
Solved My Security Shield Malware Rascal!

Discussion in 'Malware and Virus Removal Archive' started by FuzMic, 2010/09/21.

  1. 2010/09/21
    FuzMic (Well-Known Member, Thread Starter)

    [Resolved] My Security Shield Malware Rascal!

    Hi forum friends,

    'My Security Shield' entered my PC (Windows XP SP3) and manifests itself as reported in various web postings.

    With msconfig I can see the rogue .exe in the Documents & Settings > All Users > Application Data > ##??# folder. By disabling it, it will not start at reboot. With rkill.exe the same is identified and shown as stopped; however, it remains on reboot, so disabling via msconfig is required so that it does not restart.

    The PC doesn't have Malwarebytes' Anti-Malware installed but had a free version of AVG antivirus & Spybot before the invasion.

    The PROBLEM
    After the entry of this rogue, 1) AVG antivirus & Spybot will not run; 2) Malwarebytes' is installed but won't start. This remains the same even after uninstallation and reinstallation. This also applies to Avira antivirus. Task Manager shows that mbam and Spybot are not running.

    Any proposals for this challenge? Some tinkering in the registry is required to stop the rascal from hijacking the OS and keeping the various antivirus programs from running. Interesting!!
     
  2. 2010/09/21
    PeteC (SuperGeek, Staff)

    Please read this as indicated at the head of the forum and post the logs requested in this thread.
     

  3. 2010/09/21
    FuzMic (Well-Known Member, Thread Starter)

    Thanks Pete, I did read the forum head but the DDS escaped my quick scan. So here are the DDS & ATTACH. I noticed the disallow entries, but removing them did not work. When I try to reinstall it fails, as it still notes the presence of the rogue in spite of removing it from the hard disk.



    DDS (Ver_10-03-17.01) - NTFSx86
    Run by user at 12:11:01.48 on 22-09-10
    Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_20
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.51 [GMT -7:00]

    AV: My Security Shield *On-access scanning enabled* (Updated) {38896EB5-E99B-4FA5-8880-96C6C76AE6B3}
    FW: My Security Shield *enabled* {3AD52EC3-9183-4F67-BE87-753AE3C27821}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\Sharp\Sharpdesk\IndexTray.exe
    C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\Sharp\SHARPD~1\Indexer.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\mydocs\Downloads\avg_free_stb_en_9_117_free.exe
    C:\DOCUME~1\user\LOCALS~1\Temp\7zS10.tmp\stub.exe
    C:\DOCUME~1\user\LOCALS~1\Temp\AVGDownloadManager\packages\setup\setup.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\mydocs\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.yahoo.com/
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    BHO: Yahooo Search Protection: {25bc7718-0bfa-40ea-b381-4b2d9732d686} - c:\program files\yahoo!\search protection\ysp.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
    uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [IndexTray] "c:\program files\sharp\sharpdesk\IndexTray.exe "
    mRun: [SharpTray] "c:\program files\sharp\sharpdesk\SharpTray.exe "
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe "
    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
    dRunOnce: [IE7-11] rundll32 advpack.dll,LaunchINFSection NR_IE7en.inf,AfterUserStart
    uPolicies-explorer: DisallowRun = 1 (0x1)
    uPolicies-disallowrun: 0 = msseces.exe
    uPolicies-disallowrun: 1 = MSASCui.exe
    uPolicies-disallowrun: 2 = ekrn.exe
    uPolicies-disallowrun: 3 = egui.exe
    uPolicies-disallowrun: 4 = avgnt.exe
    uPolicies-disallowrun: 5 = avcenter.exe
    uPolicies-disallowrun: 6 = avscan.exe
    uPolicies-disallowrun: 7 = avgfrw.exe
    uPolicies-disallowrun: 8 = avgui.exe
    uPolicies-disallowrun: 9 = avgtray.exe
    uPolicies-disallowrun: 10 = avgscanx.exe
    uPolicies-disallowrun: 11 = avgcfgex.exe
    uPolicies-disallowrun: 12 = avgemc.exe
    uPolicies-disallowrun: 13 = avgchsvx.exe
    uPolicies-disallowrun: 14 = avgcmgr.exe
    uPolicies-disallowrun: 15 = avgwdsvc.exe
    IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - c:\program files\yahoo!\search protection\ysp.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    TCP: NameServer = 93.188.163.181,93.188.166.181
    TCP: {6CD8894D-E5BF-4F23-82B5-0911F0899F2B} = 202.188.0.133,202.57.220.222
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
    Handler: sds - {79E0F14C-9C52-4218-89A7-7C4B0563D121} - c:\program files\sharp\sharpdesk\ExplorerExtensions.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
    IFEO: image file execution options - svchost.exe
    IFEO: a.exe - svchost.exe
    IFEO: aAvgApi.exe - svchost.exe
    IFEO: AAWTray.exe - svchost.exe
    IFEO: About.exe - svchost.exe

    Note: multiple IFEO entries found. Please refer to Attach.txt
    Hosts: 127.0.0.1 www.spywareinfo.com
    Hosts: 74.125.45.100 securitysoftwarepayments.com
    Hosts: 74.125.45.100 privatesecuredpayments.com
    Hosts: 74.125.45.100 secure.privatesecuredpayments.com
    Hosts: 74.125.45.100 secure-plus-payments.com

    Note: multiple HOSTS entries found. Please refer to Attach.txt

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\q8b4kudb.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
    FF - prefs.js: browser.search.selectedEngine - search
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
    FF - plugin: c:\documents and settings\user\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
    FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    ============= SERVICES / DRIVERS ===============

    R4 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys --> c:\windows\system32\drivers\avgtdix.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-9-7 136176]
    S2 SSHNAS;SSHNAS;c:\windows\system32\svchost.exe -k netsvcs [2004-8-3 14336]
    S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2010-9-7 30192]
    S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
    S3 SllProNT_Ldr;SllProNT_Ldr;c:\ubsnet\SLNTLDR.EXE [2010-9-1 35840]

    =============== Created Last 30 ================

    2010-09-22 18:43:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-22 18:43:01 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-22 18:43:01 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-21 19:44:28 0 d-----w- c:\windows\Downloaded Installations
    2010-09-21 18:53:24 81920 ----a-w- c:\windows\system32\Startup.cpl
    2010-09-20 20:27:32 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-09-20 20:15:46 0 d-sh--w- c:\docume~1\user\applic~1\My Security Shield
    2010-09-20 20:15:41 0 d-sh--w- c:\docume~1\alluse~1\applic~1\MSXUHOMAS
    2010-09-20 19:35:05 0 d-----w- c:\program files\AVG
    2010-09-20 19:34:47 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
    2010-09-17 18:37:18 131 ----a-w- c:\windows\system32\BTReg57.DLL
    2010-09-17 18:30:35 0 d-----w- c:\program files\Lock
    2010-09-15 20:16:58 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
    2010-09-15 20:16:58 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
    2010-09-15 19:37:48 0 d-----w- c:\docume~1\user\applic~1\TeamViewer
    2010-09-15 19:37:04 0 d-----w- c:\program files\TeamViewer
    2010-09-14 19:36:21 0 d--h--w- c:\windows\system32\GroupPolicy
    2010-09-14 18:40:36 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
    2010-09-14 18:40:36 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
    2010-09-09 19:47:03 186368 ----a-w- c:\windows\Hneged.exe
    2010-09-09 19:37:32 186368 ----a-w- c:\windows\Hnegeb.exe
    2010-09-09 19:37:15 186368 ----a-w- c:\windows\Hnegea.exe
    2010-09-09 19:21:03 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
    2010-09-09 19:21:02 89360 ----a-w- c:\windows\system32\VB5DB.DLL
    2010-09-09 19:21:02 440352 ----a-w- c:\windows\system32\MSHFLXGD.OCX
    2010-09-09 19:21:02 415504 ----a-w- c:\windows\system32\MSREPL35.DLL
    2010-09-09 19:21:02 252176 ----a-w- c:\windows\system32\MSRD2X35.DLL
    2010-09-09 19:21:02 24848 ----a-w- c:\windows\system32\MSJTER35.DLL
    2010-09-09 19:21:02 123664 ----a-w- c:\windows\system32\MSJINT35.DLL
    2010-09-09 19:21:02 1046288 ----a-w- c:\windows\system32\MSJET35.DLL
    2010-09-09 19:13:35 204907 ----a-w- c:\windows\system32\hibit_ser.dll
    2010-09-09 19:13:35 0 d-----w- c:\windows\system32\NtfsDriver
    2010-09-07 20:20:18 221184 ----a-w- c:\windows\system32\wmpns.dll
    2010-09-01 19:56:13 7328 ----a-w- c:\windows\system32\drivers\SLLPSVDR.SYS
    2010-09-01 19:25:38 0 d-----w- C:\UBSNET
    2010-09-01 18:32:31 0 d-----w- C:\c2z

    ==================== Find3M ====================

    2010-09-07 19:49:32 113576 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
    2010-07-22 18:37:30 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-05-28 00:32:18 16384 --sha-w- c:\windows\system32\config\systemprofile\cookies\index.dat
    2010-05-28 00:32:18 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
    2010-05-28 00:32:12 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010052720100528\index.dat
    2010-05-28 00:32:18 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

    ============= FINISH: 12:13:15.45 ===============



    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 20-01-10 01:58:45
    System Uptime: 22-09-10 11:40:17 (1 hours ago)

    Motherboard: ECS | | Iris8
    Processor: AMD Sempron(tm) Processor LE-1150 | Socket M2 | 2009/201mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 27 GiB total, 8.439 GiB free.
    D: is FIXED (NTFS) - 47 GiB total, 38.295 GiB free.
    E: is CDROM ()
    Z: is NetworkDisk (NTFS) - 24 GiB total, 2.634 GiB free.

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    No restore point in system.

    ==== Image File Execution Options =============

    IFEO: netutils.exe - svchost.exe
    IFEO: nisserv.exe - svchost.exe
    IFEO: nisum.exe - svchost.exe
    IFEO: nmain.exe - svchost.exe
    IFEO: nod32.exe - svchost.exe
    IFEO: normist.exe - svchost.exe
    IFEO: norton_internet_secu_3.0_407.exe - svchost.exe
    IFEO: notstart.exe - svchost.exe
    IFEO: npf40_tw_98_nt_me_2k.exe - svchost.exe
    IFEO: npfmessenger.exe - svchost.exe
    IFEO: nprotect.exe - svchost.exe
    IFEO: npscheck.exe - svchost.exe
    IFEO: npssvc.exe - svchost.exe
    IFEO: nsched32.exe - svchost.exe
    IFEO: nssys32.exe - svchost.exe
    IFEO: nstask32.exe - svchost.exe
    IFEO: nsupdate.exe - svchost.exe
    IFEO: nt.exe - svchost.exe
    IFEO: ntrtscan.exe - svchost.exe
    IFEO: ntvdm.exe - svchost.exe
    IFEO: ntxconfig.exe - svchost.exe
    IFEO: nui.exe - svchost.exe
    IFEO: nupgrade.exe - svchost.exe
    IFEO: nvarch16.exe - svchost.exe
    IFEO: nvc95.exe - svchost.exe
    IFEO: nvsvc32.exe - svchost.exe
    IFEO: nwinst4.exe - svchost.exe
    IFEO: nwservice.exe - svchost.exe
    IFEO: nwtool16.exe - svchost.exe
    IFEO: OAcat.exe - svchost.exe
    IFEO: OAhlp.exe - svchost.exe
    IFEO: OAReg.exe - svchost.exe
    IFEO: oasrv.exe - svchost.exe
    IFEO: oaui.exe - svchost.exe
    IFEO: oaview.exe - svchost.exe
    IFEO: OcHealthMon.exe - svchost.exe
    IFEO: ODSW.exe - svchost.exe
    IFEO: ollydbg.exe - svchost.exe
    IFEO: onsrvr.exe - svchost.exe
    IFEO: optimize.exe - svchost.exe
    IFEO: ostronet.exe - svchost.exe
    IFEO: otfix.exe - svchost.exe
    IFEO: outpost.exe - svchost.exe
    IFEO: outpostinstall.exe - svchost.exe
    IFEO: outpostproinstall.exe - svchost.exe
    IFEO: ozn695m5.exe - svchost.exe
    IFEO: padmin.exe - svchost.exe
    IFEO: panixk.exe - svchost.exe
    IFEO: patch.exe - svchost.exe
    IFEO: pav.exe - svchost.exe
    IFEO: pavcl.exe - svchost.exe
    IFEO: PavFnSvr.exe - svchost.exe
    IFEO: pavproxy.exe - svchost.exe
    IFEO: pavprsrv.exe - svchost.exe
    IFEO: pavsched.exe - svchost.exe
    IFEO: pavsrv51.exe - svchost.exe
    IFEO: pavw.exe - svchost.exe
    IFEO: pc.exe - svchost.exe
    IFEO: pccwin98.exe - svchost.exe
    IFEO: pcfwallicon.exe - svchost.exe
    IFEO: pcip10117_0.exe - svchost.exe
    IFEO: pcscan.exe - svchost.exe
    IFEO: pctsAuxs.exe - svchost.exe
    IFEO: pctsGui.exe - svchost.exe
    IFEO: pctsSvc.exe - svchost.exe
    IFEO: pctsTray.exe - svchost.exe
    IFEO: PC_Antispyware2010.exe - svchost.exe
    IFEO: pdfndr.exe - svchost.exe
    IFEO: pdsetup.exe - svchost.exe
    IFEO: PerAvir.exe - svchost.exe
    IFEO: periscope.exe - svchost.exe
    IFEO: persfw.exe - svchost.exe
    IFEO: personalguard - svchost.exe
    IFEO: personalguard.exe - svchost.exe
    IFEO: perswf.exe - svchost.exe
    IFEO: pf2.exe - svchost.exe
    IFEO: pfwadmin.exe - svchost.exe
    IFEO: pgmonitr.exe - svchost.exe
    IFEO: pingscan.exe - svchost.exe
    IFEO: platin.exe - svchost.exe
    IFEO: pop3trap.exe - svchost.exe
    IFEO: poproxy.exe - svchost.exe
    IFEO: popscan.exe - svchost.exe
    IFEO: portdetective.exe - svchost.exe
    IFEO: portmonitor.exe - svchost.exe
    IFEO: powerscan.exe - svchost.exe
    IFEO: ppinupdt.exe - svchost.exe
    IFEO: pptbc.exe - svchost.exe
    IFEO: ppvstop.exe - svchost.exe
    IFEO: prizesurfer.exe - svchost.exe
    IFEO: prmt.exe - svchost.exe
    IFEO: prmvr.exe - svchost.exe
    IFEO: procdump.exe - svchost.exe
    IFEO: processmonitor.exe - svchost.exe
    IFEO: procexplorerv1.0.exe - svchost.exe
    IFEO: programauditor.exe - svchost.exe
    IFEO: proport.exe - svchost.exe
    IFEO: protector.exe - svchost.exe
    IFEO: protectx.exe - svchost.exe
    IFEO: PSANCU.exe - svchost.exe
    IFEO: PSANHost.exe - svchost.exe
    IFEO: PSANToManager.exe - svchost.exe
    IFEO: PsCtrls.exe - svchost.exe
    IFEO: PsImSvc.exe - svchost.exe
    IFEO: PskSvc.exe - svchost.exe
    IFEO: pspf.exe - svchost.exe
    IFEO: PSUNMain.exe - svchost.exe
    IFEO: purge.exe - svchost.exe
    IFEO: qconsole.exe - svchost.exe
    IFEO: qh.exe - svchost.exe
    IFEO: qserver.exe - svchost.exe
    IFEO: Quick Heal.exe - svchost.exe
    IFEO: QuickHealCleaner.exe - svchost.exe
    IFEO: rapapp.exe - svchost.exe
    IFEO: rav7.exe - svchost.exe
    IFEO: rav7win.exe - svchost.exe
    IFEO: rav8win32eng.exe - svchost.exe
    IFEO: ray.exe - svchost.exe
    IFEO: rb32.exe - svchost.exe
    IFEO: rcsync.exe - svchost.exe
    IFEO: realmon.exe - svchost.exe
    IFEO: reged.exe - svchost.exe
    IFEO: regedt32.exe - svchost.exe
    IFEO: rescue.exe - svchost.exe
    IFEO: rescue32.exe - svchost.exe
    IFEO: rrguard.exe - svchost.exe
    IFEO: rscdwld.exe - svchost.exe
    IFEO: rshell.exe - svchost.exe
    IFEO: rtvscan.exe - svchost.exe
    IFEO: rtvscn95.exe - svchost.exe
    IFEO: rulaunch.exe - svchost.exe
    IFEO: rwg - svchost.exe
    IFEO: rwg.exe - svchost.exe
    IFEO: SafetyKeeper.exe - svchost.exe
    IFEO: safeweb.exe - svchost.exe
    IFEO: sahagent.exe - svchost.exe
    IFEO: Save.exe - svchost.exe
    IFEO: SaveArmor.exe - svchost.exe
    IFEO: SaveDefense.exe - svchost.exe
    IFEO: SaveKeep.exe - svchost.exe
    IFEO: savenow.exe - svchost.exe
    IFEO: sbserv.exe - svchost.exe
    IFEO: sc.exe - svchost.exe
    IFEO: scam32.exe - svchost.exe
    IFEO: scan32.exe - svchost.exe
    IFEO: scan95.exe - svchost.exe
    IFEO: scanpm.exe - svchost.exe
    IFEO: scrscan.exe - svchost.exe
    IFEO: seccenter.exe - svchost.exe
    IFEO: Secure Veteran.exe - svchost.exe
    IFEO: secureveteran.exe - svchost.exe
    IFEO: Security Center.exe - svchost.exe
    IFEO: SecurityFighter.exe - svchost.exe
    IFEO: securitysoldier.exe - svchost.exe
    IFEO: serv95.exe - svchost.exe
    IFEO: setloadorder.exe - svchost.exe
    IFEO: setupvameeval.exe - svchost.exe
    IFEO: setup_flowprotector_us.exe - svchost.exe
    IFEO: sgssfw32.exe - svchost.exe
    IFEO: sh.exe - svchost.exe
    IFEO: shellspyinstall.exe - svchost.exe
    IFEO: shield.exe - svchost.exe
    IFEO: shn.exe - svchost.exe
    IFEO: showbehind.exe - svchost.exe
    IFEO: signcheck.exe - svchost.exe
    IFEO: smart.exe - svchost.exe
    IFEO: smartprotector.exe - svchost.exe
    IFEO: smc.exe - svchost.exe
    IFEO: smrtdefp.exe - svchost.exe
    IFEO: sms.exe - svchost.exe
    IFEO: smss32.exe - svchost.exe
    IFEO: snetcfg.exe - svchost.exe
    IFEO: soap.exe - svchost.exe
    IFEO: sofi.exe - svchost.exe
    IFEO: SoftSafeness.exe - svchost.exe
    IFEO: sperm.exe - svchost.exe
    IFEO: spf.exe - svchost.exe
    IFEO: sphinx.exe - svchost.exe
    IFEO: spoler.exe - svchost.exe
    IFEO: spoolcv.exe - svchost.exe
    IFEO: spoolsv32.exe - svchost.exe
    IFEO: spywarexpguard.exe - svchost.exe
    IFEO: spyxx.exe - svchost.exe
    IFEO: srexe.exe - svchost.exe
    IFEO: srng.exe - svchost.exe
    IFEO: ss3edit.exe - svchost.exe
    IFEO: ssgrate.exe - svchost.exe
    IFEO: ssg_4104.exe - svchost.exe
    IFEO: st2.exe - svchost.exe
    IFEO: start.exe - svchost.exe
    IFEO: stcloader.exe - svchost.exe
    IFEO: supftrl.exe - svchost.exe
    IFEO: support.exe - svchost.exe
    IFEO: supporter5.exe - svchost.exe
    IFEO: svc.exe - svchost.exe
    IFEO: svchostc.exe - svchost.exe
    IFEO: svchosts.exe - svchost.exe
    IFEO: svshost.exe - svchost.exe
    IFEO: sweep95.exe - svchost.exe
    IFEO: sweepnet.sweepsrv.sys.swnetsup.exe - svchost.exe
    IFEO: symlcsvc.exe - svchost.exe
    IFEO: symproxysvc.exe - svchost.exe
    IFEO: symtray.exe - svchost.exe
    IFEO: system.exe - svchost.exe
    IFEO: system32.exe - svchost.exe
    IFEO: sysupd.exe - svchost.exe
    IFEO: tapinstall.exe - svchost.exe
    IFEO: taumon.exe - svchost.exe
    IFEO: tbscan.exe - svchost.exe
    IFEO: tc.exe - svchost.exe
    IFEO: tca.exe - svchost.exe
    IFEO: tcm.exe - svchost.exe
    IFEO: tds-3.exe - svchost.exe
    IFEO: tds2-98.exe - svchost.exe
    IFEO: tds2-nt.exe - svchost.exe
    IFEO: teekids.exe - svchost.exe
    IFEO: tfak.exe - svchost.exe
    IFEO: tfak5.exe - svchost.exe
    IFEO: tgbob.exe - svchost.exe
    IFEO: titanin.exe - svchost.exe
    IFEO: titaninxp.exe - svchost.exe
    IFEO: TPSrv.exe - svchost.exe
    IFEO: trickler.exe - svchost.exe
    IFEO: trjscan.exe - svchost.exe
    IFEO: trjsetup.exe - svchost.exe
    IFEO: trojantrap3.exe - svchost.exe
    IFEO: TrustWarrior.exe - svchost.exe
    IFEO: tsadbot.exe - svchost.exe
    IFEO: tsc.exe - svchost.exe
    IFEO: tvmd.exe - svchost.exe
    IFEO: tvtmd.exe - svchost.exe
    IFEO: uiscan.exe - svchost.exe
    IFEO: undoboot.exe - svchost.exe
    IFEO: updat.exe - svchost.exe
    IFEO: upgrad.exe - svchost.exe
    IFEO: upgrepl.exe - svchost.exe
    IFEO: utpost.exe - svchost.exe
    IFEO: vbcmserv.exe - svchost.exe
    IFEO: vbcons.exe - svchost.exe
    IFEO: vbust.exe - svchost.exe
    IFEO: vbwin9x.exe - svchost.exe
    IFEO: vbwinntw.exe - svchost.exe
    IFEO: vcsetup.exe - svchost.exe
    IFEO: vet32.exe - svchost.exe
    IFEO: vet95.exe - svchost.exe
    IFEO: vettray.exe - svchost.exe
    IFEO: vfsetup.exe - svchost.exe
    IFEO: vir-help.exe - svchost.exe
    IFEO: virusmdpersonalfirewall.exe - svchost.exe
    IFEO: VisthAux.exe - svchost.exe
    IFEO: VisthLic.exe - svchost.exe
    IFEO: VisthUpd.exe - svchost.exe
    IFEO: vnlan300.exe - svchost.exe
    IFEO: vnpc3000.exe - svchost.exe
    IFEO: vpc32.exe - svchost.exe
    IFEO: vpc42.exe - svchost.exe
    IFEO: vpfw30s.exe - svchost.exe
    IFEO: vptray.exe - svchost.exe
    IFEO: vscan40.exe - svchost.exe
    IFEO: vscenu6.02d30.exe - svchost.exe
    IFEO: vsched.exe - svchost.exe
    IFEO: vsecomr.exe - svchost.exe
    IFEO: vshwin32.exe - svchost.exe
    IFEO: vsisetup.exe - svchost.exe
    IFEO: vsmain.exe - svchost.exe
    IFEO: vsmon.exe - svchost.exe
    IFEO: vsserv.exe - svchost.exe
    IFEO: vsstat.exe - svchost.exe
    IFEO: vswin9xe.exe - svchost.exe
    IFEO: vswinntse.exe - svchost.exe
    IFEO: vswinperse.exe - svchost.exe
    IFEO: w32dsm89.exe - svchost.exe
    IFEO: W3asbas.exe - svchost.exe
    IFEO: w9x.exe - svchost.exe
    IFEO: watchdog.exe - svchost.exe
    IFEO: webdav.exe - svchost.exe
    IFEO: WebProxy.exe - svchost.exe
    IFEO: webscanx.exe - svchost.exe
    IFEO: webtrap.exe - svchost.exe
    IFEO: wfindv32.exe - svchost.exe
    IFEO: whoswatchingme.exe - svchost.exe
    IFEO: wimmun32.exe - svchost.exe
    IFEO: win-bugsfix.exe - svchost.exe
    IFEO: win32.exe - svchost.exe
    IFEO: win32us.exe - svchost.exe
    IFEO: winactive.exe - svchost.exe
    IFEO: winav.exe - svchost.exe
    IFEO: windll32.exe - svchost.exe
    IFEO: window.exe - svchost.exe
    IFEO: windows Police Pro.exe - svchost.exe
    IFEO: windows.exe - svchost.exe
    IFEO: wininetd.exe - svchost.exe
    IFEO: wininitx.exe - svchost.exe
    IFEO: winlogin.exe - svchost.exe
    IFEO: winmain.exe - svchost.exe
    IFEO: winppr32.exe - svchost.exe
    IFEO: winrecon.exe - svchost.exe
    IFEO: winservn.exe - svchost.exe
    IFEO: winss.exe - svchost.exe
    IFEO: winssk32.exe - svchost.exe
    IFEO: winssnotify.exe - svchost.exe
    IFEO: WinSSUI.exe - svchost.exe
    IFEO: winstart.exe - svchost.exe
    IFEO: winstart001.exe - svchost.exe
    IFEO: wintsk32.exe - svchost.exe
    IFEO: winupdate.exe - svchost.exe
    IFEO: wkufind.exe - svchost.exe
    IFEO: wnad.exe - svchost.exe
    IFEO: wnt.exe - svchost.exe
    IFEO: wradmin.exe - svchost.exe
    IFEO: wrctrl.exe - svchost.exe
    IFEO: wsbgate.exe - svchost.exe
    IFEO: wscfxas.exe - svchost.exe
    IFEO: wscfxav.exe - svchost.exe
    IFEO: wscfxfw.exe - svchost.exe
    IFEO: wsctool.exe - svchost.exe
    IFEO: wupdater.exe - svchost.exe
    IFEO: wupdt.exe - svchost.exe
    IFEO: wyvernworksfirewall.exe - svchost.exe
    IFEO: xpdeluxe.exe - svchost.exe
    IFEO: xpf202en.exe - svchost.exe
    IFEO: xp_antispyware.exe - svchost.exe
    IFEO: zapro.exe - svchost.exe
    IFEO: zapsetup3001.exe - svchost.exe
    IFEO: zatutor.exe - svchost.exe
    IFEO: zonalm2601.exe - svchost.exe
    IFEO: zonealarm.exe - svchost.exe
    IFEO: _avp32.exe - svchost.exe
    IFEO: _avpcc.exe - svchost.exe
    IFEO: _avpm.exe - svchost.exe
    IFEO: ~1.exe - svchost.exe
    IFEO: ~2.exe - svchost.exe

    ==== Hosts File Hijack ======================


    ==== Installed Programs ======================

    2007 Microsoft Office Suite Service Pack 2 (SP2)
    Add or Remove Adobe Creative Suite 3 Master Collection
    Adobe Acrobat 8 Professional
    Adobe After Effects CS3 Presets
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe BridgeTalk Plugin CS3
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Color - Photoshop Specific
    Adobe Color Common Settings
    Adobe Color EU Extra Settings
    Adobe Color JA Extra Settings
    Adobe Color NA Recommended Settings
    Adobe Creative Suite 3 Master Collection
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe ExtendScript Toolkit 2
    Adobe Extension Manager CS3
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Fonts All
    Adobe Help Viewer CS3
    Adobe InDesign CS3 Icon Handler
    Adobe Linguistics CS3
    Adobe MotionPicture Color Files
    Adobe PDF Library Files
    Adobe Photoshop CS3
    Adobe Setup
    Adobe SING CS3
    Adobe Stock Photos CS3
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    Adobe Video Profiles
    Adobe WAS CS3
    Adobe WinSoft Linguistics Plugin
    Adobe XMP DVA Panels CS3
    Adobe XMP Panels CS3
    AHV content for Acrobat and Flash
    Google Apps
    Google Chrome
    Google Desktop
    Google Update Helper
    Google Updater
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Windows XP (KB954550-v5)
    Java Auto Updater
    Java(TM) 6 Update 20
    Java(TM) SE Runtime Environment 6 Update 1
    K-Lite Mega Codec Pack 4.7.0
    Level Lock 5.0(DEMO)
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Access Runtime 2010
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Runtime 2010
    Microsoft Office Access Runtime MUI (English) 2010
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional Plus 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office Word MUI (English) 2007
    Microsoft Software Update for Web Folders (English) 12
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Firefox (3.0.19)
    MSVCRT
    Network Print Monitor for Windows 2000/XP/2003/Vista
    NVIDIA Drivers
    PANASONIC KX-T336/500 software
    PDF Settings
    PowerDVD
    PPStream V2.6.86.9038 Final
    Programmator Panasonic KX-TA/KX-TE
    PS-Utility
    PS Monitor
    Realtek High Definition Audio Driver
    Scrapbook Factory Deluxe 4.0
    Security Update for Windows XP (KB958644)
    Segoe UI
    Sharpdesk
    Skype™ 4.0
    Smart Hotel Lock And Lift System v5.7
    Software Update for Web Folders
    Spybot - Search & Destroy
    TeamViewer 5
    Total Commander (Remove or Repair)
    Visual FoxPro ODBC Driver
    vuBrief
    WebFldrs XP
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    Windows XP Service Pack 3
    WinRAR archiver
    XML Paper Specification Shared Components Pack 1.0
    Yahoo! Messenger
    Yahoo! Search Protection
    Yahoo! Software Update
    Yahoo! Toolbar

    ==== Event Viewer Messages From Past Week ========

    20-09-10 13:59:19, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX Fips IPSec MRxSmb NetBIOS NetBT Processor RasAcd Rdbss Tcpip
    20-09-10 13:59:19, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    20-09-10 13:59:19, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    20-09-10 13:59:19, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    20-09-10 13:59:19, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    20-09-10 13:59:19, error: Service Control Manager [7001] - The ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    20-09-10 13:58:23, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments " " in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    20-09-10 13:58:16, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    20-09-10 13:38:09, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the NVIDIA Display Driver Service service to connect.
    20-09-10 13:38:09, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the AVG Free WatchDog service to connect.
    20-09-10 13:38:09, error: Service Control Manager [7000] - The NVIDIA Display Driver Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    20-09-10 13:38:09, error: Service Control Manager [7000] - The AVG Free WatchDog service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    20-09-10 13:14:24, error: Service Control Manager [7031] - The AVG Free WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    20-09-10 12:29:32, error: Service Control Manager [7023] - The SSHNAS service terminated with the following error: The specified module could not be found.
    20-09-10 12:29:19, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
    20-09-10 12:29:19, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
    15-09-10 12:06:06, error: W32Time [34] - The time service has detected that the system time needs to be changed by -54044 seconds. The time service will not change the system time by more than -54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com (ntp.m|0x1|192.168.1.23:123->207.46.232.182:123) is working properly.

    ==== End Of File ===========================
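An added example, not part of the thread and not code from DDS, Rkill or ComboFix: a small Python audit that parses the IFEO and Hosts lines in the shape this Attach log uses and flags the two hijacks the log shows. The IFEO Debugger value is keyed on the image file name alone, which is why a renamed copy of a blocked tool runs while the original name does not. The sample log mixes lines quoted from the thread with two constructed benign entries (a notepad.exe/windbg.exe debugger registration and a LAN printer hosts line), and the mass-hijack threshold is a constructed heuristic, not a DDS rule.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Line shapes of the two DDS/Attach.txt sections quoted in the thread:
#   IFEO: <image> - <debugger>   reflects HKLM\...\Image File Execution Options\<image>\Debugger
#   Hosts: <ip> <hostname>       reflects one line of %SystemRoot%\system32\drivers\etc\hosts
IFEO_RE = re.compile(r"^\s*IFEO:\s+(?P<image>.+?)\s+-\s+(?P<debugger>.+?)\s*$")
HOSTS_RE = re.compile(r"^\s*Hosts:\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)\s*$")

# One Debugger value covering more images than this is treated as a mass hijack
# whatever the binary is called (constructed heuristic, not a DDS rule).
MASS_HIJACK_THRESHOLD = 5

# Constructed sample: lines from the thread's log plus two benign entries
# (a genuine debugger registration and a LAN hosts entry) that must not be flagged.
SAMPLE_LOG = """\
    IFEO: notepad.exe - C:\\Debuggers\\windbg.exe
    IFEO: MalwareRemoval.exe - svchost.exe
    IFEO: msconfig - svchost.exe
    IFEO: MSASCui.exe - svchost.exe
    IFEO: nod32.exe - svchost.exe
    IFEO: regedt32.exe - svchost.exe
    IFEO: zonealarm.exe - svchost.exe

    ==== Hosts File Hijack ======================

    Hosts: 127.0.0.1 www.spywareinfo.com
    Hosts: 74.125.45.100 urs.microsoft.com
    Hosts: 98.142.243.64 www.google.com
    Hosts: 98.142.243.64 search.yahoo.com
    Hosts: 192.168.1.10 printer.lan
"""


def parse_log(text):
    """Return (ifeo, hosts): ifeo maps lower-cased image name -> Debugger value,
    hosts is a list of (ip, hostname) in file order. Lines of any other shape are skipped."""
    ifeo, hosts = {}, []
    for line in text.splitlines():
        m = IFEO_RE.match(line)
        if m:
            ifeo[m["image"].lower()] = m["debugger"].lower()
            continue
        m = HOSTS_RE.match(line)
        if m:
            hosts.append((m["ip"], m["host"].lower()))
    return ifeo, hosts


def audit_ifeo(ifeo):
    """Flag Debugger values that cannot be legitimate. Windows starts the Debugger binary
    instead of the image and passes the image path as an argument; svchost.exe is a service
    host, not a debugger, so every launch of the named program exits without running it."""
    by_debugger = defaultdict(list)
    for image, debugger in ifeo.items():
        by_debugger[debugger].append(image)
    findings = []
    for debugger, images in by_debugger.items():
        basename = debugger.rsplit("\\", 1)[-1]
        if basename == "svchost.exe" or len(images) > MASS_HIJACK_THRESHOLD:
            findings.append({"debugger": debugger, "count": len(images), "images": sorted(images)})
    return findings


def audit_hosts(hosts):
    """Split hosts entries into redirects (a public name sent to a public IP, i.e. interception)
    and loopback blocks (127.0.0.1 for a security site stops its updates and help pages).
    Private-range entries such as LAN printers are left alone."""
    redirected, blocked = [], []
    for ip, host in hosts:
        addr = ip_address(ip)
        if addr.is_loopback:
            blocked.append(host)
        elif addr.is_global:
            redirected.append((host, ip))
    return redirected, blocked


def report(text):
    """Human-readable summary, returned as lines so callers can inspect them."""
    ifeo, hosts = parse_log(text)
    lines = []
    for f in audit_ifeo(ifeo):
        lines.append(f"IFEO hijack: {f['count']} image(s) redirected to {f['debugger']}: "
                     + ", ".join(f["images"]))
    redirected, blocked = audit_hosts(hosts)
    for host, ip in redirected:
        lines.append(f"Hosts redirect: {host} -> {ip}")
    for host in blocked:
        lines.append(f"Hosts block: {host} -> loopback")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```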
     
  5. 2010/09/21
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe


    * Double-click on the Rkill desktop icon to run the tool.
    * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    * If not, delete the file, then download and use the one provided in Link 2.
    * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    * Do not reboot until instructed.
    * If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run the following.

    Now download and run exeHelper.


    * Please download exeHelper from Raktor to your desktop.
    * Double-click on exeHelper.com to run the fix.
    * A black window should pop up, press any key to close once the fix is completed.
    * A log file named log.txt will be created in the directory where you ran exeHelper.com
    * Attach the log.txt file to your next message.

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    =============================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  6. 2010/09/21
    FuzMic

    FuzMic Well-Known Member Thread Starter

    Joined:
    2006/05/25
    Messages:
    512
    Likes Received:
    5
    Thanks broni for the quick response

    I did the Rkill & exeHelper & the .txt files read OK; I can't send them to you yet as I am now on another machine.

    The PROBLEM is when I try to run ComboFix, nothing happens (rechecked in Task Manager). I had used ComboFix before, taking note of the absence of browsers and mouse movements, but not script issues.

    I tried ComboFix in Safe Mode too; nothing happens either. What's up, mate?
     
  7. 2010/09/22
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I can see that your computer is very seriously infected, so it may take some tries to make it more stable.

    Delete your Combofix file, download a fresh one, but rename combofix.exe to broni.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Restart computer in Safe Mode.

    Run Rkill and exeHelper and then attempt to run broni.exe
     
  8. 2010/09/22
    FuzMic

    FuzMic Well-Known Member Thread Starter

    Joined:
    2006/05/25
    Messages:
    512
    Likes Received:
    5
    I did use the latest version of ComboFix, but short of renaming it to you; will do and respond. Cheers, have a drink on me.

    PS The rogue is blocking the ComboFix name and it doesn't know about you yet, and so it is now running. HAHA
     
  9. 2010/09/22
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Ok :)
     
  10. 2010/09/22
    FuzMic

    FuzMic Well-Known Member Thread Starter

    Joined:
    2006/05/25
    Messages:
    512
    Likes Received:
    5
    Broni.exe runs OK and the log.txt is appended below. Thereafter Malwarebytes can update and scan, showing 7 malware. Yet to check if AVG AntiVirus will run OK; I think it will.

    Would appreciate you enlightening me on where in the registry this rogue is doing all that.

    Bye now and again thank you Broni


    ComboFix 10-09-21.01 - user 22-09-10 13:17:14.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.220 [GMT -7:00]
    Running from: c:\mydocs\Downloads\broni.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\user\Application Data\Microsoft\Internet Explorer\Quick Launch\My Security Shield.lnk
    c:\documents and settings\user\Application Data\My Security Shield
    c:\documents and settings\user\Application Data\My Security Shield\cookies.sqlite
    c:\documents and settings\user\Application Data\My Security Shield\Instructions.ini
    c:\documents and settings\user\Recent\ANTIGEN.exe
    c:\documents and settings\user\Recent\cb.dll
    c:\documents and settings\user\Recent\cb.drv
    c:\documents and settings\user\Recent\DBOLE.tmp
    c:\documents and settings\user\Recent\exec.dll
    c:\documents and settings\user\Recent\fan.tmp
    c:\documents and settings\user\Recent\fix.sys
    c:\documents and settings\user\Recent\FS.dll
    c:\documents and settings\user\Recent\FS.tmp
    c:\documents and settings\user\Recent\PE.drv
    c:\documents and settings\user\Recent\PE.exe
    c:\documents and settings\user\Recent\PE.tmp
    c:\documents and settings\user\Recent\runddlkey.exe
    c:\documents and settings\user\Recent\SM.exe
    c:\documents and settings\user\Recent\tjd.dll
    c:\documents and settings\user\Recent\tjd.tmp
    c:\documents and settings\user\Start Menu\My Security Shield.lnk
    c:\windows\system32\BTReg57.DLL
    c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

    Infected copy of c:\windows\system32\drivers\ftdisk.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_SSHNAS
    -------\Service_SSHNAS


    ((((((((((((((((((((((((( Files Created from 2010-08-22 to 2010-09-22 )))))))))))))))))))))))))))))))
    .

    2010-09-22 18:43 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-22 18:43 . 2010-09-22 18:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-22 18:43 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-21 19:44 . 2010-09-21 19:44 -------- d-----w- c:\windows\Downloaded Installations
    2010-09-20 20:50 . 2010-09-21 19:29 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-09-20 20:27 . 2010-09-20 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-09-20 20:15 . 2010-09-20 20:15 -------- d-sh--w- c:\documents and settings\All Users\Application Data\MSXUHOMAS
    2010-09-20 19:35 . 2010-09-20 19:35 -------- d-----w- c:\program files\AVG
    2010-09-20 19:34 . 2010-09-22 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
    2010-09-17 18:30 . 2010-09-17 18:30 -------- d-----w- c:\program files\Lock
    2010-09-15 20:16 . 2008-04-14 07:09 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
    2010-09-15 20:16 . 2008-04-14 07:09 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
    2010-09-15 19:37 . 2010-09-15 20:07 -------- d-----w- c:\documents and settings\user\Application Data\TeamViewer
    2010-09-15 19:37 . 2010-09-15 19:37 -------- d-----w- c:\program files\TeamViewer
    2010-09-14 19:36 . 2010-09-14 19:36 -------- d--h--w- c:\windows\system32\GroupPolicy
    2010-09-14 18:40 . 2008-04-14 07:17 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
    2010-09-14 18:40 . 2008-04-14 07:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
    2010-09-09 19:47 . 2010-09-09 19:37 186368 ----a-w- c:\windows\Hneged.exe
    2010-09-09 19:37 . 2010-09-09 19:37 186368 ----a-w- c:\windows\Hnegeb.exe
    2010-09-09 19:37 . 2010-09-09 19:37 186368 ----a-w- c:\windows\Hnegea.exe
    2010-09-09 19:23 . 2010-09-09 19:23 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-70b99254-n\msvcp71.dll
    2010-09-09 19:23 . 2010-09-09 19:23 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-70b99254-n\jmc.dll
    2010-09-09 19:23 . 2010-09-09 19:23 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-70b99254-n\msvcr71.dll
    2010-09-09 19:23 . 2010-09-09 19:23 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-728ae786-n\decora-sse.dll
    2010-09-09 19:23 . 2010-09-09 19:23 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-728ae786-n\decora-d3d.dll
    2010-09-09 19:21 . 2000-07-15 07:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
    2010-09-09 19:21 . 2000-06-13 07:00 415504 ----a-w- c:\windows\system32\MSREPL35.DLL
    2010-09-09 19:21 . 2000-06-13 07:00 1046288 ----a-w- c:\windows\system32\MSJET35.DLL
    2010-09-09 19:21 . 1998-06-18 07:00 89360 ----a-w- c:\windows\system32\VB5DB.DLL
    2010-09-09 19:21 . 1998-04-24 07:00 252176 ----a-w- c:\windows\system32\MSRD2X35.DLL
    2010-09-09 19:21 . 1998-04-24 07:00 24848 ----a-w- c:\windows\system32\MSJTER35.DLL
    2010-09-09 19:21 . 1998-04-24 07:00 123664 ----a-w- c:\windows\system32\MSJINT35.DLL
    2010-09-09 19:13 . 2010-09-09 19:54 -------- d-----w- c:\windows\system32\NtfsDriver
    2010-09-09 19:13 . 2007-08-07 00:32 204907 ----a-w- c:\windows\system32\hibit_ser.dll
    2010-09-07 20:19 . 2010-09-21 18:41 -------- d-----w- c:\documents and settings\mwadmin
    2010-09-07 19:53 . 2010-09-07 19:53 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
    2010-09-07 19:49 . 2010-09-07 19:49 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
    2010-09-07 19:47 . 2010-09-07 20:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-09-07 19:47 . 2010-09-07 19:54 -------- d-----w- c:\program files\Google
    2010-09-01 19:56 . 2002-07-25 08:12 7328 ----a-w- c:\windows\system32\drivers\SLLPSVDR.SYS
    2010-09-01 19:25 . 2010-09-01 19:58 -------- d-----w- C:\UBSNET
    2010-09-01 18:32 . 2010-09-01 19:30 -------- d-----w- C:\c2z

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-17 18:30 . 2010-01-22 07:48 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-09-14 19:00 . 2010-01-23 17:46 -------- d-----w- c:\program files\PS Utility
    2010-09-07 20:20 . 2010-09-07 20:20 166912 ----a-r- c:\documents and settings\mwadmin\Application Data\Microsoft\Installer\{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}\places.exe
    2010-09-07 19:49 . 2010-06-10 20:00 113576 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
    2010-08-24 18:54 . 2010-06-14 23:56 -------- d-----w- c:\documents and settings\user\Application Data\PPStream
    2010-08-24 18:49 . 2010-06-14 23:56 -------- d-----w- c:\program files\PPStream
    2010-08-24 18:30 . 2010-06-14 18:58 -------- d-----w- c:\program files\Level Lock(Demo)
    2010-08-04 18:25 . 2010-08-04 18:25 503808 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-184f03f3-n\msvcp71.dll
    2010-08-04 18:25 . 2010-08-04 18:25 499712 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-184f03f3-n\jmc.dll
    2010-08-04 18:25 . 2010-08-04 18:25 348160 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-184f03f3-n\msvcr71.dll
    2010-08-04 18:25 . 2010-08-04 18:25 12800 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5e134e9b-n\decora-d3d.dll
    2010-08-04 18:25 . 2010-08-04 18:25 61440 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5e134e9b-n\decora-sse.dll
    2010-07-22 18:38 . 2010-07-22 18:38 503808 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-309a3e03-n\msvcp71.dll
    2010-07-22 18:38 . 2010-07-22 18:38 499712 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-309a3e03-n\jmc.dll
    2010-07-22 18:38 . 2010-07-22 18:38 348160 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-309a3e03-n\msvcr71.dll
    2010-07-22 18:38 . 2010-07-22 18:38 61440 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6c5fd502-n\decora-sse.dll
    2010-07-22 18:38 . 2010-07-22 18:38 12800 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6c5fd502-n\decora-d3d.dll
    2010-07-22 18:37 . 2010-05-14 18:14 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-09-07 19:47 . 2010-09-07 19:47 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Messenger (Yahoo!) "= "c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-03-20 5248312]
    "swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-09-07 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1 "= "c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2007-03-21 208952]
    "PHIME2002ASync "= "c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
    "PHIME2002A "= "c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
    "IndexTray "= "c:\program files\Sharp\Sharpdesk\IndexTray.exe" [2003-01-22 106496]
    "SharpTray "= "c:\program files\Sharp\Sharpdesk\SharpTray.exe" [2003-01-22 28672]
    "SunJavaUpdateSched "= "c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "Google Desktop Search "= "c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-09-07 30192]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "ShowDeskFix "= "shell32" [X]
    "IE7-11 "= "advpack.dll" [2007-03-21 124928]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PS Monitor 1.30.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PS Monitor 1.30.lnk
    backup=c:\windows\pss\PS Monitor 1.30.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
    2007-05-11 06:46 624248 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2006-10-22 20:22 7700480 ----a-w- c:\windows\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2006-10-22 20:22 86016 ----a-w- c:\windows\system32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ReminderApp]
    2007-06-08 17:40 161864 ----a-w- c:\program files\Nova Development\Scrapbook Factory Deluxe 4.0\ReminderApp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2009-01-29 22:01 23975720 ----a-r- c:\program files\Skype\Phone\Skype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    2009-03-06 00:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
    2010-04-01 03:34 243000 ----a-w- c:\program files\Yahoo!\Search Protection\YspService.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "wuauserv "=2 (0x2)
    "wscsvc "=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
    "c:\\Program Files\\PS Monitor\\PsMon.exe "=
    "c:\\Program Files\\Sharp\\Sharpdesk\\SharpDesk.exe "=
    "c:\\Program Files\\PPStream\\PPStream.exe "=
    "c:\\Program Files\\PPStream\\PPSAP.exe "=
    "c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP "= 3389:TCP:@xpsp2res.dll,-22009

    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [07-09-10 12:48 136176]
    S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [07-09-10 12:47 30192]
    S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09-01-10 21:37 4640000]
    S3 SllProNT_Ldr;SllProNT_Ldr;c:\ubsnet\SLNTLDR.EXE [01-09-10 12:26 35840]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-22 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-09-07 19:47]

    2010-09-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-09-07 19:48]

    2010-09-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-09-07 19:48]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: {6CD8894D-E5BF-4F23-82B5-0911F0899F2B} = 202.188.0.133,202.57.220.222
    FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\q8b4kudb.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
    FF - plugin: c:\progra~1\MICROS~2\Office14\NPAUTHZ.DLL
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
    FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true.
    - - - - ORPHANS REMOVED - - - -

    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    MSConfigStartUp-cdoosoft - c:\docume~1\user\LOCALS~1\Temp\herss.exe
    MSConfigStartUp-Google Update - c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    MSConfigStartUp-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-22 13:24
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @= "FlashBroker "
    "LocalizedString "= "@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101 "

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @= "c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe "

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @= "IFlashBroker4 "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @= "{00020424-0000-0000-C000-000000000046} "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "
    "Version "= "1.0 "
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2588)
    c:\windows\system32\ieframe.dll
    c:\windows\system32\wpdshserviceobj.dll
    c:\windows\system32\portabledevicetypes.dll
    c:\windows\system32\portabledeviceapi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\windows\system32\wscntfy.exe
    c:\progra~1\Sharp\SHARPD~1\Indexer.exe
    c:\progra~1\Yahoo!\Messenger\ymsgr_tray.exe
    .
    **************************************************************************
    .
    Completion time: 2010-09-22 13:27:54 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-09-22 20:27

    Pre-Run: 8,924,336,128 bytes free
    Post-Run: 9,158,082,560 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug= "do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 70F511CBFED212A3D9DC2F225454132F
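
The question above, where in the registry the rogue does its work, is largely answered by the log itself once its sections are pulled apart. The Python script below is an added example, not part of the original post, of ComboFix, or of any tool used in this thread: it splits a ComboFix log at its banner lines and flags the indicators a responder would act on (the patched ftdisk.sys, the removed SSHNAS service, Windows Update and Security Center disabled through msconfig, the firewall switched off, TCP 3389 opened to everyone, and the orphaned startup entry pointing into Temp). SAMPLE_LOG is a constructed excerpt of the log above; the section-header and key/value layouts the parser assumes are inferred from that log.

```python
"""Triage a ComboFix log: split it into its banner sections and flag the
security-relevant findings (patched system files, removed services, disabled
protections, open firewall ports, orphaned startup entries).

Added example for this thread; not part of ComboFix or of the poster's tools.
The section-header and key/value formats are inferred from the logs posted in
the thread and are assumptions.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: excerpts copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
ComboFix 10-09-21.01 - user 22-09-10 13:17:14.1.1 - x86
Running from: c:\mydocs\Downloads\broni.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\user\Application Data\My Security Shield\Instructions.ini
c:\windows\system32\BTReg57.DLL
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

Infected copy of c:\windows\system32\drivers\ftdisk.sys was found and disinfected
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SSHNAS
-------\Service_SSHNAS
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-cdoosoft - c:\docume~1\user\LOCALS~1\Temp\herss.exe
**************************************************************************
"""

SECTION_RE = re.compile(r"^\({3,}\s*(.*?)\s*\){3,}$")      # ((( Section Name )))
ORPHANS_HDR = "- - - - ORPHANS REMOVED - - - -"
KEY_RE = re.compile(r"^\[(.+)\]$")                          # [HKLM\...]
VALUE_RE = re.compile(r'^"\s*([^"]*?)\s*"\s*=\s*(.*)$')     # "name"=value (tolerates stray spaces)
INFECTED_RE = re.compile(r"^Infected copy of (.+?) was found")
# Services a rogue AV typically switches off: Windows Update and Security Center.
PROTECTIVE_SERVICES = {"wuauserv", "wscsvc"}

Finding = Tuple[str, str]


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group non-empty log lines under the banner that precedes them."""
    sections: Dict[str, List[str]] = {}
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif line == ORPHANS_HDR:
            current = "Orphans Removed"
        elif line and set(line) == {"*"}:
            current = "Trailer"            # the asterisk rule ends the removal report
        elif line and line != ".":
            sections.setdefault(current, []).append(line)
    return sections


def triage(text: str) -> List[Finding]:
    """Return (category, detail) pairs for the indicators worth a second look."""
    sections = split_sections(text)
    findings: List[Finding] = []

    for line in sections.get("Other Deletions", []):
        m = INFECTED_RE.match(line)
        if m:
            findings.append(("patched system driver", m.group(1)))
        elif line.lower().endswith(".job"):
            findings.append(("scheduled-task persistence", line))

    for line in sections.get("Drivers/Services", []):
        if line.startswith("-------\\"):
            findings.append(("removed service/driver", line[len("-------\\"):]))

    key = ""
    for line in sections.get("Reg Loading Points", []):
        km = KEY_RE.match(line)
        if km:
            key = km.group(1).lower()
            continue
        vm = VALUE_RE.match(line)
        if not vm:
            continue
        name, value = vm.group(1), vm.group(2)
        if key.endswith("msconfig\\services") and name.lower() in PROTECTIVE_SERVICES:
            findings.append(("service disabled via msconfig", name))
        elif key.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall" and value.startswith("0"):
            findings.append(("Windows Firewall disabled", key))
        elif key.endswith("globallyopenports\\list"):
            findings.append(("globally open firewall port", name))

    for line in sections.get("Orphans Removed", []):
        if "\\temp\\" in line.lower():
            findings.append(("orphaned startup entry in Temp", line.split(" - ", 1)[-1]))

    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:32s} {detail}")
```

Run it as a script to print the findings for the sample, or call triage() on the text of a saved ComboFix.txt. It only reads a log and never touches the registry; it is a triage aid for reading the report, not a replacement for the analyst going through the full log.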
     
  11. 2010/09/22
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I'm not prepared to write a book....LOL
    It's not as easy as you think.
    That's why we have to use all kinds of tools written by super smart people :)

    Do NOT do anything other than what I ask you to do.

    Hold on there until I go through the ComboFix log.
     
  12. 2010/09/22
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\Hneged.exe
    c:\windows\Hnegeb.exe
    c:\windows\Hnegea.exe
    
    
    Folder::
    c:\documents and settings\All Users\Application Data\MSXUHOMAS
    
    
    Registry::
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
     "ShowDeskFix "=-
    
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  13. 2010/09/22
    FuzMic

    FuzMic Well-Known Member Thread Starter

    Joined:
    2006/05/25
    Messages:
    512
    Likes Received:
    5
    Broni, I agree fully with you that even writing a book can't resolve all the issues with the ever-changing IT environment.

    I followed your last instructions involving c:\windows\Hneged,b,a.exe
    and the rogue folder c:\documents and settings\All Users\Application Data\MSXUHOMAS. In fact I had stopped the rogue earlier, when I found a similar folder at the beginning of this thread, hence rkill is not necessary.

    I was hoping you could tell me where the 2nd layer is. From the latest ComboFix.txt, the file seems to be c:\windows\system32\drivers\ftldcx.sys. Anyway, this is a tinker's wild shot at the problem.

    I normally save the registry with ERUNT, but not on this PC; otherwise, by restoring, I could use ComboFix to check the OS.

    I had Spybot on, but the problem started when I uninstalled Avira and started installing AVG. But who knows if this is the cause.

    Now, with all done, AVG is working fine.

    Before I go, thanks again; following is the latest log from ComboFix. See you soon!!

    ComboFix 10-09-21.01 - user 22-09-10 14:14:05.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.137 [GMT -7:00]
    Running from: c:\mydocs\Downloads\broni.exe
    Command switches used :: c:\mydocs\Downloads\cfscript.txt
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    FILE ::
    "c:\windows\Hnegea.exe "
    "c:\windows\Hnegeb.exe "
    "c:\windows\Hneged.exe "
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\MSXUHOMAS
    c:\documents and settings\All Users\Application Data\MSXUHOMAS\MSPJPS.cfg
    c:\windows\system32\drivers\ftldcx.sys

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_lsonhk


    ((((((((((((((((((((((((( Files Created from 2010-08-22 to 2010-09-22 )))))))))))))))))))))))))))))))
    .

    2010-09-22 20:59 . 2010-09-22 20:59 12536 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-09-22 20:59 . 2010-09-22 20:59 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-09-22 20:59 . 2010-09-22 20:59 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-09-22 20:59 . 2010-09-22 20:59 -------- d-----w- c:\windows\system32\drivers\Avg
    2010-09-22 20:59 . 2010-09-22 20:59 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-09-22 20:59 . 2010-09-22 20:59 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
    2010-09-22 20:29 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-22 20:29 . 2010-09-22 20:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-22 20:29 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-22 20:28 . 2010-09-22 20:28 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
    2010-09-21 19:44 . 2010-09-21 19:44 -------- d-----w- c:\windows\Downloaded Installations
    2010-09-20 20:50 . 2010-09-21 19:29 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-09-20 20:27 . 2010-09-20 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-09-20 19:35 . 2010-09-20 19:35 -------- d-----w- c:\program files\AVG
    2010-09-20 19:34 . 2010-09-22 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
    2010-09-17 18:30 . 2010-09-17 18:30 -------- d-----w- c:\program files\Lock
    2010-09-15 20:16 . 2008-04-14 07:09 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
    2010-09-15 20:16 . 2008-04-14 07:09 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
    2010-09-15 19:37 . 2010-09-15 20:07 -------- d-----w- c:\documents and settings\user\Application Data\TeamViewer
    2010-09-15 19:37 . 2010-09-15 19:37 -------- d-----w- c:\program files\TeamViewer
    2010-09-14 19:36 . 2010-09-14 19:36 -------- d--h--w- c:\windows\system32\GroupPolicy
    2010-09-14 18:40 . 2008-04-14 07:17 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
    2010-09-14 18:40 . 2008-04-14 07:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
    2010-09-09 19:23 . 2010-09-09 19:23 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-70b99254-n\msvcp71.dll
    2010-09-09 19:23 . 2010-09-09 19:23 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-70b99254-n\jmc.dll
    2010-09-09 19:23 . 2010-09-09 19:23 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-70b99254-n\msvcr71.dll
    2010-09-09 19:23 . 2010-09-09 19:23 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-728ae786-n\decora-sse.dll
    2010-09-09 19:23 . 2010-09-09 19:23 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-728ae786-n\decora-d3d.dll
    2010-09-09 19:21 . 2000-07-15 07:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
    2010-09-09 19:21 . 2000-06-13 07:00 415504 ----a-w- c:\windows\system32\MSREPL35.DLL
    2010-09-09 19:21 . 2000-06-13 07:00 1046288 ----a-w- c:\windows\system32\MSJET35.DLL
    2010-09-09 19:21 . 1998-06-18 07:00 89360 ----a-w- c:\windows\system32\VB5DB.DLL
    2010-09-09 19:21 . 1998-04-24 07:00 252176 ----a-w- c:\windows\system32\MSRD2X35.DLL
    2010-09-09 19:21 . 1998-04-24 07:00 24848 ----a-w- c:\windows\system32\MSJTER35.DLL
    2010-09-09 19:21 . 1998-04-24 07:00 123664 ----a-w- c:\windows\system32\MSJINT35.DLL
    2010-09-09 19:13 . 2010-09-09 19:54 -------- d-----w- c:\windows\system32\NtfsDriver
    2010-09-09 19:13 . 2007-08-07 00:32 204907 ----a-w- c:\windows\system32\hibit_ser.dll
    2010-09-07 20:19 . 2010-09-22 21:00 -------- d-----w- c:\documents and settings\mwadmin
    2010-09-07 19:53 . 2010-09-07 19:53 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
    2010-09-07 19:49 . 2010-09-07 19:49 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
    2010-09-07 19:47 . 2010-09-07 20:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-09-07 19:47 . 2010-09-07 19:54 -------- d-----w- c:\program files\Google
    2010-09-01 19:56 . 2002-07-25 08:12 7328 ----a-w- c:\windows\system32\drivers\SLLPSVDR.SYS
    2010-09-01 19:25 . 2010-09-01 19:58 -------- d-----w- C:\UBSNET
    2010-09-01 18:32 . 2010-09-01 19:30 -------- d-----w- C:\c2z

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-17 18:30 . 2010-01-22 07:48 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-09-14 19:00 . 2010-01-23 17:46 -------- d-----w- c:\program files\PS Utility
    2010-09-07 20:20 . 2010-09-07 20:20 166912 ----a-r- c:\documents and settings\mwadmin\Application Data\Microsoft\Installer\{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}\places.exe
    2010-09-07 19:49 . 2010-06-10 20:00 113576 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
    2010-08-24 18:54 . 2010-06-14 23:56 -------- d-----w- c:\documents and settings\user\Application Data\PPStream
    2010-08-24 18:49 . 2010-06-14 23:56 -------- d-----w- c:\program files\PPStream
    2010-08-24 18:30 . 2010-06-14 18:58 -------- d-----w- c:\program files\Level Lock(Demo)
    2010-08-04 18:25 . 2010-08-04 18:25 503808 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-184f03f3-n\msvcp71.dll
    2010-08-04 18:25 . 2010-08-04 18:25 499712 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-184f03f3-n\jmc.dll
    2010-08-04 18:25 . 2010-08-04 18:25 348160 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-184f03f3-n\msvcr71.dll
    2010-08-04 18:25 . 2010-08-04 18:25 12800 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5e134e9b-n\decora-d3d.dll
    2010-08-04 18:25 . 2010-08-04 18:25 61440 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5e134e9b-n\decora-sse.dll
    2010-07-22 18:38 . 2010-07-22 18:38 503808 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-309a3e03-n\msvcp71.dll
    2010-07-22 18:38 . 2010-07-22 18:38 499712 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-309a3e03-n\jmc.dll
    2010-07-22 18:38 . 2010-07-22 18:38 348160 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-309a3e03-n\msvcr71.dll
    2010-07-22 18:38 . 2010-07-22 18:38 61440 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6c5fd502-n\decora-sse.dll
    2010-07-22 18:38 . 2010-07-22 18:38 12800 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6c5fd502-n\decora-d3d.dll
    2010-07-22 18:37 . 2010-05-14 18:14 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-09-07 19:47 . 2010-09-07 19:47 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-09-22_20.24.39 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-09-22 21:27 . 2010-09-22 21:27 16384 c:\windows\Temp\Perflib_Perfdata_3c4.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{A3BC75A2-1F87-4686-AA43-5347D756017C} "= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-06-30 2102600]

    [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
    2010-06-30 21:22 2102600 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829} "= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-06-30 2102600]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-03-20 5248312]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-09-07 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2007-03-21 208952]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
    "IndexTray"="c:\program files\Sharp\Sharpdesk\IndexTray.exe" [2003-01-22 106496]
    "SharpTray"="c:\program files\Sharp\Sharpdesk\SharpTray.exe" [2003-01-22 28672]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-09-07 30192]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
    "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-09-22 2065760]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "IE7-11"="advpack.dll" [2007-03-21 124928]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-09-22 20:59 12536 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PS Monitor 1.30.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PS Monitor 1.30.lnk
    backup=c:\windows\pss\PS Monitor 1.30.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
    2007-05-11 06:46 624248 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2006-10-22 20:22 7700480 ----a-w- c:\windows\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2006-10-22 20:22 86016 ----a-w- c:\windows\system32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ReminderApp]
    2007-06-08 17:40 161864 ----a-w- c:\program files\Nova Development\Scrapbook Factory Deluxe 4.0\ReminderApp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2009-01-29 22:01 23975720 ----a-r- c:\program files\Skype\Phone\Skype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    2009-03-06 00:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
    2010-04-01 03:34 243000 ----a-w- c:\program files\Yahoo!\Search Protection\YspService.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "wuauserv"=2 (0x2)
    "wscsvc"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\PS Monitor\\PsMon.exe"=
    "c:\\Program Files\\Sharp\\Sharpdesk\\SharpDesk.exe"=
    "c:\\Program Files\\PPStream\\PPStream.exe"=
    "c:\\Program Files\\PPStream\\PPSAP.exe"=
    "c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [22-09-10 13:59 216400]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [22-09-10 13:59 243024]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [22-09-10 13:58 308136]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [07-09-10 12:48 136176]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [22-09-10 13:59 431432]
    S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [07-09-10 12:47 30192]
    S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09-01-10 21:37 4640000]
    S3 SllProNT_Ldr;SllProNT_Ldr;c:\ubsnet\SLNTLDR.EXE [01-09-10 12:26 35840]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-22 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-09-07 19:47]

    2010-09-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-09-07 19:48]

    2010-09-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-09-07 19:48]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: {6CD8894D-E5BF-4F23-82B5-0911F0899F2B} = 202.188.0.133,202.57.220.222
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
    FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\q8b4kudb.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true.

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-22 14:28
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3760)
    c:\windows\system32\ieframe.dll
    c:\windows\system32\wpdshserviceobj.dll
    c:\windows\system32\portabledevicetypes.dll
    c:\windows\system32\portabledeviceapi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVG\AVG9\avgchsvx.exe
    c:\program files\AVG\AVG9\avgrsx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\AVG\AVG9\avgnsx.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\windows\system32\wscntfy.exe
    c:\progra~1\Sharp\SHARPD~1\Indexer.exe
    c:\progra~1\Yahoo!\Messenger\ymsgr_tray.exe
    .
    **************************************************************************
    .
    Completion time: 2010-09-22 14:32:11 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-09-22 21:32
    ComboFix2.txt 2010-09-22 20:27

    Pre-Run: 8,867,504,128 bytes free
    Post-Run: 8,956,952,576 bytes free

    - - End Of File - - 758CD6016E838814C3D84CEBB87A4AA6
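    The ComboFix log above ends with a few lines that are worth more than a glance: the firewall is off for the standard profile (EnableFirewall=0), TCP 3389 (Remote Desktop) is open to every inbound peer, and Automatic Updates (wuauserv) and Security Center (wscsvc) are listed under msconfig\services, which is where msconfig records services it has disabled together with their previous start type (2 = Automatic). The script below is an added example for this thread, not ComboFix code: it parses that REGEDIT4-style block (the sample is the log's own lines, with the forum's quote spacing normalised) and turns the weak settings into ranked findings. The list of remote-access tool names it flags is an assumption made for illustration.

```python
"""Audit the firewall and service settings ComboFix lists under 'Reg Loading Points'.

Added example for this thread; it is not ComboFix code. The sample text is copied from
the log posted above. What the keys mean on Windows XP:
  * firewallpolicy\\standardprofile EnableFirewall=0 -> Windows Firewall is off
  * ...\\GloballyOpenPorts\\List                     -> inbound exception for every peer
  * shared tools\\msconfig\\services                 -> services disabled through msconfig;
    the stored number is the start type they had before (2 = Automatic)
The list of remote-access tool names is an assumption for illustration.
"""
import re

# Constructed sample: the relevant lines from the ComboFix log in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

# XP services that matter for host defence (short name -> display name).
SECURITY_SERVICES = {
    "wuauserv": "Automatic Updates",
    "wscsvc": "Security Center",
    "sharedaccess": "Windows Firewall/ICS",
}
# Assumption: binaries that grant remote control and deserve a second look.
REMOTE_ACCESS_TOOLS = {"teamviewer.exe", "vncserver.exe", "winvnc.exe", "ammyy.exe"}

SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1, "INFO": 2}
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')


def parse_reg_section(text):
    """Return {key_path (lower-case): {value_name: data}} for a REGEDIT4-style dump.

    Tolerates the extra space forums insert before the closing quote ("wuauserv "=2).
    """
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            result.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            result[current][m.group("name").strip()] = m.group("data").strip()
    return result


def audit(reg):
    """Return [(severity, message)] findings, most severe first."""
    findings = []
    for key, values in reg.items():
        if key.endswith(r"firewallpolicy\standardprofile"):
            if values.get("EnableFirewall", "").startswith("0"):
                findings.append(("HIGH", "Windows Firewall disabled (standard profile)"))
        elif key.endswith(r"globallyopenports\list"):
            for name in values:
                port, proto = name.split(":", 1)
                findings.append(("HIGH", f"port {port}/{proto} open to all inbound peers"))
        elif key.endswith(r"authorizedapplications\list"):
            for path in values:
                exe = path.replace("\\\\", "\\").rsplit("\\", 1)[-1].lower()
                if exe in REMOTE_ACCESS_TOOLS:
                    findings.append(("MEDIUM", f"remote-access tool allowed through firewall: {exe}"))
        elif key.endswith(r"msconfig\services"):
            for svc, data in values.items():
                if svc.lower() in SECURITY_SERVICES:
                    name = SECURITY_SERVICES[svc.lower()]
                    findings.append(("MEDIUM", f"{name} ({svc}) disabled via msconfig, was start type {data.split()[0]}"))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]])


def audit_text(text):
    """Convenience wrapper: parse then audit."""
    return audit(parse_reg_section(text))


if __name__ == "__main__":
    for severity, message in audit_text(SAMPLE_LOG):
        print(f"{severity:6} {message}")
```

    Run against the log's lines, it reports the disabled firewall and the open 3389/TCP port as HIGH, and the two disabled services plus the TeamViewer firewall exception as MEDIUM. None of these is the rogue itself, but each is something to put back (firewall on, Automatic Updates and Security Center re-enabled, RDP closed unless it is actually used) once the cleanup is declared finished.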
     
  14. 2010/09/22
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Good news :)

    Download HostsXpert ( http://www.majorgeeks.com/Hoster_d4626.html ) and then follow the steps below:

    * Unzip HostsXpert.zip
    * It will create a folder named HostsXpert in whatever folder you extract it to.
    * Run HostsXpert.exe by double clicking on it (Vista and Windows 7 users, right click and click "Run As Administrator").
    * Click Restore MS Hosts File and then click OK.
    * Click the X to exit the program

    Restart computer.

    ===============================================================

    STEP 1. Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt


    STEP 2. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When scan is completed, click Save button, and save the results as gmer.log
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in right pane.
    If still no joy, try to run it from Safe Mode.


    STEP 3. Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.



    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
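    The first step in the post above, restoring the Microsoft hosts file, is there because a hosts file is the cheapest way for a rogue to keep a machine from reaching antivirus vendors and update servers. The script below is an added example for this thread, not HostsXpert's code: it parses hosts-file text and flags every entry that is not the stock `127.0.0.1 localhost`, ranking redirections of security-vendor and update domains highest. The watch list of domains and the sample hosts content are constructed for illustration.

```python
"""Flag hosts-file entries that a rogue would plant to cut the machine off from
security vendors and update servers.

Added example for this thread; it is not HostsXpert's code, it only shows what
'Restore MS Hosts File' is reverting. Assumptions: a stock Windows XP hosts file maps
only 'localhost' to 127.0.0.1; the vendor/update domains below are a constructed
watch list; the sample hosts content is constructed.
"""
import ipaddress

# Constructed sample: stock header, the default entry, then three planted lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org
127.0.0.1       free.avg.com
192.0.2.10      www.google.com   # 192.0.2.0/24 is documentation space (TEST-NET-1)
"""

DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}
# Assumption: domains whose redirection stops the tools used in this thread from updating.
WATCHED_SUFFIXES = (
    "malwarebytes.org", "avg.com", "avira.com", "safer-networking.org",
    "windowsupdate.com", "update.microsoft.com", "gmer.net",
)


def parse_hosts(text):
    """Return (entries, bad_lines): entries are (line_no, ip, hostname) triples."""
    entries, bad = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            bad.append(line_no)
            continue
        for host in fields[1:]:
            entries.append((line_no, ip, host.lower()))
    return entries, bad


def audit_hosts(text):
    """Return [(severity, line_no, message)] in file order."""
    findings = []
    entries, bad = parse_hosts(text)
    for line_no in bad:
        findings.append(("LOW", line_no, "unparseable line (no valid IP address)"))
    for line_no, ip, host in entries:
        if (ip, host) in DEFAULT_ENTRIES:
            continue
        addr = ipaddress.ip_address(ip)
        watched = any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)
        if watched:
            findings.append(("HIGH", line_no, f"{host} pinned to {ip}: vendor/update site unreachable"))
        elif addr.is_loopback or addr.is_unspecified:
            # Legitimate ad-blocking hosts files look like this too; a human decides.
            findings.append(("MEDIUM", line_no, f"{host} sinkholed to {ip}"))
        else:
            findings.append(("MEDIUM", line_no, f"{host} redirected to {ip}"))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for severity, line_no, message in audit_hosts(SAMPLE_HOSTS):
        print(f"{severity:6} line {line_no}: {message}")
```

    On XP the file lives at `C:\WINDOWS\system32\drivers\etc\hosts`; a non-default entry pointing a vendor domain at 127.0.0.1 is the same effect HostsXpert's restore removes, and it is worth re-checking the file after the machine has been online again, since a rogue that is still resident will simply write it back.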
     
  15. 2010/09/22
    FuzMic

    FuzMic Well-Known Member Thread Starter

    Joined:
    2006/05/25
    Messages:
    512
    Likes Received:
    5
    Thanks Broni for the perpetual help. With your continued guidance, I will certainly expand my learning curve in this area when I get back to the wounded PC in 48 hours' time. :)
     
  16. 2010/09/22
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    :)....
     
  17. 2010/09/23
    FuzMic

    FuzMic Well-Known Member Thread Starter

    Joined:
    2006/05/25
    Messages:
    512
    Likes Received:
    5
    The GMER scan is taking hours, and the PC also suddenly shut down during the scan. Hence it will take a few more days to give you the fuller picture from all the scans. Interesting to read about the rootkit issues. :confused:
     
  18. 2010/09/24
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Skip GMER for now. Run 3 other tools.
     
  19. 2010/09/24
    FuzMic

    FuzMic Well-Known Member Thread Starter

    Joined:
    2006/05/25
    Messages:
    512
    Likes Received:
    5
    OK, this is the txt from MBRCheck.
    As for Malwarebytes, I will send it later.

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0200001c

    Kernel Drivers (total 113):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806D0000 \WINDOWS\system32\hal.dll
    0xF7987000 \WINDOWS\system32\KDCOM.DLL
    0xF7897000 \WINDOWS\system32\BOOTVID.dll
    0xF7358000 ACPI.sys
    0xF7989000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF7347000 pci.sys
    0xF7487000 isapnp.sys
    0xF7A4F000 pciide.sys
    0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF7497000 MountMgr.sys
    0xF7328000 ftdisk.sys
    0xF798B000 dmload.sys
    0xF7302000 dmio.sys
    0xF770F000 PartMgr.sys
    0xF74A7000 VolSnap.sys
    0xF72EA000 atapi.sys
    0xF74B7000 disk.sys
    0xF74C7000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF72CA000 fltmgr.sys
    0xF72B8000 sr.sys
    0xF72A1000 KSecDD.sys
    0xF7214000 Ntfs.sys
    0xF71E7000 NDIS.sys
    0xF71CD000 Mup.sys
    0xF7627000 \SystemRoot\system32\DRIVERS\processr.sys
    0xF7637000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xF77CF000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF77D7000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF77DF000 \SystemRoot\system32\DRIVERS\usbohci.sys
    0xF7161000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF77E7000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF713C000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xF7647000 \SystemRoot\system32\DRIVERS\nvnetbus.sys
    0xF7063000 \SystemRoot\system32\DRIVERS\NVNRM.SYS
    0xF794F000 \SystemRoot\system32\drivers\pfc.sys
    0xF7657000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF7667000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xF7040000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF6C70000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
    0xF6C5C000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF795B000 \SystemRoot\system32\DRIVERS\fsvga.sys
    0xF7B4F000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF7677000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF795F000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF6C45000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF7687000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF7697000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF77EF000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF6A95000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF76A7000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF77F7000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF77FF000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF6A43000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xF76B7000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF79AF000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF69BD000 \SystemRoot\system32\DRIVERS\update.sys
    0xF797B000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF76C7000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF76D7000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF79B5000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF76E7000 \SystemRoot\system32\DRIVERS\NVENETFD.sys
    0xF2EE8000 \SystemRoot\system32\drivers\RtkHDAud.sys
    0xF2EC4000 \SystemRoot\system32\drivers\portcls.sys
    0xF74F7000 \SystemRoot\system32\drivers\drmk.sys
    0xF79B9000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7A66000 \SystemRoot\System32\Drivers\Null.SYS
    0xF79BB000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF7837000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xF783F000 \SystemRoot\System32\drivers\vga.sys
    0xF79BD000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF79BF000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF7847000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF784F000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF7947000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xF2E69000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xF2E10000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xF2DD6000 \SystemRoot\System32\Drivers\avgtdix.sys
    0xF2DB0000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xF7507000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xF6A33000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xF7517000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xF6A2F000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xF2D60000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xF2D3E000 \SystemRoot\System32\drivers\afd.sys
    0xF7557000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xF2D13000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xF2CA3000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xF7577000 \SystemRoot\System32\Drivers\Fips.SYS
    0xF785F000 \SystemRoot\System32\Drivers\avgmfx86.sys
    0xF2C6F000 \SystemRoot\System32\Drivers\avgldx86.sys
    0xF75A7000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xF2C57000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF7A05000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xF2D8C000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF788F000 \SystemRoot\System32\watchdog.sys
    0xBF9C3000 \SystemRoot\System32\drivers\dxg.sys
    0xF7B90000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF9D5000 \SystemRoot\System32\nv4_disp.dll
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xBABE2000 \SystemRoot\system32\DRIVERS\nwlnkipx.sys
    0xF7537000 \SystemRoot\system32\DRIVERS\nwlnknb.sys
    0xBACF4000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xF7547000 \SystemRoot\system32\DRIVERS\rspndr.sys
    0xBA985000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xBA7CB000 \SystemRoot\system32\DRIVERS\srv.sys
    0xBAC68000 \SystemRoot\system32\DRIVERS\nwlnkspx.sys
    0xBA93D000 \SystemRoot\system32\DRIVERS\secdrv.sys
    0xB9ADE000 \SystemRoot\system32\drivers\wdmaud.sys
    0xBA77B000 \SystemRoot\system32\drivers\sysaudio.sys
    0xB99AF000 \SystemRoot\System32\Drivers\HTTP.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 39):
    0 System Idle Process
    4 System
    632 C:\WINDOWS\system32\smss.exe
    696 csrss.exe
    720 C:\WINDOWS\system32\winlogon.exe
    764 C:\WINDOWS\system32\services.exe
    784 C:\WINDOWS\system32\lsass.exe
    940 C:\WINDOWS\system32\svchost.exe
    1016 svchost.exe
    1104 C:\WINDOWS\system32\svchost.exe
    1228 C:\Program Files\AVG\AVG9\avgchsvx.exe
    1272 C:\Program Files\AVG\AVG9\avgrsx.exe
    1340 svchost.exe
    1436 svchost.exe
    1500 C:\Program Files\AVG\AVG9\avgcsrvx.exe
    1820 C:\WINDOWS\system32\spoolsv.exe
    2020 C:\Program Files\AVG\AVG9\avgwdsvc.exe
    2032 C:\Program Files\Bonjour\mDNSResponder.exe
    444 C:\Program Files\Java\jre6\bin\jqs.exe
    564 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    620 C:\Program Files\AVG\AVG9\avgnsx.exe
    680 C:\WINDOWS\system32\nvsvc32.exe
    1176 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    2460 alg.exe
    2832 C:\WINDOWS\system32\wscntfy.exe
    3052 C:\WINDOWS\explorer.exe
    3680 C:\WINDOWS\system32\svchost.exe
    3804 C:\Program Files\Sharp\Sharpdesk\IndexTray.exe
    3812 C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
    3824 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    3856 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    3896 C:\PROGRA~1\Sharp\SHARPD~1\Indexer.exe
    3904 C:\PROGRA~1\AVG\AVG9\avgtray.exe
    4072 C:\WINDOWS\system32\ctfmon.exe
    2688 C:\PROGRA~1\Yahoo!\Messenger\Ymsgr_tray.exe
    1400 C:\pgrm\tcmd\totalcmd.exe
    2516 C:\pgrm\tcmd\totalcmd.exe
    700 C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    3200 C:\mydocs\Downloads\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000006`d63f6200 (NTFS)

    PhysicalDrive0 Model Number: ST380815AS, Rev: 3.CHF

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!
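    What MBRCheck is reporting above comes straight from sector 0 of PhysicalDrive0: the 0x55AA boot signature, a four-entry partition table (C: at byte offset 0x7e00 is LBA 63 times 512; D: at 0x6d63f6200 is LBA 57352113), and a SHA1 over the boot code that it matches against known Windows loaders. The script below is an added example for this thread, not MBRCheck's code. It builds a constructed 512-byte MBR with those two partition offsets, parses it back, and checks the boot-code fingerprint against a baseline. Which bytes MBRCheck hashes is not stated on the page, so the example hashes the 440-byte code area and compares it to a value you record yourself, not to the SHA1 in the log; the partition sizes and boot-code bytes are made up.

```python
"""Decode what MBRCheck reports from a raw 512-byte MBR: the 0x55AA boot signature,
partition start offsets, and a fingerprint of the boot-code area.

Added example for this thread, not MBRCheck's code. The MBR built here is constructed:
dummy boot code plus two NTFS partition entries starting at LBA 63 and LBA 57352113,
which give exactly the byte offsets 0x7e00 and 0x6d63f6200 that MBRCheck printed for
C: and D: above (LBA * 512). Assumption: which bytes MBRCheck feeds its SHA1 is not
stated on the page, so this example hashes the 440-byte code area and compares it with
a baseline you record yourself, not with the SHA1 in the log. Sector counts are made up.
"""
import hashlib
import struct

SECTOR = 512
CODE_AREA = 440            # bytes 0..439: boot code (then disk signature + table)
TABLE_OFFSET = 446         # four 16-byte partition entries
ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"
NTFS = 0x07

# Constructed stand-in for real boot code (cli; xor ax,ax; then nop padding).
DUMMY_CODE = b"\xfa\x31\xc0" + b"\x90" * 20


def build_mbr(code, partitions):
    """Construct an MBR from boot code and (bootable, type, start_lba, sectors) tuples."""
    if len(code) > CODE_AREA or len(partitions) > 4:
        raise ValueError("boot code too long or too many partitions")
    sector = bytearray(SECTOR)
    sector[:len(code)] = code
    for i, (bootable, ptype, start, count) in enumerate(partitions):
        entry = struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00,
                            b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, count)
        sector[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_partitions(sector):
    """Return the non-empty partition entries with their byte offsets on the disk."""
    if len(sector) != SECTOR or sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:
            continue
        parts.append({"index": i, "status": status, "type": ptype,
                      "start_lba": start, "sectors": count, "offset": start * SECTOR})
    return parts


def code_sha1(sector):
    """Fingerprint of the boot-code area, to be compared against a recorded baseline."""
    return hashlib.sha1(sector[:CODE_AREA]).hexdigest().upper()


def check_mbr(sector, baseline_sha1):
    """Return a list of findings; an empty list means the MBR matches expectations."""
    findings = []
    parts = parse_partitions(sector)
    if code_sha1(sector) != baseline_sha1.upper():
        findings.append("boot code differs from baseline: possible bootkit or new OS install")
    prev_end = 0
    for p in sorted(parts, key=lambda e: e["start_lba"]):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']}: invalid status byte {p['status']:#04x}")
        if p["start_lba"] == 0:
            findings.append(f"partition {p['index']}: start LBA 0 overlaps the MBR itself")
        if p["start_lba"] < prev_end:
            findings.append(f"partition {p['index']}: overlaps the previous partition")
        prev_end = p["start_lba"] + p["sectors"]
    if sum(1 for p in parts if p["status"] == 0x80) != 1:
        findings.append("expected exactly one active (0x80) partition")
    return findings


if __name__ == "__main__":
    mbr = build_mbr(DUMMY_CODE, [(True, NTFS, 63, 57352050), (False, NTFS, 57352113, 98949375)])
    for p in parse_partitions(mbr):
        print(f"partition {p['index']}: LBA {p['start_lba']} -> offset {p['offset']:#x}")
    print("code SHA1:", code_sha1(mbr))
```

    To run the same checks on a live XP disk you would read the first 512 bytes of `\\.\PhysicalDrive0` (administrator rights required) and pass them to `check_mbr` with the SHA1 you recorded when the machine was known clean; a changed fingerprint with unchanged partitions is the pattern an MBR bootkit leaves, and an unchanged one, as MBRCheck reported here ("Windows XP MBR code detected"), is what lets broni say the result looks good.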
     
  20. 2010/09/24
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    This one looks good :)
     
  21. 2010/09/24
    FuzMic

    FuzMic Well-Known Member Thread Starter

    Joined:
    2006/05/25
    Messages:
    512
    Likes Received:
    5
    Hi Doc, the prognosis should be good. :)
    Here is the result from Malwarebytes; one more to come.


    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4667

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.11

    24-09-10 13:20:55
    mbam-log-2010-09-24 (13-20-55).txt

    Scan type: Quick scan
    Objects scanned: 152015
    Time elapsed: 10 minute(s), 50 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
