Keyloggers Et Al, Win8.exe etc, WinF.exe and many more [CLOSED], Returned from business trip, teenagers welcomed me home with malware
Aug 17 2008, 06:28 PM
Post #1
New Member, Posts: 9, OS: XP
My wife and I left last week for separate business trips, leaving a 20-year-old and a 15-year-old at home by themselves (with the internet). We arrived home to find "Risky Business 2008." No mangled house from excessive partying, but the computer is doing crazy things, like my desktop showing a background image that tells me I have spyware and need to install a spyware remover; this is a new one for me. Please help; HijackThis log follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:17:06 PM, on 8/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [\Win8.exe] C:\Windows\system32\Win8.exe
O4 - HKLM\..\Run: [\WinB.exe] C:\Windows\system32\WinB.exe
O4 - HKLM\..\Run: [\WinC.exe] C:\Windows\system32\WinC.exe
O4 - HKLM\..\Run: [\WinD.exe] C:\Windows\system32\WinD.exe
O4 - HKLM\..\Run: [\WinF.exe] C:\Windows\system32\WinF.exe
O4 - HKLM\..\Run: [lphc5d9j0eeod] C:\WINDOWS\system32\lphc5d9j0eeod.exe
O4 - HKLM\..\Run: [SMrhc1d9j0eeod] C:\Program Files\rhc1d9j0eeod\rhc1d9j0eeod.exe
O4 - HKLM\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [\Win8.exe] C:\Windows\system32\Win8.exe
O4 - HKCU\..\Run: [\WinB.exe] C:\Windows\system32\WinB.exe
O4 - HKCU\..\Run: [\WinC.exe] C:\Windows\system32\WinC.exe
O4 - HKCU\..\Run: [\WinD.exe] C:\Windows\system32\WinD.exe
O4 - HKCU\..\Run: [\WinF.exe] C:\Windows\system32\WinF.exe
O4 - HKCU\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/oas/ActiveX/MSDcode.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/180solut...e/bridge-c3.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189466180346
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189466167778
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: NSsbdPDcr - {5B7790D4-F1DD-3A7E-476E-75E87751CB3C} - C:\WINDOWS\system32\mhgcb.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

--
End of file - 6417 bytes
Aug 17 2008, 09:36 PM
Post #2
Trusted Helper, Posts: 2,900, From: London, UK, OS: XP
Hi ZZ Zimm,

Welcome to geekstogo. I can see several infections in your log. Let's get started right away.

====STEP 1====

Download SDFix and save it to your Desktop. Double click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows directory, typically C:\SDFix). Please then reboot your computer in Safe Mode by doing the following:

====STEP 2====

If you have already downloaded ComboFix, then could you delete the current version of ComboFix you have and then follow these instructions:

Please visit this web page for instructions for downloading and running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet. (All the instructions for installing the Recovery Console are in the above link, but for more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.)

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console, as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.**

In your next reply could I see:
1. the SDFix Report.txt log
2. the ComboFix log
3. a new HijackThis log

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
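The helper says the first post's log shows several infections; the following script, an added example that is not part of the thread and not code from HijackThis or any of the tools named above, shows what a log reader can check mechanically in O4 (Run key) and O21 (SSODL) lines: autorun names that begin with a backslash, generic Win?.exe files in system32, random-looking names, and the same autorun duplicated under HKLM and HKCU. The sample lines are constructed from entries in the first post's log, and the heuristics are assumptions of mine, not a published detection rule.

```python
"""Triage helper for HijackThis-style logs.

Added example: not code from the thread, from Trend Micro or from any
of the clean-up tools the helper names. Parses O4 (Run key) and O21
(ShellServiceObjectDelayLoad) lines and flags the traits that make the
rogue entries in the first post stand out. The heuristics are my own
assumptions and the sample below is constructed from that log.
"""
import re
from collections import defaultdict

# Constructed sample: a few lines modelled on the first post's HijackThis log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [\Win8.exe] C:\Windows\system32\Win8.exe
O4 - HKLM\..\Run: [\WinF.exe] C:\Windows\system32\WinF.exe
O4 - HKLM\..\Run: [lphc5d9j0eeod] C:\WINDOWS\system32\lphc5d9j0eeod.exe
O4 - HKLM\..\Run: [SMrhc1d9j0eeod] C:\Program Files\rhc1d9j0eeod\rhc1d9j0eeod.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [\Win8.exe] C:\Windows\system32\Win8.exe
O4 - HKCU\..\Run: [\WinF.exe] C:\Windows\system32\WinF.exe
O21 - SSODL: NSsbdPDcr - {5B7790D4-F1DD-3A7E-476E-75E87751CB3C} - C:\WINDOWS\system32\mhgcb.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
O21_RE = re.compile(r"^O21 - SSODL: (\S+) - \{[0-9A-Fa-f-]+\} - (.*)$")
# Win8.exe, WinB.exe, WinF.exe ...: "Win" plus exactly one character.
GENERIC_WIN_RE = re.compile(r"^win[0-9a-z]\.exe$", re.IGNORECASE)
VOWELS = set("aeiou")


def basename(path):
    """Last path component, with surrounding quotes removed."""
    return path.strip('"').rsplit("\\", 1)[-1]


def looks_random(name):
    """Heuristic for generated names (assumption, not a published rule).

    lphc5d9j0eeod / rhc1d9j0eeod switch between letters and digits many
    times; mhgcb / NSsbdPDcr contain no vowel at all. Short legitimate
    names such as smss, ctfmon or cctray are not flagged: they are either
    shorter than five characters or contain a vowel.
    """
    stem = re.sub(r"\.[A-Za-z0-9]+$", "", name).lower()
    chars = re.sub(r"[^a-z0-9]", "", stem)
    if not chars:
        return False
    switches = sum(1 for a, b in zip(chars, chars[1:]) if a.isdigit() != b.isdigit())
    no_vowels = not (set(chars) & VOWELS)
    return switches >= 3 or (no_vowels and len(chars) >= 5)


def triage(log_text):
    """Return {log line: [reasons]} for the entries worth a closer look."""
    reasons = {}
    hives = defaultdict(set)       # (name, target) -> hives it appears under
    lines_for = defaultdict(list)  # (name, target) -> matching log lines
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            hive, name, target = m.groups()
            key = (name.lower(), target.strip('"').lower())
            hives[key].add(hive)
            lines_for[key].append(line)
            exe = basename(target)
            why = []
            if name.startswith("\\"):
                why.append("autorun name begins with a backslash")
            if GENERIC_WIN_RE.match(exe) and "system32" in target.lower():
                why.append("generic Win?.exe dropped in system32")
            if looks_random(name) or looks_random(exe):
                why.append("random-looking name")
            if why:
                reasons[line] = why
            continue
        m = O21_RE.match(line)
        if m:
            name, dll = m.groups()
            if looks_random(name) or looks_random(basename(dll)):
                reasons[line] = ["SSODL shell-load DLL with random-looking name"]
    # Second pass: the same autorun registered under both HKLM and HKCU.
    for key, seen in hives.items():
        if {"HKLM", "HKCU"} <= seen:
            for line in lines_for[key]:
                reasons.setdefault(line, []).append("same autorun under both HKLM and HKCU")
    return reasons


if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG).items():
        print(line)
        for w in why:
            print("    ->", w)
```

Run against the sample, it flags the seven rogue lines and leaves cctray, ctfmon and the Diskeeper service alone; a hit is a prompt to look closer, not proof of infection.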
Aug 17 2008, 10:01 PM
Post #3
New Member, Posts: 9, OS: XP
Thanks so much for your reply,
As I was going through the process, I was not able to find my Windows XP disk to install the WinXP Recovery Console. Is there a link or workaround for it, as I cannot locate my CD anywhere? Please advise, and thanks again for your help, ZZ
Aug 17 2008, 10:08 PM
Post #4
Trusted Helper, Posts: 2,900, From: London, UK, OS: XP
Yes, if you follow the link provided to the ComboFix instructions (http://www.bleepingcomputer.com/combofix/how-to-use-combofix), about a third of the way down the page is a section starting in bold, "If you use Windows XP and do not have the Windows CD", which guides you through downloading a file from Microsoft.
andrewuk |
Aug 18 2008, 01:32 AM
Post #5
New Member, Posts: 9, OS: XP
Thanks again for your help. BTW, I did what the instructions said, but the Recovery Console did not install; hope this did not mess anything up. Logs following:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:29:34 AM, on 8/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Aug 18 2008, 01:33 AM
Post #6
New Member, Posts: 9, OS: XP
SD Fix Log:
SDFix: Version 1.216
Run by ronnie bradford on Mon 08/18/2008 at 12:43 AM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Aug 18 2008, 01:36 AM
Post #7
New Member, Posts: 9, OS: XP
ComboFix 08-08-17.03 - ronnie bradford 2008-08-18 1:51:56.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.415 [GMT -5:00]
Running from: C:\Documents and Settings\ronnie bradford\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
Settings\Zachary\Application Data\rhc1d9j0eeod C:\Documents and Settings\Zachary\Cookies\zachary@64.70.35[1].txt C:\Documents and Settings\Zachary\Cookies\zachary@about[2].txt C:\Documents and Settings\Zachary\Cookies\zachary@ad[2].txt C:\Documents and Settings\Zachary\Cookies\zachary@adopt.specificclick[2].txt C:\Documents and Settings\Zachary\Cookies\zachary@adrevolver[1].txt C:\Documents and Settings\Zachary\Cookies\zachary@ads.pointroll[1].txt C:\Documents and Settings\Zachary\Cookies\zachary@ads.revsci[1].txt C:\Documents and Settings\Zachary\Cookies\zachary@adtrgt[2].txt C:\Documents and Settings\Zachary\Cookies\zachary@avsystemcare[1].txt C:\Documents and Settings\Zachary\Cookies\zachary@buzznet[1].txt C:\Documents and Settings\Zachary\Cookies\zachary@casalemedia[1].txt C:\Documents and Settings\Zachary\Cookies\zachary@delb.opt.fimserve[1].txt C:\Documents and Settings\Zachary\Cookies\zachary@ehg-gatehousemedia.hitbox[2].txt C:\Documents and Settings\Zachary\Cookies\zachary@ehg-myspaceinc.hitbox[2].txt C:\Documents and Settings\Zachary\Cookies\zachary@findarticles[2].txt C:\Documents and Settings\Zachary\Cookies\zachary@gamespot[1].txt C:\Documents and Settings\Zachary\Cookies\zachary@go[2].txt C:\Documents and Settings\Zachary\Cookies\zachary@grouplotto.aavalue[1].txt C:\Documents and Settings\Zachary\Cookies\zachary@insightexpressai[2].txt C:\Documents and Settings\Zachary\Cookies\zachary@metacafe[1].txt C:\Documents and Settings\Zachary\Cookies\zachary@metrics.adobe[1].txt C:\Documents and Settings\Zachary\Cookies\zachary@myspace[1].txt C:\Documents and Settings\Zachary\Cookies\zachary@myspace[3].txt C:\Documents and Settings\Zachary\Cookies\zachary@myspace[4].txt C:\Documents and Settings\Zachary\Cookies\zachary@myspace[5].txt C:\Documents and Settings\Zachary\Cookies\zachary@myspace[6].txt C:\Documents and Settings\Zachary\Cookies\zachary@myspace[7].txt C:\Documents and Settings\Zachary\Cookies\zachary@revsci[2].txt C:\Documents and 
Settings\Zachary\Cookies\zachary@specificclick[2].txt C:\Documents and Settings\Zachary\Cookies\zachary@stat.dealtime[2].txt C:\Documents and Settings\Zachary\Cookies\zachary@sweetim[2].txt C:\Documents and Settings\Zachary\Cookies\zachary@trafficmp[2].txt C:\Documents and Settings\Zachary\UserData C:\Documents and Settings\Zachary\UserData\7HP7GCNC\oWindowsUpdate[1].xml C:\Documents and Settings\Zachary\UserData\EOVXOUVY\globals[1].xml C:\Documents and Settings\Zachary\UserData\index.dat C:\Documents and Settings\Zachary\UserData\OWJM55T5\sn[1].xml C:\Documents and Settings\Zachary\UserData\UC24IUZ0\sn[1].xml C:\Documents and Settings\Zachary\UserData\UC24IUZ0\YL[1].xml C:\Program Files\rhc1d9j0eeod C:\WINDOWS\cdmxtras C:\WINDOWS\cdmxtras\uninst.exe C:\WINDOWS\cookies.ini C:\WINDOWS\Downloaded Program Files\setup.inf C:\WINDOWS\system32\3.tmp C:\WINDOWS\system32\4.tmp C:\WINDOWS\system32\5.tmp C:\WINDOWS\system32\6.tmp C:\WINDOWS\system32\7.tmp C:\WINDOWS\system32\8.tmp C:\WINDOWS\system32\9.tmp C:\WINDOWS\system32\A.tmp C:\WINDOWS\system32\adlgiwvo.ini C:\WINDOWS\system32\B.tmp C:\WINDOWS\system32\babsarbj.ini C:\WINDOWS\system32\bwfjmlfo.dll C:\WINDOWS\system32\C.tmp C:\WINDOWS\system32\cache329 C:\WINDOWS\system32\D.tmp C:\WINDOWS\system32\desioyjf.ini C:\WINDOWS\system32\E.tmp C:\WINDOWS\system32\edareoyi.dll C:\WINDOWS\system32\eggiibic.ini C:\WINDOWS\system32\F.tmp C:\WINDOWS\system32\fjyoised.dll C:\WINDOWS\system32\hmtqxugt.ini C:\WINDOWS\system32\ierucuon.ini C:\WINDOWS\system32\iyoerade.ini C:\WINDOWS\system32\jhqhcjap.ini C:\WINDOWS\system32\kblxcown.dll C:\WINDOWS\system32\kpemtlit.ini C:\WINDOWS\system32\kwcwwqsg.ini C:\WINDOWS\system32\kyscmryq.dll C:\WINDOWS\system32\MSINET.oca C:\WINDOWS\system32\noucurei.dll C:\WINDOWS\system32\ntjsfckv.ini C:\WINDOWS\system32\nwocxlbk.ini C:\WINDOWS\system32\oflmjfwb.ini C:\WINDOWS\system32\ovwiglda.dll C:\WINDOWS\system32\P2P Networking C:\WINDOWS\system32\P2P Networking\MARSHAL.DLL C:\WINDOWS\system32\P2P 
Networking\MARSHAL10.DLL C:\WINDOWS\system32\P2P Networking\MARSHAL11.DLL C:\WINDOWS\system32\P2P Networking\MARSHAL12.DLL C:\WINDOWS\system32\P2P Networking\MARSHAL13.DLL C:\WINDOWS\system32\P2P Networking\MARSHAL14.DLL C:\WINDOWS\system32\P2P Networking\MARSHAL2.DLL C:\WINDOWS\system32\P2P Networking\MARSHAL3.DLL C:\WINDOWS\system32\P2P Networking\MARSHAL4.DLL C:\WINDOWS\system32\P2P Networking\MARSHAL5.DLL C:\WINDOWS\system32\P2P Networking\MARSHAL6.DLL C:\WINDOWS\system32\P2P Networking\MARSHAL7.DLL C:\WINDOWS\system32\P2P Networking\MARSHAL8.DLL C:\WINDOWS\system32\P2P Networking\MARSHAL9.DLL C:\WINDOWS\system32\P2P Networking\P2P Networking.eng C:\WINDOWS\system32\P2P Networking\P2P Networking10.ENG C:\WINDOWS\system32\P2P Networking\P2P Networking11.ENG C:\WINDOWS\system32\P2P Networking\P2P Networking12.ENG C:\WINDOWS\system32\P2P Networking\P2P Networking13.ENG C:\WINDOWS\system32\P2P Networking\P2P Networking14.ENG C:\WINDOWS\system32\P2P Networking\P2P Networking2.ENG C:\WINDOWS\system32\P2P Networking\P2P Networking3.ENG C:\WINDOWS\system32\P2P Networking\P2P Networking4.ENG C:\WINDOWS\system32\P2P Networking\P2P Networking5.ENG C:\WINDOWS\system32\P2P Networking\P2P Networking6.ENG C:\WINDOWS\system32\P2P Networking\P2P Networking7.ENG C:\WINDOWS\system32\P2P Networking\P2P Networking8.ENG C:\WINDOWS\system32\P2P Networking\P2P Networking9.ENG C:\WINDOWS\system32\qyufdgir.ini C:\WINDOWS\system32\rigdfuyq.dll C:\WINDOWS\system32\ssquklfo.ini C:\WINDOWS\system32\tiltmepk.dll C:\WINDOWS\system32\vodfyscx.ini C:\WINDOWS\system32\xcsyfdov.dll . ((((((((((((((((((((((((( Files Created from 2008-07-18 to 2008-08-18 ))))))))))))))))))))))))))))))) . 2008-08-18 00:31 . 2008-08-18 00:31 <DIR> d-------- C:\WINDOWS\ERUNT 2008-08-18 00:25 . 2008-08-18 01:36 <DIR> d-------- C:\SDFix 2008-08-14 16:18 . 2008-08-14 16:18 0 --a------ C:\WINDOWS\system32\4F.tmp 2008-08-09 11:09 . 2008-08-09 11:09 0 --a------ C:\WINDOWS\system32\45.tmp 2008-08-09 00:47 . 
2008-08-09 00:47 0 --a------ C:\WINDOWS\system32\37.tmp 2008-08-06 07:48 . 2008-08-06 07:48 <DIR> d-------- C:\Documents and Settings\Debracca\Application Data\MySpace 2008-08-04 14:58 . 2008-08-04 14:58 <DIR> d-------- C:\Documents and Settings\Zachary\Application Data\MySpace 2008-07-31 22:14 . 2008-08-17 18:56 <DIR> d-------- C:\Program Files\MySpace 2008-07-31 22:14 . 2008-07-31 22:14 <DIR> d-------- C:\Documents and Settings\ronnie bradford\Application Data\MySpace . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-08-18 01:08 94,208 ----a-w C:\WINDOWS\system32\67.tmp 2008-08-18 00:56 94,208 ----a-w C:\WINDOWS\system32\66.tmp 2008-08-18 00:56 94,208 ----a-w C:\WINDOWS\system32\65.tmp 2008-08-18 00:56 94,208 ----a-w C:\WINDOWS\system32\64.tmp 2008-08-18 00:55 94,208 ----a-w C:\WINDOWS\system32\63.tmp 2008-08-18 00:55 94,208 ----a-w C:\WINDOWS\system32\62.tmp 2008-08-18 00:55 94,208 ----a-w C:\WINDOWS\system32\61.tmp 2008-08-18 00:55 94,208 ----a-w C:\WINDOWS\system32\60.tmp 2008-08-18 00:55 94,208 ----a-w C:\WINDOWS\system32\5F.tmp 2008-08-18 00:54 94,208 ----a-w C:\WINDOWS\system32\5E.tmp 2008-08-18 00:54 94,208 ----a-w C:\WINDOWS\system32\5D.tmp 2008-08-18 00:54 94,208 ----a-w C:\WINDOWS\system32\5C.tmp 2008-08-18 00:54 94,208 ----a-w C:\WINDOWS\system32\5B.tmp 2008-08-18 00:01 --------- d-----w C:\Program Files\Common Files\AVSMedia 2008-08-18 00:00 --------- d-----w C:\Program Files\AVS4YOU 2008-08-17 23:59 --------- d-----w C:\Program Files\Google 2008-08-17 23:50 94,208 ----a-w C:\WINDOWS\system32\5A.tmp 2008-08-14 23:01 94,208 ----a-w C:\WINDOWS\system32\59.tmp 2008-08-14 23:00 94,208 ----a-w C:\WINDOWS\system32\58.tmp 2008-08-14 23:00 94,208 ----a-w C:\WINDOWS\system32\57.tmp 2008-08-14 23:00 94,208 ----a-w C:\WINDOWS\system32\56.tmp 2008-08-14 23:00 94,208 ----a-w C:\WINDOWS\system32\55.tmp 2008-08-14 23:00 94,208 ----a-w C:\WINDOWS\system32\54.tmp 2008-08-14 23:00 94,208 ----a-w 
C:\WINDOWS\system32\53.tmp 2008-08-14 22:59 94,208 ----a-w C:\WINDOWS\system32\52.tmp 2008-08-14 22:54 94,208 ----a-w C:\WINDOWS\system32\51.tmp 2008-08-14 22:54 94,208 ----a-w C:\WINDOWS\system32\50.tmp 2008-08-14 21:18 94,208 ----a-w C:\WINDOWS\system32\4E.tmp 2008-08-14 21:18 94,208 ----a-w C:\WINDOWS\system32\4D.tmp 2008-08-14 16:11 94,208 ----a-w C:\WINDOWS\system32\4C.tmp 2008-08-14 16:11 94,208 ----a-w C:\WINDOWS\system32\4B.tmp 2008-08-13 13:39 94,208 ----a-w C:\WINDOWS\system32\4A.tmp 2008-08-13 13:38 94,208 ----a-w C:\WINDOWS\system32\49.tmp 2008-08-13 13:38 94,208 ----a-w C:\WINDOWS\system32\48.tmp 2008-08-12 01:51 94,208 ----a-w C:\WINDOWS\system32\47.tmp 2008-08-11 13:59 94,208 ----a-w C:\WINDOWS\system32\46.tmp 2008-08-09 16:09 94,208 ----a-w C:\WINDOWS\system32\44.tmp 2008-08-09 16:08 94,208 ----a-w C:\WINDOWS\system32\43.tmp 2008-08-09 16:08 94,208 ----a-w C:\WINDOWS\system32\42.tmp 2008-08-09 16:08 94,208 ----a-w C:\WINDOWS\system32\41.tmp 2008-08-09 16:07 94,208 ----a-w C:\WINDOWS\system32\40.tmp 2008-08-09 16:07 94,208 ----a-w C:\WINDOWS\system32\3F.tmp 2008-08-09 16:07 94,208 ----a-w C:\WINDOWS\system32\3E.tmp 2008-08-09 16:07 94,208 ----a-w C:\WINDOWS\system32\3D.tmp 2008-08-09 16:07 94,208 ----a-w C:\WINDOWS\system32\3C.tmp 2008-08-09 16:07 94,208 ----a-w C:\WINDOWS\system32\3B.tmp 2008-08-09 16:01 94,208 ----a-w C:\WINDOWS\system32\3A.tmp 2008-08-09 16:00 94,208 ----a-w C:\WINDOWS\system32\39.tmp 2008-08-09 16:00 94,208 ----a-w C:\WINDOWS\system32\38.tmp 2008-08-09 16:00 94,208 ----a-w C:\WINDOWS\system32\34.tmp 2008-08-09 05:47 94,208 ----a-w C:\WINDOWS\system32\36.tmp 2008-08-09 05:47 94,208 ----a-w C:\WINDOWS\system32\35.tmp 2008-08-09 05:46 94,208 ----a-w C:\WINDOWS\system32\33.tmp 2008-08-09 05:46 94,208 ----a-w C:\WINDOWS\system32\32.tmp 2008-08-09 05:46 94,208 ----a-w C:\WINDOWS\system32\31.tmp 2008-08-09 05:46 94,208 ----a-w C:\WINDOWS\system32\30.tmp 2008-07-11 07:13 --------- d-----w C:\Documents and Settings\All Users\Application 
Data\TEMP 2008-07-11 07:09 --------- d-----w C:\Program Files\WMA-MP3.com 2008-07-11 07:04 --------- d-----w C:\Documents and Settings\ronnie bradford\Application Data\AVS4YOU 2008-07-11 07:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVS4YOU 2008-07-11 05:02 --------- d-----w C:\Documents and Settings\ronnie bradford\Application Data\ImgBurn 2008-07-11 04:51 --------- d-----w C:\Program Files\ImgBurn 2008-06-30 02:37 --------- d-----w C:\Program Files\SUPERAntiSpyware 2008-06-28 22:02 --------- d-----w C:\Program Files\Common Files\Adobe 2008-06-21 20:26 --------- d-----w C:\Documents and Settings\ronnie bradford\Application Data\Blackberry Desktop 2008-06-21 20:17 --------- d-----w C:\Documents and Settings\ronnie bradford\Application Data\Research In Motion 2008-06-21 19:24 --------- d-----w C:\Program Files\Common Files\Research In Motion 2008-06-21 19:23 --------- d-----w C:\Program Files\Research In Motion 2008-06-13 20:15 91,376 ----a-w C:\WINDOWS\system32\isafprod.dll 2005-05-15 02:10 0 ---ha-w C:\Documents and Settings\Zachary\hpothb07.dat 2004-05-03 14:32 0 ---ha-w C:\Documents and Settings\ronnie bradford\hpothb07.dat . 
------- Sigcheck ------- 2004-08-04 01:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\ServicePackFiles\i386\svchost.exe md5deep: C:\WINDOWS\system32\svchost.exe: error at offset 0: Permission denied 2004-08-04 01:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe md5deep: C:\WINDOWS\system32\winlogon.exe: error at offset 0: Permission denied md5deep: C:\WINDOWS\explorer.exe: error at offset 0: Permission denied 2004-08-04 01:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\ServicePackFiles\i386\explorer.exe 2004-08-04 01:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\ServicePackFiles\i386\services.exe md5deep: C:\WINDOWS\system32\services.exe: error at offset 0: Permission denied 2004-08-04 01:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\ServicePackFiles\i386\lsass.exe md5deep: C:\WINDOWS\system32\lsass.exe: error at offset 0: Permission denied 2004-08-04 01:56 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe md5deep: C:\WINDOWS\system32\spoolsv.exe: error at offset 0: Permission denied . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360] "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-06-29 21:37 1506544] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-07-30 17:29 181488] "CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [2008-06-13 15:15 234736] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54 282624] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-01-31 20:39:12 110592] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoDevMgrUpdate"= 1 (0x1) [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-06-29 21:37 77824] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] "NSsbdPDcr"= {5B7790D4-F1DD-3A7E-476E-75E87751CB3C} - C:\WINDOWS\system32\mhgcb.dll [2004-08-04 01:56 32768] [HKEY |