Hi
There is also a possibility to use this tool to remove it from your machine on boot:
http://www.snapfiles.com/reviews/MoveOnBoot/moveonboot.html (free)
Install it, right-click on the malware file, choose to delete it on next boot, reboot, and it is gone.
Also remove each of the files in those folders the same way. After they are gone the folders can be deleted, and then you should be able to clean the entries in the registry once the files are gone (you may need to take ownership of the keys).
1. Detected Files:
2. Detected Files with variable Filenames:
MD5: CE40153B4A732FDEB214B00D4C1B123F
Size: 474682
d:\Program Files\Funshion Online\Funshion\XPSP2Patch\funshion010.exe
e:\½l\XPSP2Patch\funshion010.exe
%PROGRAMFILES%\Funshion Online\Funshion\XPSP2Patch\funshion010.exe
%SystemDiskRoot%\System Volume Information\_restore{D4259519-9A98-4CB3-A9A9-7C40618633AA}\RP30\A0014092.exe
Detecting items list:
1. Files by MD5
MD5: CE40153B4A732FDEB214B00D4C1B123F
Size: 474682
FileName                                     McAfee Supported
%WINDIR%\dcbdcatys32_090608a.dll             Spy-Agent.br.dll
%WINDIR%\system\sgcxcxxaspf090608.exe        Downloader-AZN
%WINDIR%\system32\inf\scsys16_090608.dll     Downloader-AZN
System Changes
These are general defaults for typical path variables. (Although they may differ, these examples are common.):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files
The following files were analyzed:
# %USERPROFILE%\local settings\temp\0248.exe
The following files have been added to the system:
# %WINDIR%\dcbdcatys32_090608a.dll
# %WINDIR%\system\sgcxcxxaspf090608.exe
# %WINDIR%\system32\inf\
# %WINDIR%\system32\inf\scsys16_090608.dll
# %WINDIR%\system32\inf\sppdcrs090608.scr
# %WINDIR%\system32\inf\svchoct.exe
# %WINDIR%\tawisys.ini
# %WINDIR%\wftadfi16_090608a.dll
The following registry elements have been created:
# HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\currentversion\policies\explorer\run\
* maineyucst = c:\windows\system32\inf\svchoct.exe c:\windows\wftadfi16_090608a.dll d16tan
The following registry elements have been changed:
# HKEY_CURRENT_USER\Software\Microsoft\internet explorer\main\
* check_associations = no
# HKEY_CURRENT_USER\Software\Microsoft\Windows\currentversion\internet settings\
* enableautodial = 0
Symptoms
The symptoms of this detection are the files, registry, and network communication referenced in the characteristics section.
Removal considerations:
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.aspx
polonus