GeekPolice
winifighter

Having received a warning of being unprotected I thought I was downloading a Windows [Microsoft] file to eradicate this. It evidently turned out to be this WiniFighter software. After having done this it started opening warning pop-ups re infections etc., and I did a search, finding your site.

Prior to this [which I'll also open in a new topic] I have had several bluescreens with the following codes:
230709 23:58 0x50 netid; 170709 10:34 0x7f_d_mfehid......; 130709 10:27 0x8e_mpfp+7482...; 080609 13:05 fault bucket IP_misaligned_ntfs.sys; 050609 7:47 0x24_ntfschangeattributevalue_+2GA.... These stop me automatically updating Windows and McAfee and backing up files, and also stop downloads from web sites including Windows and SuperAntiSpyware.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:09, on 06/08/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\On Demand Distribution\OD2 Music Manager\OD2MediaBar_VistaFileManager.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\WinTV\EPG Services\System\EPGClient.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Trust\Trust R-series Mouse And Keyboard\MouseDrv.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\WiniFighter Software\WiniFighter\WiniFighter.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchFilterHost.exe
c:\Users\Peter\Downloads\winlogon hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [WireLessMouse] C:\Program Files\Trust\Trust R-series Mouse And Keyboard\StartAutorun.exe MouseDrv.exe
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MediaBarFileManager] C:\Program Files\On Demand Distribution\OD2 Music Manager\OD2MediaBar_VistaFileManager.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [EPGServiceTool] C:\PROGRA~1\WinTV\EPG Services\System\EPGClient.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [setup2.exe] C:\Users\Peter\AppData\Local\Temp\setup2.exe
O4 - HKCU\..\Run: [WiniFighter] C:\Program Files\WiniFighter Software\WiniFighter\WiniFighter.exe -min
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (Egg Money Manager Digital Safe) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/VistaMSNPUplden-gb.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{08B5421D-4E6D-4827-BE7E-7CC6CE4F1567}: NameServer = 85.255.112.80,85.255.112.168
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC863B08-197D-4966-BD12-011CE8A56626}: NameServer = 85.255.112.80,85.255.112.168
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.80,85.255.112.168
O17 - HKLM\System\CS1\Services\Tcpip\..\{08B5421D-4E6D-4827-BE7E-7CC6CE4F1567}: NameServer = 85.255.112.80,85.255.112.168
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.80,85.255.112.168
O17 - HKLM\System\CS2\Services\Tcpip\..\{08B5421D-4E6D-4827-BE7E-7CC6CE4F1567}: NameServer = 85.255.112.80,85.255.112.168
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.112.80,85.255.112.168
O17 - HKLM\System\CS5\Services\Tcpip\..\{08B5421D-4E6D-4827-BE7E-7CC6CE4F1567}: NameServer = 85.255.112.80,85.255.112.168
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.80,85.255.112.168
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EPGService - Hauppauge Computer Works - C:\PROGRA~1\WinTV\EPG Services\System\EPGService.exe
O23 - Service: Google Update Service (gupdate1c9b388460b2a0) (gupdate1c9b388460b2a0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Keyboard And Mouse Communication Service (KMWDSERVICE) - UASSOFT.COM - C:\Program Files\Trust\Trust R-series Mouse And Keyboard\KMWDSrv.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: WiniFighter Security Service (WiniFighterSvc) - Unknown owner - C:\Program Files\WiniFighter Software\WiniFighter\WiniFighterSvc.exe

--
End of file - 9371 bytes

Re: winifighter

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKCU\..\Run: [setup2.exe] C:\Users\Peter\AppData\Local\Temp\setup2.exe
    O4 - HKCU\..\Run: [WiniFighter] C:\Program Files\WiniFighter Software\WiniFighter\WiniFighter.exe -min
    O17 - HKLM\System\CCS\Services\Tcpip\..\{08B5421D-4E6D-4827-BE7E-7CC6CE4F1567}: NameServer = 85.255.112.80,85.255.112.168
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FC863B08-197D-4966-BD12-011CE8A56626}: NameServer = 85.255.112.80,85.255.112.168
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.80,85.255.112.168
    O17 - HKLM\System\CS1\Services\Tcpip\..\{08B5421D-4E6D-4827-BE7E-7CC6CE4F1567}: NameServer = 85.255.112.80,85.255.112.168
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.80,85.255.112.168
    O17 - HKLM\System\CS2\Services\Tcpip\..\{08B5421D-4E6D-4827-BE7E-7CC6CE4F1567}: NameServer = 85.255.112.80,85.255.112.168
    O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.112.80,85.255.112.168
    O17 - HKLM\System\CS5\Services\Tcpip\..\{08B5421D-4E6D-4827-BE7E-7CC6CE4F1567}: NameServer = 85.255.112.80,85.255.112.168
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.80,85.255.112.168
    O23 - Service: WiniFighter Security Service (WiniFighterSvc) - Unknown owner - C:\Program Files\WiniFighter Software\WiniFighter\WiniFighterSvc.exe


  • Press "Fix Checked"
  • Close Hijack This.

Next,
1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:

[Image: CF_download_FF]

[Image: CF_download_rename]

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall.
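Added illustration, not part of the thread and not HijackThis's own code: a small Python triage script that applies the same checks the helper made by hand on the log above (O17 NameServer entries that point at a public resolver, O4 autoruns launched from a Temp folder or from the install directory of a service with no publisher, O23 services marked "Unknown owner"). The TRUSTED_DNS allow-list values and the function and class names are my own assumptions; the sample lines are copied from the posted log, plus one constructed O17 line with a router address to show the non-flagged case.

```python
"""Triage of HijackThis (HJT) log lines for the indicators a malware-removal
helper checks by hand: rogue DNS servers in O17 entries, autoruns launched
from a Temp folder, services with no publisher, and autoruns that share an
install directory with such a service."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Hypothetical allow-list of public resolvers the machine's owner expects.
# Private addresses (a home router at 192.168.x.x) are always accepted.
TRUSTED_DNS = {"8.8.8.8", "8.8.4.4"}  # placeholder values, not from the thread

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Constructed sample: six lines copied from the log posted in this thread,
# plus one O17 line with a private (router) resolver for the non-flagged case.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [setup2.exe] C:\Users\Peter\AppData\Local\Temp\setup2.exe
O4 - HKCU\..\Run: [WiniFighter] C:\Program Files\WiniFighter Software\WiniFighter\WiniFighter.exe -min
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.80,85.255.112.168
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.168.1.1
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: WiniFighter Security Service (WiniFighterSvc) - Unknown owner - C:\Program Files\WiniFighter Software\WiniFighter\WiniFighterSvc.exe
"""


@dataclass
class Finding:
    section: str  # HJT section code: O4, O17 or O23
    reason: str   # why the line was flagged
    line: str     # the original log line


def dns_is_suspect(server: str) -> bool:
    """A public resolver not on the allow-list is the rogue-DNS pattern."""
    try:
        addr = ipaddress.ip_address(server.strip())
    except ValueError:
        return True  # not a parseable address; a human should look at it
    return not addr.is_private and str(addr) not in TRUSTED_DNS


def triage(log_text: str) -> List[Finding]:
    """Return every line that matches one of the checks described above."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    findings: List[Finding] = []
    unknown_dirs: List[str] = []

    # Pass 1: services without a publisher, remembering where they live so
    # that autoruns from the same directory can be tied to them.
    for line in lines:
        m = O23_RE.match(line)
        if m and m["owner"].strip().lower() == "unknown owner":
            unknown_dirs.append(m["path"].rsplit("\\", 1)[0].lower() + "\\")
            findings.append(Finding("O23", f"service '{m['display']}' has no publisher", line))

    # Pass 2: DNS settings and Run-key autoruns.
    for line in lines:
        if m := O17_RE.match(line):
            bad = [s.strip() for s in m["servers"].split(",") if dns_is_suspect(s)]
            if bad:
                findings.append(Finding(
                    "O17", "public NameServer(s) not on the allow-list: " + ", ".join(bad), line))
        elif m := O4_RE.match(line):
            cmd = m["cmd"].strip('"').lower()
            if re.search(r"\\temp\\", cmd):
                findings.append(Finding("O4", f"autorun '{m['name']}' launches from a Temp folder", line))
            elif any(cmd.startswith(d) for d in unknown_dirs):
                findings.append(Finding(
                    "O4", f"autorun '{m['name']}' belongs to a service with no publisher", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The script only reports; it changes nothing on the machine, and on a real log the lines it leaves alone (the router or ISP resolvers, signed vendor services) are the ones you expect to see.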

winifighter reply part 3 of 3

THREE

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MSIVXserv.sys
-------\Service_WiniFighterSvc


((((((((((((((((((((((((( Files Created from 2009-07-06 to 2009-08-06 )))))))))))))))))))))))))))))))
.

2009-08-06 16:53 . 2009-08-06 16:57 -------- d-----w- c:\users\Peter\AppData\Local\temp
2009-08-06 16:53 . 2009-08-06 16:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-08-06 16:53 . 2009-08-06 16:53 -------- d-----w- c:\users\Family\AppData\Local\temp
2009-07-20 23:40 . 2009-07-20 23:40 -------- d-----w- c:\program files\iPod
2009-07-20 23:40 . 2009-07-20 23:40 -------- d-----w- c:\program files\iTunes
2009-07-20 22:56 . 2009-07-20 22:56 75040 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-17 10:29 . 2009-07-17 10:29 -------- d-----w- c:\program files\Coupon Printer
2009-07-17 10:29 . 2009-07-17 10:29 31 ---ha-w- c:\windows\UKCpInfo.sys
2009-07-07 21:58 . 2009-07-07 21:58 -------- d-----w- c:\users\Peter\AppData\Roaming\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
2009-07-07 21:57 . 2009-07-07 21:57 -------- d-----w- c:\program files\BBC iPlayer Desktop

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-06 16:54 . 2008-12-04 15:23 12 ----a-w- c:\windows\bthservsdp.dat
2009-08-06 10:11 . 2008-11-13 10:48 1 ----a-w- c:\users\Peter\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-07-30 15:21 . 2008-07-29 13:11 1356 ----a-w- c:\users\Peter\AppData\Local\d3d9caps.dat
2009-07-23 16:39 . 2008-07-30 17:09 41662 ----a-w- c:\users\Peter\AppData\Roaming\nvModes.dat
2009-07-20 23:40 . 2008-12-05 00:32 -------- d-----w- c:\program files\Common Files\Apple
2009-07-20 23:40 . 2008-12-05 00:32 -------- d-----w- c:\programdata\Apple Computer
2009-07-13 19:47 . 2008-07-30 19:48 -------- d-----w- c:\program files\Java
2009-07-10 08:57 . 2008-09-14 22:03 -------- d-----w- c:\program files\Virticon Millennium
2009-06-16 15:34 . 2008-07-31 19:44 -------- d-----w- c:\program files\Google
2009-06-15 14:48 . 2009-01-30 17:42 -------- d-----w- c:\program files\QuickTime
2009-06-13 08:32 . 2009-06-13 08:32 456304 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb509E.tmp.exe
2009-06-08 13:06 . 2009-06-08 13:06 -------- d-----w- c:\users\Peter\AppData\Roaming\Malwarebytes
2009-06-08 13:06 . 2009-06-08 13:06 -------- d-----w- c:\programdata\Malwarebytes
2009-05-21 10:33 . 2008-12-03 11:13 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-09 05:50 . 2009-06-11 16:52 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-09 05:34 . 2009-06-11 16:52 71680 ----a-w- c:\windows\system32\iesetup.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WireLessMouse"="c:\program files\Trust\Trust R-series Mouse And Keyboard\StartAutorun.exe" [2007-03-06 212992]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-11-07 86016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-07 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-07 8534560]
"MediaBarFileManager"="c:\program files\On Demand Distribution\OD2 Music Manager\OD2MediaBar_VistaFileManager.exe" [2007-06-25 30024]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-29 46632]
"EPGServiceTool"="c:\progra~1\WinTV\EPG Services\System\EPGClient.exe" [2008-05-15 688128]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 65536]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-12 663552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]

c:\users\Peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
AutoStart IR.lnk - c:\program files\WinTV\Ir.exe [2009-4-7 110647]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux3"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{E48E695E-757F-45E7-9E26-5DAD893558E1}"= UDP:c:\program files\VoipCheapCom\VoipCheapCom.exe:VoipCheapCom
"{7DB69C50-14CD-4CF5-8D0A-50029A85BD89}"= TCP:c:\program files\VoipCheapCom\VoipCheapCom.exe:VoipCheapCom
"{06D92161-69F3-448D-8E10-A8966C41E30C}"= UDP:c:\program files\VoipCheap\VoipCheap.exe:VoipCheap
"{6F3B96D2-E51A-4861-9921-6697A01DCCE9}"= TCP:c:\program files\VoipCheap\VoipCheap.exe:VoipCheap
"{7966196E-A629-4817-A36D-C9EE02A6E850}"= UDP:c:\program files\VoipCheap\VoipCheap.exe:VoipCheap
"{BD1DE243-98B1-4505-91A5-22717675F17A}"= TCP:c:\program files\VoipCheap\VoipCheap.exe:VoipCheap
"{869342DA-9BF6-43FF-8244-89666691AA1B}"= UDP:990:LocalSubnet:LocalSubnet|IF={EC3A455E-04C2-4EA5-96D4-A7AFE9DF8041}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001
"{A5E43CC7-4066-48F2-B1A8-DE8A781D878D}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{C60CDA06-71D5-4D8E-A8BA-BC5059F60939}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{E5E07D79-1C59-4F62-A4A6-BFA9D4C1EBD0}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{E80E6618-C9D3-4658-81C6-99900925393B}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{DD82058B-0CDF-4D45-9896-64DAB2C0D405}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{8D1CB9E1-496D-4844-BDAE-273F221C9B4D}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R2 EPGService;EPGService;c:\progra~1\WinTV\EPG Services\System\EPGService.exe [07/04/2009 11:09 437248]
R2 KMWDSERVICE;Keyboard And Mouse Communication Service;c:\program files\Trust\Trust R-series Mouse And Keyboard\KMWDSrv.exe [28/02/2007 19:12 208896]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [17/03/2009 13:00 210216]
S2 gupdate1c9b388460b2a0;Google Update Service (gupdate1c9b388460b2a0);c:\program files\Google\Update\GoogleUpdate.exe [02/04/2009 12:41 133104]
S3 hcw66xxx;WinTV HVR-900H;c:\windows\System32\drivers\hcw66xxx.sys [07/04/2009 11:01 420096]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-02 11:41]

2009-08-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-02 11:41]

2009-03-19 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-17 10:53]

2009-03-19 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-17 10:53]

2009-08-06 c:\windows\Tasks\User_Feed_Synchronization-{1923B4D2-3EC8-476A-BB45-325A84424E6C}.job
- c:\windows\system32\msfeedssync.exe [2009-05-13 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
Trusted Zone: microsoft.com\support
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-06 17:57
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2160)
c:\program files\McAfee\SiteAdvisor\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\windows\System32\rundll32.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
.
**************************************************************************
.
Completion time: 2009-08-06 18:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-06 17:04

Pre-Run: 62,967,402,496 bytes free
Post-Run: 64,168,984,576 bytes free

931 --- E O F --- 2009-06-21 18:47

Re: winifighter

TWO

c:\windows\system32\ezcbac9door5830.ocx
c:\windows\system32\MSIVXcount
c:\windows\system32\MSIVXcrjdvhxvebuflvsrnoufeojopbwvisfm.dll
c:\windows\system32\MSIVXebwqeilcreenaenpxvjomwqtxwhtreob.dll
c:\windows\system32\setup2.exe
c:\windows\system32\z0568hackt95l2c4.cpl
c:\windows\system32\z0958troj24b.bin
c:\windows\system32\z17539ro57fc.dll
c:\windows\system32\z1905spy597.ocx
c:\windows\system32\z1905worm7489.bin
c:\windows\system32\z1vir31995.bin
c:\windows\system32\z2309wo5m459.ocx
c:\windows\system32\z23spy9are5713.dll
c:\windows\system32\z24abackdoo52909.bin
c:\windows\system32\z259vir1733.exe
c:\windows\system32\z27759roj3d9.exe
c:\windows\system32\z4555wor9332.dll
c:\windows\system32\z4594virus753.exe
c:\windows\system32\z479thief1354.exe
c:\windows\system32\z50dspy9a5e546.dll
c:\windows\system32\z554worm2d9.cpl
c:\windows\system32\z5735no9-a-virus35e.exe
c:\windows\system32\z5950troj729.exe
c:\windows\system32\z5c1vir91925.bin
c:\windows\system32\z819h5cktool2bb.ocx
c:\windows\system32\z82915roj31a.bin
c:\windows\system32\z8598hack5o9l9c.dll
c:\windows\system32\z89vir957.ocx
c:\windows\system32\z91495eal1276.cpl
c:\windows\system32\z9753w5rm594.bin
c:\windows\system32\z9995ir884.cpl
c:\windows\system32\z9e4thi5f2959.bin
c:\windows\system32\za71sparse5009.exe
c:\windows\system32\zc20vir9351.bin
c:\windows\system32\zf1csp5ware9031.bin
c:\windows\system32\zf39steal8555.dll
c:\windows\system32\zf49back5oor996.exe
c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
c:\windows\z0409pywa5e593.bin
c:\windows\z050virus5d9.ocx
c:\windows\z1601troj259.bin
c:\windows\z19avir21395.dll
c:\windows\z286hack9o5lfc.ocx
c:\windows\z3856vi9us753.exe
c:\windows\z3b49hre5t12311.cpl
c:\windows\z452addware1903.dll
c:\windows\z499v5rus1d2.bin
c:\windows\z6289not5a-virus556.bin
c:\windows\z67415iru9287.ocx
c:\windows\z723tro9685.bin
c:\windows\z7435pars92579.exe
c:\windows\z7754spam9ot556.exe
c:\windows\z799spar5e1468.ocx
c:\windows\z7bbackdoo93150.ocx
c:\windows\z8264not-5-v9rus2bf.bin
c:\windows\z895s9y4f05.cpl
c:\windows\z9090troj25.bin
c:\windows\z939ro5394.bin
c:\windows\z959steal1533.exe
c:\windows\z9a7vi95542.ocx
c:\windows\zbdaddware25579.exe
c:\windows\zc33b9ckdoor2548.dll
c:\windows\zde5addware8839.ocx

Re: winifighter
ONE of Three

Thanks Belahzur - I followed the above instructions and ran ComboFix, which found first three errors in c:\windows\system32\MSIVX and letters of various types with a .sys and two .dll extensions -- then it got into the winifighter files

Hope this is the end of the winifighter!!
Thanks again

I'll split this across two posts

ONE
ComboFix 09-08-04.04 - Peter 06/08/2009 17:36.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.958.426 [GMT 1:00]
Running from: c:\users\Peter\Downloads\Combo-Fix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\program files\WiniFighter Software
c:\program files\WiniFighter Software\WiniFighter\data.bin
c:\program files\WiniFighter Software\WiniFighter\license.txt
c:\program files\WiniFighter Software\WiniFighter\uninstall.exe
c:\program files\WiniFighter Software\WiniFighter\WiniFighter.exe
c:\program files\WiniFighter Software\WiniFighter\WiniFighterSvc.exe
c:\programdata\Microsoft\Windows\Start Menu\Programs\WiniFighter
c:\programdata\Microsoft\Windows\Start Menu\Programs\WiniFighter\1 WiniFighter.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\WiniFighter\2 Homepage.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\WiniFighter\3 Uninstall.lnk
c:\users\Public\Desktop\WiniFighter.lnk
c:\windows\1020zspy95b.dll
c:\windows\10f79a5kdoor593z.dll
c:\windows\10z7not-a-9irus395.cpl
c:\windows\110athzef30915.dll
c:\windows\1119ztroj548.dll
c:\windows\11579wzrm62e.ocx
c:\windows\11zas95al309.bin
c:\windows\12049tzoj6c5.ocx
c:\windows\125z59p57e0.exe
c:\windows\12736ha5ktzo94e9.bin
c:\windows\13349hzckt5oled.cpl
c:\windows\1359zvir9s154.ocx
c:\windows\135zsparse2889.dll
c:\windows\139295ackt9ol51z.bin
c:\windows\140z5h9cktool57f.ocx
c:\windows\1455159z4cc.dll
c:\windows\1474back9oorz7755.exe
c:\windows\15255szy79f.exe
c:\windows\15285no9-z-virus551.cpl
c:\windows\15295sp935z.bin
c:\windows\15449v9zusc15.exe
c:\windows\1550zhackto9l550.exe
c:\windows\15544not-a-virus95cz.exe
c:\windows\1557b5ckdoo9z34.cpl
c:\windows\15696s9zmbot507.bin
c:\windows\156bv9r542z.cpl
c:\windows\158ebackdoz91799.bin
c:\windows\1591zworm2b9.ocx
c:\windows\159925zrus167.cpl
c:\windows\15994spyzd9.ocx
c:\windows\15bzspar9e1182.ocx
c:\windows\15z509roj56e.exe
c:\windows\15z66vir5s1079.bin
c:\windows\16955zroj96.exe
c:\windows\16989tr5j4fez.ocx
c:\windows\16997t9oj5z.exe
c:\windows\16z80vir596e7.dll
c:\windows\17594hackzool317.dll
c:\windows\17748viz9s55e.ocx
c:\windows\179tzief2495.ocx
c:\windows\179z3spy1d5.exe
c:\windows\17dz9ir2555.exe
c:\windows\1815acktool9zf.bin
c:\windows\18181w95m1zd.ocx
c:\windows\184z3tr9j58.cpl
c:\windows\186695ywarez628.dll
c:\windows\18dcd5w9zoader528.dll
c:\windows\18z58sp9mbot51e.exe
c:\windows\19119spz14b5.exe
c:\windows\19321h5cktozl23e.exe
c:\windows\19432z592aa.dll
c:\windows\19514szy266.dll
c:\windows\19532trzj5879.ocx
c:\windows\1975zspambot581.exe
c:\windows\1979hacktoo521z.exe
c:\windows\19948spambo598z.ocx
c:\windows\19987not-9-vzrus548.dll
c:\windows\19z0thief2735.cpl
c:\windows\19z90worm185.bin
c:\windows\1b49z5dware30269.exe
c:\windows\1b56vir323z9.bin
c:\windows\1c8z5pyware996.bin
c:\windows\1z1sp9rse2956.exe
c:\windows\1z224viru5559.bin
c:\windows\1z352viru965c.exe
c:\windows\1z453spam5ot589.ocx
c:\windows\1z503ha9ktool1de.exe
c:\windows\1z556v9rus7ff.exe
c:\windows\1z8dstea9955.dll
c:\windows\2056zp9rse2826.cpl
c:\windows\20639wzrm1035.dll
c:\windows\20847sp95zot316.cpl
c:\windows\20z129irus245.bin
c:\windows\21185spambzt5919.ocx
c:\windows\21848no5-a-vi9usze.ocx
c:\windows\21d09ackdoorz065.exe
c:\windows\21db9t5alz24.cpl
c:\windows\22439ackdoor2z52.bin
c:\windows\2319sparse5z59.bin
c:\windows\2335zparse4079.bin
c:\windows\23390ha5ktooz95c.exe
c:\windows\23558not-a-zir5s96d.cpl
c:\windows\23f9v9z5756.exe
c:\windows\24051spzmbo9635.dll
c:\windows\240ct5rzat90699.bin
c:\windows\24345ddwa9e299z.exe
c:\windows\248559azktool503.exe
c:\windows\24899ackdoor50z.ocx
c:\windows\24929virus15az.bin
c:\windows\24z63tr9j589.ocx
c:\windows\25010zorm9975.bin
c:\windows\2524zworm35a9.ocx
c:\windows\25347not-5-v9zus312.cpl
c:\windows\2535zn9t-a-virus69b.ocx
c:\windows\254z4v9ru51be.dll
c:\windows\26200zi9u5367.bin
c:\windows\2627stea950z3.dll
c:\windows\26512zir5sf9.exe
c:\windows\26592zacktool5eb9.dll
c:\windows\268579izus5405.cpl
c:\windows\268bzpy9are925.exe
c:\windows\26971not-9-virusz45.ocx
c:\windows\26992zi5us438.cpl
c:\windows\27718t9oj58ez.cpl
c:\windows\279899roz55f.exe
c:\windows\27bbs5zware32439.dll
c:\windows\28075viruz493.cpl
c:\windows\2824z9py5f85.exe
c:\windows\288dspyw9ze2575.dll
c:\windows\2911zworm4549.ocx
c:\windows\295dszars5971.cpl
c:\windows\29869w9zm551.dll
c:\windows\29937not-a-ziru59e.exe
c:\windows\29cab5ckzoo91964.dll
c:\windows\2b1bthr9at15z945.exe
c:\windows\2dfadownloaderz529.bin
c:\windows\2z549spy24e9.ocx
c:\windows\2z99download5r2513.dll
c:\windows\30251z9y721.cpl
c:\windows\30490hack5zol32b.ocx
c:\windows\30690viru541z9.bin
c:\windows\3072not95-zirus64c.bin
c:\windows\3083b9ckdoor755z.bin
c:\windows\3105s9560ez.ocx
c:\windows\31459hacktozl698.ocx
c:\windows\31491haczto5lee.exe
c:\windows\3175z9orm2b9.cpl
c:\windows\31z91v5ru9b3.exe
c:\windows\32234w9rz215.exe
c:\windows\32392n5t9azvirus75c.dll
c:\windows\32504spam9oz53f.exe
c:\windows\3425v9z331.ocx
c:\windows\3508spywa9e32z1.cpl
c:\windows\351espar9e155z.bin
c:\windows\353bt9rzat54908.ocx
c:\windows\35d3dzwnl9ader422.cpl
c:\windows\35faspy9are9z6.dll
c:\windows\36d95tzal592.bin
c:\windows\37ez5ir9235.dll
c:\windows\3902no5-9-vzrus440.exe
c:\windows\3912t5reat253z8.dll
c:\windows\3949z9dware3504.dll
c:\windows\3955downloade519z2.exe
c:\windows\395bszyware2153.cpl
c:\windows\3994wo5mzf9.cpl
c:\windows\39d95hief2z47.bin
c:\windows\39z0vir2259.ocx
c:\windows\3be6t9rzat25345.cpl
c:\windows\3c9fzparse1965.ocx
c:\windows\3d62ste95705z.cpl
c:\windows\3dbeb5ckzoo9978.ocx
c:\windows\3de39ackzoo52285.dll
c:\windows\3z001wor9459.ocx
c:\windows\3z25s9y4fe.bin
c:\windows\3zd4downloade98135.cpl
c:\windows\4052wozm491.exe
c:\windows\40d5st9zl2640.bin
c:\windows\4109thi5f2934z.cpl
c:\windows\410esp95zre49.bin
c:\windows\42z8vir30559.ocx
c:\windows\431addw9ze1520.exe
c:\windows\4391spz257.dll
c:\windows\4535hac9tool25z.bin
c:\windows\4551downloa9ez2879.bin
c:\windows\4594zi5456.dll
c:\windows\4595steal15z8.bin
c:\windows\460zd9wnloade53116.exe
c:\windows\4639spazse1395.cpl
c:\windows\4673thze59436.exe
c:\windows\4955spambzt629.exe
c:\windows\49acbzc59oor888.bin
c:\windows\49b0adzwar924555.bin
c:\windows\49z7vir589.dll
c:\windows\49z9virus458.cpl
c:\windows\49zbsparse5000.cpl
c:\windows\4bfbzckdo9r251.ocx
c:\windows\4d159zr765.cpl
c:\windows\4d95vir9859z.ocx
c:\windows\4f04bac9zoor395.dll
c:\windows\4f25addw9rz5034.exe
c:\windows\4f935pywarz3259.ocx
c:\windows\500dthr5at1z759.dll
c:\windows\5017doz5loader2967.ocx
c:\windows\50735pzrse10959.cpl
c:\windows\5078az5war92165.ocx
c:\windows\507z6spam9ot523.dll
c:\windows\5089notza-9irus576.ocx
c:\windows\509bsparze1776.ocx
c:\windows\509cbaczdoor9658.cpl
c:\windows\50d9addware9z6.dll
c:\windows\50ebth59fz76.exe
c:\windows\5148stz9l326.dll
c:\windows\51dt95eat284z9.dll
c:\windows\52379spambzt90e.cpl
c:\windows\52619tr9jzb.cpl
c:\windows\53a9spyware9z4.dll
c:\windows\5419spyw9re8z4.ocx
c:\windows\54226z9y6b0.cpl
c:\windows\544z29acktool19f.cpl
c:\windows\54d2stez9688.ocx
c:\windows\5509thizf955.ocx
c:\windows\5576v9zus786.cpl
c:\windows\55dzvir5359.ocx
c:\windows\55eeza9kdoor5623.dll
c:\windows\55f0dz9n5oader2607.exe
c:\windows\560zackd9or2068.ocx
c:\windows\56916zroj25e.cpl
c:\windows\56982vizus98.cpl
c:\windows\56a5spywar92971z.ocx
c:\windows\56c2azdwar59739.dll
c:\windows\5785wor940cz.cpl
c:\windows\57959zpy765.ocx
c:\windows\5806zro9418.cpl
c:\windows\58345ir1z559.exe
c:\windows\5866st5az2972.ocx
c:\windows\5879steal53z4.exe
c:\windows\58f9spyw5re286z.exe
c:\windows\590z6spambot6b3.exe
c:\windows\591vi5uz780.bin
c:\windows\59266viruszfb.bin
c:\windows\59274z9ojef.exe
c:\windows\5939threat59z79.dll
c:\windows\593czackdoor992.exe
c:\windows\5951zhreat20848.exe
c:\windows\5959sparse25z4.exe
c:\windows\595z5spy75a.exe
c:\windows\596z9ackdoor1562.bin
c:\windows\5990azdware5225.bin
c:\windows\59923trojz6.ocx
c:\windows\5993hacztool35a9.exe
c:\windows\599bspzware356.dll
c:\windows\59a0baczd9or1328.ocx
c:\windows\59ccv5z2085.ocx
c:\windows\5a5fbackzo9r1751.dll
c:\windows\5b95virz848.cpl
c:\windows\5c52szarse229.cpl
c:\windows\5c78ad9wa5e112z.bin
c:\windows\5c7z9parse2838.cpl
c:\windows\5ca7st9al55z.cpl
c:\windows\5cc6sza9se159.bin
c:\windows\5cez9teal940.exe
c:\windows\5cfzthief1399.exe
c:\windows\5e24downloader192z9.exe
c:\windows\5e7zspywar9722.bin
c:\windows\5ed99hreat53z23.exe
c:\windows\5f2dthi5f95z7.cpl
c:\windows\5f70dow9loader137z.dll
c:\windows\5z3ds9yware1585.dll
c:\windows\5z41s9arse587.bin
c:\windows\5z56s9eal29405.ocx
c:\windows\5z9st9al1755.ocx
c:\windows\5zc9sparse292.cpl
c:\windows\5zdfthrea91372.dll
c:\windows\6070bac5d9zr3062.cpl
c:\windows\60f75ow9loader828z.dll
c:\windows\6122spar5z2759.exe
c:\windows\6196downlo5der3z74.bin
c:\windows\6212th9eat59z1.bin
c:\windows\62f2sp95sez91.ocx
c:\windows\6394do9nlozd5r2621.exe
c:\windows\644d5hre9t5z21.exe
c:\windows\652zhief4359.exe
c:\windows\6544t5zj289.ocx
c:\windows\6571sparze9595.exe
c:\windows\658spazse499.cpl
c:\windows\65fa9parsez652.exe
c:\windows\66z9downloade52207.dll
c:\windows\6920wz5me6.exe
c:\windows\6937zparse29045.dll
c:\windows\69z6spywar52540.cpl
c:\windows\6a0edo9nl5aderz509.ocx
c:\windows\6a54spywarz5989.ocx
c:\windows\6azest9al16645.ocx
c:\windows\6c6b9zarse653.dll
c:\windows\6dc55ownloadz93082.dll
c:\windows\6z49spyware1588.dll
c:\windows\6z59thief2659.dll
c:\windows\6z87thie53029.bin
c:\windows\6zf7b95kdoor2564.ocx
c:\windows\709cvir1355z.ocx
c:\windows\70z99d5ware590.bin
c:\windows\7111th9z52784.bin
c:\windows\71289pazb5t1a.exe
c:\windows\715zteal9800.exe
c:\windows\7229wor5z79.bin
c:\windows\74f59dd5are1711z.dll
c:\windows\751d9ackdooz2753.cpl
c:\windows\7536vzr9s466.exe
c:\windows\759d9ownloaderz93.exe
c:\windows\75bbthre9t17z56.exe
c:\windows\7795stezl2155.dll
c:\windows\77e9do9nl5zder1840.exe
c:\windows\785zt9oj525.exe
c:\windows\78desz9r5e958.exe
c:\windows\793a5parse2z00.exe
c:\windows\7959thzef1060.cpl
c:\windows\7995azd5are2646.cpl
c:\windows\79e3spywa5e712z.cpl
c:\windows\79fbs5arse1z829.dll
c:\windows\79fes5ez9722.ocx
c:\windows\79zb9te5l965.dll
c:\windows\7b09stez52525.cpl
c:\windows\7b0zh9ef2675.exe
c:\windows\7b125te9lz01.bin
c:\windows\7cf1thzeat25494.bin
c:\windows\7fa59ownl5adzr2560.ocx
c:\windows\809spamb5t182z.dll
c:\windows\852vzr956.dll
c:\windows\8559virzs207.bin
c:\windows\9091worm3z55.ocx
c:\windows\9125zy526.ocx
c:\windows\91559spzmbot3a1.bin
c:\windows\922175iruz558.ocx
c:\windows\934azir5891.ocx
c:\windows\94539trojz5a.ocx
c:\windows\945esparse316z.exe
c:\windows\94869ir5s4fz.dll
c:\windows\95055vzrus89.ocx
c:\windows\9507sparse841z.cpl
c:\windows\9515zrm7c6.dll
c:\windows\95375spy42z.cpl
c:\windows\9575spazse2914.cpl
c:\windows\95z7backdoor3561.cpl
c:\windows\960stzal597.cpl
c:\windows\9612vzr5698.bin
c:\windows\96e1downlzad5r336.dll
c:\windows\97529szy595.bin
c:\windows\97793zpy522.dll
c:\windows\9794not-a-virzs7885.bin
c:\windows\97z7steal1156.exe
c:\windows\9851not-z-vir5sc6.cpl
c:\windows\9942hac9t5olzf5.bin
c:\windows\99599troj31z.cpl
c:\windows\99815spyz34.ocx
c:\windows\9d98adzware24115.exe
c:\windows\9e72downlo5der2957z.bin
c:\windows\9z6dthief959.exe
c:\windows\a3ddownzoa9er3595.dll
c:\windows\c79v9r4z5.cpl
c:\windows\c85backdo9rz515.dll
c:\windows\cd2spywar9315z.cpl
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\e86spywarz5599.bin
c:\windows\fa9stezl2995.dll
c:\windows\fe29ownzoader345.dll
c:\windows\Installer\1744810.msi
c:\windows\system32\10735wo9m184z.bin
c:\windows\system32\10a59ownloadzr282.bin
c:\windows\system32\10z9ste5l1940.ocx
c:\windows\system32\11519hacztoo97e5.cpl
c:\windows\system32\1157not-a-v9r5z3da.exe
c:\windows\system32\11881tro95z5.exe
c:\windows\system32\11e9azdwa5e1443.dll
c:\windows\system32\11ecspy59rez40.exe
c:\windows\system32\11z78spamb5ta9.cpl
c:\windows\system32\12259z-a-virus3d8.ocx
c:\windows\system32\12525vi9uz220.cpl
c:\windows\system32\1254th9eat598z.dll
c:\windows\system32\12595zp59bot349.cpl
c:\windows\system32\12960spzmbo5613.exe
c:\windows\system32\12z795p91e2.bin
c:\windows\system32\12z9spa5bot54.exe
c:\windows\system32\13265virus99cz.exe
c:\windows\system32\13459sp9az5.exe
c:\windows\system32\13490spambot45z.exe
c:\windows\system32\13558zo9m37.bin
c:\windows\system32\13982s9ambzt355.bin
c:\windows\system32\14099v9zus5d65.exe
c:\windows\system32\14495not-azvir5s495.ocx
c:\windows\system32\14598not-5-vzrus9db.exe
c:\windows\system32\146z1tro53f79.dll
c:\windows\system32\147zs59mbot795.exe
c:\windows\system32\14893trzj56a.bin
c:\windows\system32\1499sp5ware11z0.ocx
c:\windows\system32\1506z9a5ktool754.cpl
c:\windows\system32\151385r9j7d1z.exe
c:\windows\system32\15276hac5tool9a2z.bin
c:\windows\system32\15518z9amb5tee.cpl
c:\windows\system32\15604ha5ktool3za9.dll
c:\windows\system32\1561zpy9are2271.ocx
c:\windows\system32\15638spambo96z5.ocx
c:\windows\system32\15688s5ambzt7d79.dll
c:\windows\system32\1588s9ywa5e28z.ocx
c:\windows\system32\158z15or95b3.dll
c:\windows\system32\1593z5orm94e.dll
c:\windows\system32\1594zspy42.bin
c:\windows\system32\15z80no9-a-virus1e2.exe
c:\windows\system32\1605zhackt9ol485.dll
c:\windows\system32\16068z9y17a5.cpl
c:\windows\system32\16072not5a9virusz8.dll
c:\windows\system32\1657thzeat95904.dll
c:\windows\system32\17655t5z96e5.ocx
c:\windows\system32\18528vz9us98.dll
c:\windows\system32\18604wo5m59z.dll
c:\windows\system32\18715hreat9z759.exe
c:\windows\system32\18736s5zmbot998.bin
c:\windows\system32\18964virus5z1.ocx
c:\windows\system32\18e9vir30z5.exe
c:\windows\system32\1929vi5usz11.exe
c:\windows\system32\19453spambzt659.bin
c:\windows\system32\19540w5rm4dz.ocx
c:\windows\system32\195z4worm56e.exe
c:\windows\system32\19657not-a-ziru5400.ocx
c:\windows\system32\19662zroj751.cpl
c:\windows\system32\196695irzs7039.exe
c:\windows\system32\1972spywarez315.dll
c:\windows\system32\19733virzs675.exe
c:\windows\system32\19803zroj51.exe
c:\windows\system32\1czds5yware9170.ocx
c:\windows\system32\1dezvir19405.ocx
c:\windows\system32\1e1aaddw9rz2005.ocx
c:\windows\system32\1e955parze204.cpl

Re: winifighter
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

winifighter CF_Cleanup

This will also reset your restore points.

How is the machine running now?

Re: winifighter
On typing combofix /u in the 'start search window' [= to run in Vista, I think?] and clicking on the file listed as combofix /u, it opens the following window saying "windows cannot find 'Combo -fix.exe'. Make sure you typed the name correctly, and then try again". I eventually right-clicked the file name and chose "open as administrator", which opened the combo-fix.exe window, which I abandoned.

Should I have let it run?
I have re-enabled the firewall and virus checker. If I run the file, will I have to disable them?
Thanks

Re: winifighter
Leave it for now, the malware is gone, let's not fix what isn't broken. Smile...

Re: winifighter
I think you're right - I've had no more bluescreens either.

Thanks for all your help, belahzur. Thank you!
