Documents\download\xvsiriusvx\Fruityloops3.5\Fruity DX 10 for FruityLoops.exe
C:\Users\God\Documents\download\xvsiriusvx\Fruityloops3.5\Plugins\Fruity\Generators\Fruity DX10\Fruity DX10.dll
Folder::
c:\program files\uTorrent
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{3A7FA16F-BB5F-4830-87C4-3C9873684389}"=-
"{18AD9FB3-1476-4428-8FA7-2484B4428977}"=-


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

[image: CFScriptB-4.gif]


Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log. How's the system running now?
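A dry-run reader for the script format used in the post above, added here as an example; it is not ComboFix's or sUBs' code. The semantics it assigns (File:: and Folder:: entries are deleted, folders recursively; Registry:: follows regedit .reg syntax, where "name"=- removes a value and [-key] removes a whole key) are this example's reading of the script, not documentation from ComboFix. It embeds the CFScript from the post as its sample input and only reports what the script asks for, without touching the filesystem or registry.

```python
r"""Dry-run reader for a ComboFix CFScript such as the one above.

Added example, not ComboFix's or the helper's code. It parses the three
section types the script uses (File::, Folder::, Registry::) and reports
what ComboFix would be asked to do, without changing anything. Assumed
semantics: File:: and Folder:: entries are deleted (folders recursively),
and Registry:: follows regedit .reg syntax, where "name"=- removes a value
and [-key] removes a whole key.
"""
import re

# Sample input: the CFScript from the helper's post, reproduced verbatim.
CFSCRIPT = r'''File::
C:\Users\God\Desktop\Appl Inst\Alcohol120_1.9.6.5403.rar
C:\Users\God\Documents\download\xvsiriusvx\FruityLoops3\Plugins\Fruity\Generators\Fruity DX10\Fruity DX10.dll
C:\Users\God\Documents\download\xvsiriusvx\Fruityloops3.5\Fruity DX 10 for FruityLoops.exe
C:\Users\God\Documents\download\xvsiriusvx\Fruityloops3.5\Plugins\Fruity\Generators\Fruity DX10\Fruity DX10.dll
Folder::
c:\program files\uTorrent
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{3A7FA16F-BB5F-4830-87C4-3C9873684389}"=-
"{18AD9FB3-1476-4428-8FA7-2484B4428977}"=-
'''

SECTION_RE = re.compile(r'^(?P<name>[A-Za-z]+)::$')
KEY_RE = re.compile(r'^\[(?P<minus>-?)(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')
ABS_PATH_RE = re.compile(r'^[A-Za-z]:\\')


def parse_cfscript(text):
    """Return a list of (action, target, note) tuples, in script order."""
    actions = []
    section = None
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        s = SECTION_RE.match(line)
        if s:
            section = s.group('name').lower()
            key = None
            continue
        if section in ('file', 'folder'):
            note = '' if ABS_PATH_RE.match(line) else 'not an absolute path'
            if section == 'folder':
                note = note or 'recursive delete of the whole directory'
            actions.append((f'delete_{section}', line, note))
        elif section == 'registry':
            k = KEY_RE.match(line)
            if k:
                key = k.group('key')
                if k.group('minus'):   # [-key] form: the whole key goes
                    actions.append(('delete_key', key, 'whole key and all values removed'))
                continue
            v = VALUE_RE.match(line)
            if v and key:
                if v.group('value') == '-':   # "name"=- form: one value goes
                    actions.append(('delete_value', f'{key}\\{v.group("name")}', ''))
                else:
                    actions.append(('set_value', f'{key}\\{v.group("name")}', v.group('value')))
            else:
                actions.append(('unparsed', line, 'line ignored'))
        else:
            actions.append(('unparsed', line, 'outside any known section'))
    return actions


def summarize(actions):
    """Count actions by type so the reviewer sees the blast radius at a glance."""
    counts = {}
    for action, _, _ in actions:
        counts[action] = counts.get(action, 0) + 1
    return counts


if __name__ == '__main__':
    plan = parse_cfscript(CFSCRIPT)
    for action, target, note in plan:
        print(f'{action:13} {target}' + (f'   [{note}]' if note else ''))
    print(summarize(plan))
```

Run it before dragging a script onto ComboFix: the summary makes it obvious when a Folder:: line would wipe an entire application directory or a Registry:: line would remove a whole key rather than a single value.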
 
The system has been running fine since that .dll file got removed. Here is the combofix log -

ComboFix 09-10-01.05 - God 10/08/2009 16:23.23.2 - NTFSx86
Running from: c:\users\God\Desktop\ComboFix.exe
Command switches used :: C:\CFScript.txt
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -

FILE ::
"c:\users\God\Desktop\Appl Inst\Alcohol120_1.9.6.5403.rar"
"c:\users\God\Documents\download\xvsiriusvx\Fruityloops3.5\Fruity DX 10 for FruityLoops.exe"
"c:\users\God\Documents\download\xvsiriusvx\Fruityloops3.5\Plugins\Fruity\Generators\Fruity DX10\Fruity DX10.dll"
"c:\users\God\Documents\download\xvsiriusvx\FruityLoops3\Plugins\Fruity\Generators\Fruity DX10\Fruity DX10.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\God\Desktop\Appl Inst\Alcohol120_1.9.6.5403.rar
c:\users\God\Documents\download\xvsiriusvx\Fruityloops3.5\Fruity DX 10 for FruityLoops.exe
c:\users\God\Documents\download\xvsiriusvx\Fruityloops3.5\Plugins\Fruity\Generators\Fruity DX10\Fruity DX10.dll
c:\users\God\Documents\download\xvsiriusvx\FruityLoops3\Plugins\Fruity\Generators\Fruity DX10\Fruity DX10.dll

.
((((((((((((((((((((((((( Files Created from 2009-09-08 to 2009-10-08 )))))))))))))))))))))))))))))))
.

2009-10-08 23:26 . 2009-10-08 23:26 -------- d-----w- c:\users\God\AppData\Local\temp
2009-10-08 23:26 . 2009-10-08 23:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-10-06 17:44 . 2009-10-06 17:52 -------- d-----w- C:\Doa2 U
2009-10-06 17:43 . 2009-10-06 17:43 -------- d-----w- c:\program files\MagicISO
2009-10-05 01:19 . 2009-10-06 17:15 -------- d-----w- c:\users\God\AppData\Local\Adobe
2009-10-05 01:04 . 2009-10-05 01:03 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-05 01:03 . 2009-10-05 01:03 -------- d-----w- c:\program files\Java
2009-10-03 08:54 . 2009-10-01 17:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-27 01:03 . 2009-09-27 01:06 680 ----a-w- c:\users\God\AppData\Local\d3d9caps.dat
2009-09-26 04:20 . 2009-09-26 04:54 -------- d-----w- c:\program files\Warcraft III Non-Patched
2009-09-17 23:10 . 2009-09-17 23:10 -------- d-----w- C:\found.001
2009-09-17 18:32 . 2009-09-17 18:32 -------- d-----w- c:\program files\Trend Micro
2009-09-17 18:11 . 2009-09-17 18:11 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-09-17 18:11 . 2009-09-18 13:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-17 18:11 . 2009-09-17 18:11 -------- d-----w- c:\users\God\AppData\Roaming\SUPERAntiSpyware.com
2009-09-17 05:28 . 2009-09-17 05:28 -------- d-----w- c:\program files\Alwil Software
2009-09-16 22:28 . 2009-09-16 22:28 -------- d-----w- C:\Autoruns
2009-09-16 21:02 . 2009-10-03 01:28 -------- d-----w- c:\users\God\Tracing
2009-09-16 21:01 . 2009-09-16 21:01 -------- d-----w- c:\program files\Microsoft
2009-09-16 21:01 . 2009-09-16 21:01 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-09-16 21:00 . 2009-09-16 21:01 -------- d-----w- c:\program files\Windows Live
2009-09-16 20:59 . 2009-09-16 20:59 -------- d-----w- c:\program files\Common Files\Windows Live

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-05 00:50 . 2007-02-09 14:13 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-26 04:23 . 2007-05-01 19:13 95967 ----a-w- c:\windows\War3Unin.dat
2009-09-26 04:23 . 2007-05-01 19:13 2829 ----a-w- c:\windows\War3Unin.pif
2009-09-26 04:23 . 2007-05-01 19:13 126976 ----a-w- c:\windows\War3Unin.exe
2009-09-26 04:16 . 2007-05-01 19:10 -------- d-----w- c:\program files\Warcraft III
2009-09-18 22:50 . 2008-11-12 02:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-17 20:42 . 2007-02-09 14:32 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-17 20:42 . 2007-02-09 14:33 -------- d-----w- c:\programdata\Symantec
2009-09-17 20:41 . 2007-02-09 14:33 -------- d-----w- c:\program files\Symantec
2009-09-17 18:10 . 2009-02-19 01:38 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-11 08:40 . 2008-05-10 09:38 -------- d-----w- c:\program files\DOSBox-0.72
2009-09-10 21:54 . 2008-11-12 02:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2008-11-12 02:28 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-02 06:54 . 2007-02-09 13:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-02 06:53 . 2009-09-02 06:53 -------- d-----w- c:\program files\Linksys
2009-09-02 06:22 . 2009-09-02 06:22 -------- d-----w- c:\program files\Dynex G USB Network Adapter
2009-08-30 01:02 . 2009-08-30 01:02 -------- d-----w- c:\program files\EASEUS
2009-08-21 23:15 . 2009-08-21 23:15 -------- d-----w- c:\users\God\AppData\Roaming\RayV
2009-08-21 23:14 . 2009-08-21 23:14 -------- d-----w- c:\program files\RayV
2009-08-21 02:32 . 2009-08-21 02:32 -------- d-----w- c:\program files\Photo Album
2009-08-18 02:10 . 2008-05-13 09:42 -------- d-----w- c:\program files\Microsoft SQL Server
2009-08-18 02:10 . 2007-02-09 14:15 -------- d-----w- c:\programdata\Microsoft Help
2009-08-18 02:06 . 2009-08-18 02:03 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2009-08-18 02:04 . 2009-08-18 02:03 -------- d-----w- c:\program files\Common Files\Merge Modules
2009-08-18 02:00 . 2009-08-18 02:00 -------- d-----w- c:\program files\Microsoft SDKs
2009-08-18 01:57 . 2009-08-18 01:57 97800 ----a-w- c:\windows\system32\infocardapi.dll
2009-08-18 01:57 . 2009-08-18 01:57 622080 ----a-w- c:\windows\system32\icardagt.exe
2009-08-18 01:57 . 2009-08-18 01:57 11264 ----a-w- c:\windows\system32\icardres.dll
2009-08-18 01:57 . 2009-08-18 01:57 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-08-18 01:57 . 2009-08-18 01:57 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2009-08-18 01:57 . 2009-08-18 01:57 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2009-08-18 01:57 . 2009-08-18 01:57 326160 ----a-w- c:\windows\system32\PresentationHost.exe
2009-08-18 01:45 . 2009-08-18 01:45 96760 ----a-w- c:\windows\system32\dfshim.dll
2009-08-18 01:45 . 2009-08-18 01:45 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-08-18 01:45 . 2009-08-18 01:45 282112 ----a-w- c:\windows\system32\mscoree.dll
2009-08-18 01:45 . 2009-08-18 01:45 83968 ----a-w- c:\windows\system32\mscories.dll
2009-08-18 01:45 . 2009-08-18 01:45 158720 ----a-w- c:\windows\system32\mscorier.dll
2009-08-17 04:43 . 2007-05-17 01:36 -------- d-----w- c:\program files\Starcraft
2009-08-16 18:45 . 2009-08-16 18:45 -------- d-----w- c:\program files\Western Digital Corporation
2009-08-15 08:33 . 2009-08-15 08:20 -------- d-----w- c:\programdata\Blizzard Entertainment
2009-08-11 21:42 . 2009-08-11 21:42 -------- d-----w- c:\program files\PC Inspector File Recovery
2009-08-11 17:07 . 2009-08-11 17:07 -------- d-----w- c:\program files\WinUndelete
.

((((((((((((((((((((((((((((( SnapShot@2009-10-04_12.13.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-02-09 14:44 . 2009-10-05 01:04 31894 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-10-07 06:02 70084 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-04-28 07:10 . 2009-10-07 06:02 10620 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4058141398-2658812619-3498018259-1000_UserData.bin
- 2007-04-28 23:17 . 2009-04-19 00:29 84661 c:\windows\System32\Macromed\Flash\uninstall_plugin.exe
+ 2009-10-05 00:56 . 2009-10-05 08:26 84661 c:\windows\System32\Macromed\Flash\uninstall_plugin.exe
+ 2009-10-05 00:51 . 2009-10-05 00:51 89101 c:\windows\System32\Macromed\Flash\uninstall_activeX.exe
+ 2007-04-28 07:17 . 2009-10-07 06:02 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-04-28 07:17 . 2009-10-04 00:29 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-04-28 07:17 . 2009-10-04 00:29 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-04-28 07:17 . 2009-10-07 06:02 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-04-28 07:17 . 2009-10-04 00:29 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2007-04-28 07:17 . 2009-10-07 06:02 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2007-04-29 01:24 . 2009-09-07 08:51 2682 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2007-04-29 01:24 . 2009-10-04 13:39 2682 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2009-10-05 01:01 . 2009-10-07 05:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-10-05 01:01 . 2009-10-07 05:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 10:33 . 2009-10-07 06:05 457942 c:\windows\System32\perfc009.dat
+ 2009-07-18 03:21 . 2009-07-18 03:21 257440 c:\windows\System32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2009-07-18 03:12 . 2009-07-18 03:12 257440 c:\windows\System32\Macromed\Flash\FlashUtil10c.exe
+ 2009-10-05 01:04 . 2009-10-05 01:03 149280 c:\windows\System32\javaws.exe
+ 2009-10-05 01:04 . 2009-10-05 01:03 145184 c:\windows\System32\javaw.exe
+ 2009-10-05 01:04 . 2009-10-05 01:03 145184 c:\windows\System32\java.exe
+ 2006-11-02 10:33 . 2009-10-07 06:05 1642332 c:\windows\System32\perfh009.dat
+ 2009-07-18 03:21 . 2009-07-18 03:21 3883424 c:\windows\System32\Macromed\Flash\NPSWF32.dll
+ 2009-10-05 00:51 . 2009-10-05 00:51 3938816 c:\windows\Installer\5a281.msi
+ 2009-10-05 01:03 . 2009-10-05 01:03 1757696 c:\windows\Installer\286b0.msi
+ 2009-07-18 03:12 . 2009-07-18 03:12 1962160 c:\windows\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-02-10 90192]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-02-10 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-02-10 81920]
"MSConfig"="c:\windows\System32\msconfig.exe" [2006-11-02 222208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-12-19 8720384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^GetRight - Tray Icon.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\GetRight - Tray Icon.lnk
backup=c:\windows\pss\GetRight - Tray Icon.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Connections.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Connections.lnk
backup=c:\windows\pss\HP Connections.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Service Manager.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Service Manager.lnk
backup=c:\windows\pss\Service Manager.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^God^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Registration Heroes of Might & Magic 5.LNK]
path=c:\users\God\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Registration Heroes of Might & Magic 5.LNK
backup=c:\windows\pss\Registration Heroes of Might & Magic 5.LNK.Startup
backupExtension=.Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"= c:\program files\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{26196EA3-C3A5-4E52-8639-378CCD48E919}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{8ED9198E-88E9-4FC6-A175-5D370491351E}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{3E40D532-807E-4817-82AF-9663E6904A7B}"= UDP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{DE06A27E-4C43-4096-BC87-2F3F35BE3663}"= TCP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{517C1DF7-3350-4623-BDD0-A089F7280BB8}"= UDP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{B6907B4A-B2F2-4B9A-8E9F-86A900A77496}"= TCP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{BAACC9BF-2F2D-4B3F-BD97-7943549C16EF}"= c:\program files\HP Connections\6811507\Program\HP Connections:HP Connections
"{C0732967-EBA3-4692-9101-6441CE90F3EC}"= UDP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{92D16FFE-3827-4167-A697-96922BC60EFA}"= TCP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{A974D757-AF29-4889-A452-DA741D2938B3}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{0BE2B827-0842-432D-A6B5-19989399CDF8}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{24EE35E3-1883-439B-A1BF-E16011E8ACEB}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{8538C621-E095-4FA6-8750-47507F1012E7}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{7F377FE4-F98D-42AC-B5D8-EEE41A80F757}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{71EB98AF-4B7D-4682-B743-4E55C7565689}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"TCP Query User{8D16B031-CCC0-4ACA-BDAB-9E67DE736150}c:\\program files\\aim\\aim.exe"= UDP:c:\program files\aim\aim.exe:AOL Instant Messenger
"UDP Query User{8F774461-2148-432A-AD4C-1C4960DBD8C7}c:\\program files\\aim\\aim.exe"= TCP:c:\program files\aim\aim.exe:AOL Instant Messenger
"TCP Query User{0276CBF2-6759-46F2-ADAD-2BC21325D57C}c:\\program files\\leisure suit larry(tm) - magna cum laude trailer\\lslmcmtrailer.exe"= UDP:c:\program files\leisure suit larry(tm) - magna cum laude trailer\lslmcmtrailer.exe:LSLMCMtrailer
"UDP Query User{3174D667-739C-4088-9731-BEB37B025E3A}c:\\program files\\leisure suit larry(tm) - magna cum laude trailer\\lslmcmtrailer.exe"= TCP:c:\program files\leisure suit larry(tm) - magna cum laude trailer\lslmcmtrailer.exe:LSLMCMtrailer
"TCP Query User{9C8EB56E-238A-47FD-B6ED-4E6F55D55E88}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{62C0404B-B635-488E-9407-E97E8FCB53FB}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"{2980634D-BBB1-4C0C-8327-C55CA39F4A01}"= c:\program files\Electronic Arts\Command & Conquer 3\RetailExe\1.0\cnc3game.dat:Command & Conquer 3 Tiberium Wars
"TCP Query User{8D09BB90-2412-41A9-A7CD-E4B774D11A03}c:\\users\\god\\appdata\\local\\temp\\electronicarts_patcher_000.exe"= UDP:c:\users\god\appdata\local\temp\electronicarts_patcher_000.exe:electronicarts_patcher_000.exe
"UDP Query User{64FBB2A3-E4B4-4DEE-AF5C-D5A6E81C8A1F}c:\\users\\god\\appdata\\local\\temp\\electronicarts_patcher_000.exe"= TCP:c:\users\god\appdata\local\temp\electronicarts_patcher_000.exe:electronicarts_patcher_000.exe
"TCP Query User{B355E7D4-36F8-4A85-87F8-E60C5286D796}c:\\program files\\electronic arts\\command & conquer 3\\retailexe\\1.4\\cnc3game.dat"= UDP:c:\program files\electronic arts\command & conquer 3\retailexe\1.4\cnc3game.dat:Command and Conquer 3 Tiberium Wars™
"UDP Query User{DFD3318C-4A61-413E-8584-5240FFE199FA}c:\\program files\\electronic arts\\command & conquer 3\\retailexe\\1.4\\cnc3game.dat"= TCP:c:\program files\electronic arts\command & conquer 3\retailexe\1.4\cnc3game.dat:Command and Conquer 3 Tiberium Wars™
"TCP Query User{9BED35EE-C58A-4F9D-B77C-28F1EE38E555}c:\\westwood\\dune2000\\dune2000.dat"= UDP:c:\westwood\dune2000\dune2000.dat:Dune2000
"UDP Query User{4C415A29-DAF5-4ACE-9C70-9E466A64313E}c:\\westwood\\dune2000\\dune2000.dat"= TCP:c:\westwood\dune2000\dune2000.dat:Dune2000
"TCP Query User{79F6DAC0-A615-4B77-A58B-A81EBE7EAD52}c:\\program files\\starcraft\\starcraft.exe"= UDP:c:\program files\starcraft\starcraft.exe:Starcraft
"UDP Query User{FE2A8E6D-57E7-49D0-8764-533B5739FE92}c:\\program files\\starcraft\\starcraft.exe"= TCP:c:\program files\starcraft\starcraft.exe:Starcraft
"TCP Query User{5A5FF2C5-2AF8-4EA3-961D-C59D281B0A81}c:\\program files\\warcraft iii\\war3.exe"= UDP:c:\program files\warcraft iii\war3.exe:Warcraft III
"UDP Query User{75DEDAE8-304F-439E-9B40-BB795FC0DA5F}c:\\program files\\warcraft iii\\war3.exe"= TCP:c:\program files\warcraft iii\war3.exe:Warcraft III
"{ED462B4F-72A5-418F-A095-4CD413950288}"= UDP:6112:B.net
"{F182C4DC-0749-4E00-8BCB-B03B0375D48B}"= UDP:6113:B.net
"{ED638FC2-26F9-415F-A771-208E013E4BEB}"= UDP:6114:B.net
"{06776857-3006-4012-948C-9DF739117DF0}"= UDP:6115:B.net
"{080171F4-F98B-4B34-9774-7F6259FED636}"= UDP:6116:B.net
"{0EAA7923-29EA-4CBB-9134-790BC026009B}"= UDP:6117:B.net
"{977AA017-F67D-4690-BB09-01BBEC10A0AE}"= UDP:6118:B.net
"{2699B3E2-0E72-4841-B546-B621ED6CFD58}"= UDP:6119:B.net
"{8E59963D-D832-4626-BDCD-D4CDCF717DBF}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{E2E03474-BDDE-420C-BDB4-36AA1E7E7A6D}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{50EC4FC5-181A-46DD-879A-34BD2D3D63E7}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{9C1C0D33-9796-40F6-AA10-4DD82412A33D}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{21F02CC3-8343-4144-89B2-48DDB47055E0}"= UDP:c:\program files\EA Games\The Battle for Middle-earth (tm)\game.dat:The Battle for Middle-earth (tm)
"{28B26B33-D918-4803-BECF-6E03C171BD4F}"= TCP:c:\program files\EA Games\The Battle for Middle-earth (tm)\game.dat:The Battle for Middle-earth (tm)
"{B7B47648-2FFB-4B3F-A133-12BF51510F30}"= UDP:c:\program files\Firefly Studios\Stronghold 2\Stronghold2.exe:Stronghold 2
"{BF1F0559-A45F-47C8-AC45-13A40415B40C}"= TCP:c:\program files\Firefly Studios\Stronghold 2\Stronghold2.exe:Stronghold 2
"TCP Query User{92E69FF4-225C-46AB-ACF0-3AD19046FD89}c:\\program files\\ea games\\the battle for middle-earth (tm)\\patchget.dat"= UDP:c:\program files\ea games\the battle for middle-earth (tm)\patchget.dat:patchgrabber
"UDP Query User{EA65CE03-2EC0-4144-A462-16CE734037C2}c:\\program files\\ea games\\the battle for middle-earth (tm)\\patchget.dat"= TCP:c:\program files\ea games\the battle for middle-earth (tm)\patchget.dat:patchgrabber
"TCP Query User{9D40094E-5988-4AA4-91AD-B392D5E96CD6}c:\\program files\\aim\\aim.exe"= UDP:c:\program files\aim\aim.exe:AOL Instant Messenger
"UDP Query User{7C0300AD-6FDC-41C2-A3F9-FC9A089CCD88}c:\\program files\\aim\\aim.exe"= TCP:c:\program files\aim\aim.exe:AOL Instant Messenger
"TCP Query User{B4C7D793-5666-49DA-8C97-26FCEC48A2D1}c:\\program files\\starcraft\\starcraft.exe"= UDP:c:\program files\starcraft\starcraft.exe:StarCraft
"UDP Query User{9D94ECDC-EA9B-4290-B246-45B5BC2E667F}c:\\program files\\starcraft\\starcraft.exe"= TCP:c:\program files\starcraft\starcraft.exe:StarCraft
"TCP Query User{34F3FBFC-A008-4310-A27E-B15439F5B33D}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{48C4016F-CCCA-4579-9402-B6F5363AB0B8}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"{673D4604-243B-4C43-B44F-A1E9A2A2E59B}"= UDP:c:\program files\Sierra Entertainment\World in Conflict\wic.exe:World in Conflict
"{FF65BDD6-4BF6-4FC0-A1FD-93C32D408410}"= TCP:c:\program files\Sierra Entertainment\World in Conflict\wic.exe:World in Conflict
"{512EAE54-D761-48C3-8CD2-D71441C1599F}"= UDP:c:\program files\Sierra Entertainment\World in Conflict\wic_online.exe:World in Conflict - Online Only
"{7EAE77F3-055A-410D-B847-94F5AA1C7C36}"= TCP:c:\program files\Sierra Entertainment\World in Conflict\wic_online.exe:World in Conflict - Online Only
"{6CC96A6D-EFEC-47C9-B9C1-E4E07EFC49BD}"= UDP:c:\program files\Sierra Entertainment\World in Conflict\wic_ds.exe:World in Conflict - Dedicated Server
"{434C1B63-FD30-43F1-A356-8E6AB88E4D75}"= TCP:c:\program files\Sierra Entertainment\World in Conflict\wic_ds.exe:World in Conflict - Dedicated Server
"{0DF9CFF0-164B-4A48-BD93-2E6D0BEF0990}"= Disabled:UDP:c:\program files\MySpace\IM\MySpaceIM.exe:MySpaceIM
"{66FA5505-E381-41ED-AC85-1EFA5134516B}"= Disabled:TCP:c:\program files\MySpace\IM\MySpaceIM.exe:MySpaceIM
"TCP Query User{B3DBDE79-CBDA-4207-B144-4B706091584C}c:\\program files\\electronic arts\\command & conquer 3\\retailexe\\1.5\\cnc3game.dat"= UDP:c:\program files\electronic arts\command & conquer 3\retailexe\1.5\cnc3game.dat:Command and Conquer 3 Tiberium Wars™
"UDP Query User{C8E858EF-3A3E-47B7-B391-F76942F06436}c:\\program files\\electronic arts\\command & conquer 3\\retailexe\\1.5\\cnc3game.dat"= TCP:c:\program files\electronic arts\command & conquer 3\retailexe\1.5\cnc3game.dat:Command and Conquer 3 Tiberium Wars™
"TCP Query User{947C9B61-CDF0-48D5-850B-290D28469D8E}c:\\users\\god\\appdata\\local\\temp\\electronicarts_patcher_000.exe"= UDP:c:\users\god\appdata\local\temp\electronicarts_patcher_000.exe:Command and Conquer 3 Tiberium Wars™ Launcher
"UDP Query User{F2AF3FB1-846A-48FC-8C70-A27DB3605BA0}c:\\users\\god\\appdata\\local\\temp\\electronicarts_patcher_000.exe"= TCP:c:\users\god\appdata\local\temp\electronicarts_patcher_000.exe:Command and Conquer 3 Tiberium Wars™ Launcher
"{E8CF3913-9046-440B-84DF-42314CC18153}"= TCP:6112:BNET
"TCP Query User{8B8C899B-B1DD-4B3F-BABB-E9B3C1A9F14B}c:\\program files\\njstar communicator\\minismtp.exe"= UDP:c:\program files\njstar communicator\minismtp.exe:NJStar Mini SMTP Server
"UDP Query User{7B73ED02-C529-42EB-ACAB-54BB2E0AAE64}c:\\program files\\njstar communicator\\minismtp.exe"= TCP:c:\program files\njstar communicator\minismtp.exe:NJStar Mini SMTP Server
"{C85D37A4-F163-425F-BC6C-8D72A4AA6302}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{53326890-DDFD-4C3B-83E6-7F322C97EC6C}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{FDE982CC-3FF6-4217-A607-6C0AC6711901}c:\\program files\\ea games\\red alert 3 beta\\retailexe\\1.2\\ra3game.dat"= UDP:c:\program files\ea games\red alert 3 beta\retailexe\1.2\ra3game.dat:Command and Conquer Red Alert 3™
"UDP Query User{76D857FD-DEDE-4451-8C05-B21E5EE5A206}c:\\program files\\ea games\\red alert 3 beta\\retailexe\\1.2\\ra3game.dat"= TCP:c:\program files\ea games\red alert 3 beta\retailexe\1.2\ra3game.dat:Command and Conquer Red Alert 3™
"{DFD69AE9-8EC7-496F-BA97-9B508AB01BE8}"= c:\program files\Electronic Arts\Command & Conquer 3 Kane's Wrath\RetailExe\1.0\cnc3ep1.dat:Command & Conquer(tm) 3: Kane's Wrath
"TCP Query User{E9B84F8C-F03A-4531-9511-9EAEAF5F3BEA}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{0BB8F4DA-1AF5-46F7-B262-C147FB85CCFF}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{BF584BCB-3844-4D11-BD70-033FF72C0B83}"= UDP:c:\users\Public\Documents\Blizzard Entertainment\World of Warcraft\WoW-2.4.3-to-3.0.2-enUS-Win-Final-downloader.exe:Blizzard Downloader
"{D76375EF-7C03-43D6-8244-D258323B8535}"= TCP:c:\users\Public\Documents\Blizzard Entertainment\World of Warcraft\WoW-2.4.3-to-3.0.2-enUS-Win-Final-downloader.exe:Blizzard Downloader
"{B3B70193-33E8-4678-BD30-4DA162DFCC6E}"= UDP:3724:Blizzard Downloader: 3724
"TCP Query User{E1ABFCCE-8E52-4E4E-B2C7-95F8F101E16E}c:\\program files\\electronic arts\\red alert 3\\data\\ra3_1.3.game"= UDP:c:\program files\electronic arts\red alert 3\data\ra3_1.3.game:Command & Conquer™ Red Alert™ 3
"UDP Query User{E877B667-D13D-4914-AFAB-D84C4DB0A9E1}c:\\program files\\electronic arts\\red alert 3\\data\\ra3_1.3.game"= TCP:c:\program files\electronic arts\red alert 3\data\ra3_1.3.game:Command & Conquer™ Red Alert™ 3
"TCP Query User{23F824E7-C03A-4F5E-BEBC-B5468C0F77EE}c:\\program files\\electronic arts\\eadm\\core.exe"= UDP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager
"UDP Query User{2DDB33C0-6E46-41BB-9092-957A7F7495DB}c:\\program files\\electronic arts\\eadm\\core.exe"= TCP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager
"{EC50BF5D-9B86-4CDB-A927-91021458DC8C}"= UDP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe
"{6D376A83-783A-4015-B844-B95544A7FA2B}"= TCP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe
"{E8B56CA2-3095-48AE-BBE6-58CE5878FE41}"= UDP:c:\users\Public\Games\World of Warcraft\BackgroundDownloader.exe:Blizzard Downloader
"{DBB01B00-17C5-4ADA-873C-38BF70128375}"= TCP:c:\users\Public\Games\World of Warcraft\BackgroundDownloader.exe:Blizzard Downloader
"{C3D0CA3A-B4E1-4507-ADFA-73A767520D13}"= UDP:c:\program files\Autodesk\Backburner\monitor.exe:backburner 2.3 monitor
"{7550AD99-DF57-4C40-8084-8AF683D06AFD}"= TCP:c:\program files\Autodesk\Backburner\monitor.exe:backburner 2.3 monitor
"{52DC1ECA-1454-4C8B-A2AB-2E3BE589196A}"= UDP:c:\program files\Autodesk\Backburner\manager.exe:backburner 2.3 manager
"{96C70FE3-2A7B-4637-A4B7-9CC883CBB872}"= TCP:c:\program files\Autodesk\Backburner\manager.exe:backburner 2.3 manager
"{68926876-C642-4F89-9B29-20EA7C23B817}"= UDP:c:\program files\Autodesk\Backburner\server.exe:backburner 2.3 server
"{CA37B39A-32DE-41A3-A646-EB69D6F69D61}"= TCP:c:\program files\Autodesk\Backburner\server.exe:backburner 2.3 server
"{C0572B0B-D866-47D7-8406-265DE452095C}"= UDP:c:\program files\Autodesk\3ds Max 2009\3dsmax.exe:Autodesk 3ds Max 2009 32-bit
"{A1C2F8DE-E250-4656-B932-0D556E0C5881}"= TCP:c:\program files\Autodesk\3ds Max 2009\3dsmax.exe:Autodesk 3ds Max 2009 32-bit
"TCP Query User{647301F6-B2B7-4926-B3E2-4E52FB285E0D}c:\\users\\public\\games\\world of warcraft\\launcher.exe"= UDP:c:\users\public\games\world of warcraft\launcher.exe:Blizzard Launcher
"UDP Query User{11267CD2-4495-43B4-AE53-6BCA294A6EE6}c:\\users\\public\\games\\world of warcraft\\launcher.exe"= TCP:c:\users\public\games\world of warcraft\launcher.exe:Blizzard Launcher
"{377E4EE4-42F7-4A9D-97B6-0E3BBDB44DD9}"= UDP:c:\users\Public\Documents\Blizzard Entertainment\World of Warcraft\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe:Blizzard Downloader
"{08F6C6E2-281B-4FDC-9B80-A0570FC4A320}"= TCP:c:\users\Public\Documents\Blizzard Entertainment\World of Warcraft\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe:Blizzard Downloader
"{84AF128E-CC39-453F-B5D8-D0875F19BA3C}"= UDP:c:\program files\RayV\RayV\RayV.exe:RayV
"{8505BF10-5FA0-4EE1-AD75-3A7EB94F5C19}"= TCP:c:\program files\RayV\RayV\RayV.exe:RayV
"{2350FC20-8D2F-4C32-AA9C-90599F71D985}"= UDP:c:\program files\RayV\RayV\RayV.dll:RayV
"{BE75D9DF-653F-4BB0-BE00-BF841290C1CD}"= TCP:c:\program files\RayV\RayV\RayV.dll:RayV
"{A42FE5EE-A73B-4678-A948-717F22080F8D}"= UDP:c:\program files\RayV\RayV\RayV.exe:RayV
"{3EB6883C-BF3D-42E8-B9C4-CEDA44747A01}"= TCP:c:\program files\RayV\RayV\RayV.exe:RayV
"{7EA00B2A-7CB5-4188-A704-4D757958598C}"= UDP:c:\program files\RayV\RayV\RayV.dll:RayV
"{B83C1EFD-AFD2-4777-8003-3BE2D3BB60AB}"= TCP:c:\program files\RayV\RayV\RayV.dll:RayV
"{25C44D16-E180-4D82-B04E-90C76CDB572C}"= UDP:c:\users\Public\Documents\Blizzard Entertainment\World of Warcraft\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe:Blizzard Downloader
"{0F2BBE2C-4977-4A97-AF10-DEAF7F0612FE}"= TCP:c:\users\Public\Documents\Blizzard Entertainment\World of Warcraft\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe:Blizzard Downloader

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"= c:\program files\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3

R3 dhdusb.NTx86;Dynex Wireless G USB Network Adapter Service;c:\windows\system32\DRIVERS\bcmusbdhdlh.sys [2007-09-20 241656]
R3 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\idsdefs\20061025.029\IDSvix86.sys [2006-10-20 202872]
R3 netr28u;Linksys USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2007-12-15 570880]
R3 netr73;RT73 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [2008-02-26 493568]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-09-04 7408]
R3 xbreader;MaxDrive XBox Driver (xbreader.sys);c:\windows\system32\Drivers\xbreader.sys [2001-01-03 19677]
R4 gupdate1c990d4364974e0;Google Update Service (gupdate1c990d4364974e0);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-17 133104]
R4 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [2008-03-10 65536]
S0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2007-03-30 38448]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-09-04 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-09-04 74480]
S3 hcw18bda;Hauppauge WinTV 418 Driver;c:\windows\system32\drivers\hcw18bda.sys [2007-01-15 354432]

.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.google.com
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
TCP: {02E6CBA4-8781-47F5-A589-BF56C1769B39} = 205.171.3.65,205.171.2.65
TCP: {4829F261-888A-41AF-B8E6-A3CE273A9ECE} = 205.171.3.65,205.171.2.65
TCP: {661F7C4B-287E-424C-A54C-D9FD73AE460E} = 205.171.3.65,205.171.2.65
FF - ProfilePath - c:\users\God\AppData\Roaming\Mozilla\Firefox\Profiles\sc4c04ev.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npWebLaunch.dll
FF - plugin: c:\program files\RayV\RayV\plugins\nprayvplugin.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-08 16:26
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4058141398-2658812619-3498018259-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:5f,29,67,a9,75,a2,b3,77,65,ad,bf,61,e6,a0,bd,15,62,bc,a2,80,e9,ee,13,
e5,7d,8c,f3,cb,a6,42,a2,b9,36,3e,59,cf,4e,22,b5,70,4e,8e,e7,36,4a,06,21,1d,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d

[HKEY_USERS\S-1-5-21-4058141398-2658812619-3498018259-1000\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:2a,13,5d,6e,ce,57,de,f2,ab,e8,5e,65,61,84,e9,be,f4,ce,de,04,4d,
b5,e4,74,c3,96,33,cd,0b,7d,3e,da,9b,3f,ab,aa,7e,55,a6,b8,27,ab,4f,97,c6,88,\
"rkeysecu"=hex:dd,bc,ad,1e,30,35,24,4f,1a,47,c7,1e,c5,3b,48,c4

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-10-08 16:28
ComboFix-quarantined-files.txt 2009-10-08 23:28
ComboFix2.txt 2009-10-05 00:12
ComboFix3.txt 2009-10-04 12:17

Pre-Run: 14,296,301,568 bytes free
Post-Run: 14,412,931,072 bytes free

372 --- E O F --- 2008-02-23 11:06
 
Good. Looks like the final steps are only remaining now :)


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points, which are likely to be infected. Please note you need Administrator Access to clean the restore points.

A. To disable the System Restore feature:

1. Click on the Start button.
2. Hover over the Computer option, right click on it and then click Properties.
3. On the left hand side, click Advanced Settings.
4. If asked to permit the action, click on Allow.
5. Click on the System Protection tab.
6. Uncheck any checkboxes listed for your hard drives.
7. Press OK.


B. Reboot.

C. Turn ON System Restore.
Follow the steps like you did when disabling system restore but on step 6. check any checkboxes listed for your hard drives.



Now let's uninstall ComboFix:
  • Click START then RUN
  • Now copy-paste Combofix /u in the runbox and click OK


Please download OTC and save it to desktop.
  • Double-click OTC.exe.
  • Click the CleanUp! button.
  • Select Yes when the
    Begin cleanup Process?
    prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.


UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

  • hosts file:
    • Every version of windows has a hosts file as part of them.
    • In a very basic sense, they are used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!
    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here.
    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    1. Click the start button (at the lower left hand corner of your screen)
    2. Click run
    3. In the dialog box, type services.msc
    4. Hit enter, then locate dns client
    5. Highlight it, then double-click it.
    6. On the dropdown box, change the setting from automatic to manual.
    7. Click ok


Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:
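The Internet Explorer zone settings and the hosts file / DNS Client steps in the post above can be checked from a PowerShell prompt instead of clicking through the dialogs. The script below is an added example for this thread, not something the helper or the original poster supplied. It is read-only: it reports the current state of the six Internet zone settings the post names, counts the blocking entries in the hosts file, and shows the DNS Client start mode. It assumes Windows with PowerShell 2.0 or later; the numeric zone action IDs (1001, 1004, 1201, 1607, 1800, 1804) and the meaning of the data values (0 = Enable, 1 = Prompt, 3 = Disable) are the ones Microsoft documents for the Internet Explorer security zones registry layout, and the "Recommended" column is taken from the post's own list.

```powershell
# Added example, not part of the original thread: a read-only audit of the
# hardening steps recommended above. Assumes Windows with PowerShell 2.0 or
# later. Nothing here changes a setting.

# Internet Explorer's "Internet" zone is zone 3. The value names are the zone
# action IDs from Microsoft's documented registry layout; data 0 = Enable,
# 1 = Prompt, 3 = Disable. "Want" is what the post recommends for each one.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$Recommended = @{
    '1001' = @{ Setting = 'Download signed ActiveX controls';                          Want = 1 }
    '1004' = @{ Setting = 'Download unsigned ActiveX controls';                        Want = 3 }
    '1201' = @{ Setting = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    '1800' = @{ Setting = 'Installation of desktop items';                             Want = 1 }
    '1804' = @{ Setting = 'Launching programs and files in an IFRAME';                 Want = 1 }
    '1607' = @{ Setting = 'Navigate sub-frames across different domains';              Want = 1 }
}
$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneValueLabel($Value) {
    # A missing value means IE is using its built-in default for that action.
    if ($Value -eq $null) { return 'not set (IE default)' }
    if ($Labels.ContainsKey([int]$Value)) { return $Labels[[int]$Value] }
    return "unknown ($Value)"
}

function Test-IeInternetZone {
    # One row per recommended setting: current data, recommended data, OK/CHANGE.
    $props = Get-ItemProperty -Path $ZoneKey
    foreach ($id in ($Recommended.Keys | Sort-Object)) {
        $current = $props.$id
        $want    = $Recommended[$id].Want
        $status  = 'CHANGE'
        if ($current -ne $null -and [int]$current -eq $want) { $status = 'OK' }
        New-Object PSObject -Property @{
            Id          = $id
            Setting     = $Recommended[$id].Setting
            Current     = Get-ZoneValueLabel $current
            Recommended = $Labels[$want]
            Status      = $status
        }
    }
}

function Get-HostsBlockEntries {
    # Hostnames the hosts file points at the loopback or unspecified address;
    # that redirection is how a blocking hosts file "blocks certain webpages".
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -Path $hostsPath | ForEach-Object {
        $line = ($_ -split '#')[0].Trim()          # strip comments and whitespace
        if ($line -match '^(127\.0\.0\.1|0\.0\.0\.0)\s+(\S+)' -and $matches[2] -ne 'localhost') {
            $matches[2]
        }
    }
}

function Get-DnsClientStartMode {
    # Step 6 of the hosts-file advice: the DNS Client (Dnscache) service on
    # Manual rather than Auto avoids the slowdown a large hosts file can cause.
    (Get-WmiObject -Class Win32_Service -Filter "Name='Dnscache'").StartMode
}

Write-Host 'Internet Explorer, Internet zone (HKCU):'
Test-IeInternetZone | Select-Object Id, Setting, Current, Recommended, Status | Format-Table -AutoSize

$blocked = @(Get-HostsBlockEntries)
Write-Host ("Hosts file blocking entries: {0}" -f $blocked.Count)

$mode = Get-DnsClientStartMode
Write-Host ("DNS Client (Dnscache) start mode: {0}" -f $mode)
if ($blocked.Count -gt 0 -and $mode -eq 'Auto') {
    Write-Host 'Blocking hosts file in use with DNS Client on Auto: consider setting it to Manual as described above.'
}
```

Run it from an ordinary PowerShell prompt; reading HKCU, the hosts file and the service list needs no elevation. A "CHANGE" row means the Custom Level setting still differs from what the post recommends, so that dialog step is not done yet. If you want to apply the DNS Client change from an elevated prompt instead of services.msc, `Set-Service -Name Dnscache -StartupType Manual` does the same thing as step 6.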
 
Alright, done all the steps above. The system seems to be working fine now; thank you for all your help with containing this issue. It's been the first time in a number of years that I've had a problem that I couldn't just figure out on my own.
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.
 