Doggone it. [RESOLVED]

Need a geek? Geeks to Go offers free, quality tech support -- in terms anyone can understand. Volunteers are waiting to help, friendly, technology experts who have knowledge to share, and enjoy helping others. Feel free to browse the site as a guest. However, you must log in to reply to existing topics, or to start a new topic. Other benefits of joining include richer forum features, and removal of all advertising. Learn more in our Welcome Guide Infected? Malware and Spyware Cleaning Guide. What are you waiting for? Click here to join for free today!

> Geeks to Go! » Security » Virus, Spyware and Trojan Removal

2 Pages

1 2 >

Doggone it. [RESOLVED]

Options

MISTERSTALKER View Member Profile	May 12 2008, 07:43 PM Post #1
Member Posts: 62 OS: XP	Hi. I downloaded and ran an .exe file that seemed to be an innocent video codec download. It turned out to be a virus. I have a feeling it messed with a bunch of my windows configurations and registry stuff. For one, it disabled task manager and (i think) explorer.exe. I was able to enable task manager before the virus kicked in entirely. (whew.) well here's the hijackthis log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 6:43:04 PM, on 5/12/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\DOCUME~1\DAVIDL~1\LOCALS~1\TEMP\_VWUPSRV.EXE C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\WINDOWS\system32\taskmgr.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\wuauclt.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file) O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: pvnsmfor - {5AC18EE0-E9B2-428D-844F-6D3EEA227215} - C:\WINDOWS\pvnsmfor.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp O4 - HKCU\..\Run: [InstallProgram] C:\DOCUME~1\DAVIDL~1\LOCALS~1\Temp\setup_526_1_.exe O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user') O4 - Startup: 4t Tray Minimizer.lnk = C:\Program Files\4t Tray Minimizer\4t-min.exe O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...arch.jhtml?p=ZK O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\David Lim\My Documents\FORBIDDEN UNTIL FEBRUARY 29th\Program Files\AIM\aim.exe (file missing) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: http://.gunbound.net O15 - Trusted Zone: http://.nprotect.net O15 - Trusted Zone: http://.softnyx.net O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633 O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.runaware.com/dolphin/wficat.cab O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://s.nx.com/activex/public_new/nxpm.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {340CCF52-D65F-4A11-80B3-13DC23697B59} (BugsInstall Control) - http://player.bugs.co.kr/install/BugsInstall_2005_11_06.cab O16 - DPF: {3942BD43-B5CE-465F-9AC3-16BA93994273} (DosirakControl Control) - http://kt68kmssdn.dosirak.com/Commons/Acti...irakControl.ocx O16 - DPF: {3EFC2239-B769-469F-A5E6-38693AE0B9DE} (Sysinfo2 Control) - http://speed.nca.or.kr/login/sysinfo2.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...72/mcinsctl.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab O16 - DPF: {5DAEF053-DEF0-4752-A963-CCE9B49B0B79} (Gogs Class) - http://app.ipop.co.kr/gogsweb/gogsweb.cab O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownlo...Plugin11USA.cab O16 - DPF: {6F4863C1-482C-4744-8946-4AEA34DF1A16} (FreechalOn Class) - http://login.freechal.com/freechalon/FcOnCtl12.cab O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9_1/dmcc2.cab O16 - DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} (MagicLockOCX Control) - http://www.diodeo.com/MagicLockOCX.cab O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/XTools.cab O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab O16 - DPF: {AD08A7E2-BA60-4733-92E3-A7AA0C0A39E2} (butterple Control) - http://blogfile.paran.com/BLOG_178551/2005..._butterplay.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab O16 - DPF: {BC5E698E-77CF-45EF-80A3-090A4B6AAF83} (HGPlugin8USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin8USA.cab O16 - DPF: {BCA935CA-7E41-4F73-BA9C-FAB4393DBAC0} (MADanalCtrl Control) - http://www.csafer.net/ActiveX/MAStreamCtrl.cab O16 - DPF: {BCEF5CDE-BAD4-4532-A30B-9D16D502DE69} (BugsInstallEx Control) - http://install.bugs.co.kr/install/BugsInstallerEx.cab O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.co.kr/install/BugsLoader20041018.cab O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1008 Class) - http://hompy.hangame.com/common/HanSetup1008.cab O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/gamedownlo...Plugin10USA.cab O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL O21 - SSODL: vbksrofa - {45497C51-974C-41A6-8D5C-3A996DB0C2C7} - C:\WINDOWS\vbksrofa.dll O21 - SSODL: mpfanvqg - {9BADAECB-83B2-4EED-AFC4-EF9D3B2F57A2} - C:\WINDOWS\mpfanvqg.dll O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: AntiVir Update Temp (TmpUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\DOCUME~1\DAVIDL~1\LOCALS~1\TEMP\_VWUPSRV.EXE O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe -- End of file - 11811 bytes Thank you in advance! This post has been edited by MISTERSTALKER*: May 12 2008, 08:39 PM

Rorschach112 View Member Profile	May 13 2008, 06:15 AM Post #2
GeekU Teacher Posts: 34,385 From: Dublin OS: XP	Hello Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding. Download SDFix and save it to your Desktop. Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix) Please then reboot your computer in Safe Mode by doing the following : Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; Instead of Windows loading as normal, the Advanced Options Menu should appear; Select the first option, to run Windows in Safe Mode, then press Enter. Choose your usual account. Open the extracted SDFix folder and double click RunThis.bat to start the script. Type Y to begin the cleanup process. It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot. Press any Key and it will restart the PC. When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons. Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum). Finally paste the contents of the Report.txt back on the forum. Please download Deckard's System Scanner (DSS) and save it to your Desktop. Close all other windows before proceeding. Double-click on dss.exe and follow the prompts. If your anti-virus or firewall complains, please allow this script to run as it is not malicious. When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

MISTERSTALKER View Member Profile	May 13 2008, 05:22 PM Post #3
Member Posts: 62 OS: XP	I ran SDFix as you said, but my desktop icons didn't appear. Still using task manager to run programs and such xP Below is the report. SDFix: Version 1.182 Run by Administrator on Tue 05/13/2008 at 03:46 PM Microsoft Windows XP [Version 5.1.2600] Running From: C:\SDFix Checking Services : Restoring Windows Registry Values Restoring Windows Default Hosts File Restoring Default HomePage Value Restoring Default Desktop Components Value Rebooting Checking Files : Trojan Files Found: C:\WINDOWS\SYSTEM32\ADDAA.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDAU32.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDBH.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDBI.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDBK32.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDBW32.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDCE.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDCK.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDCS32.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDDC32.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDEA32.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDED32.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDEE32.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDEZ32.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDHF.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDIP.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDJM32.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDJT32.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDKD32.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDKG32.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDKI32.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDKT32.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDMJ.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDMP32.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDMV32.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDMZ.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDND.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDNH.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDNJ32.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDNZ32.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDPI.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDQA32.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDQP.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDQR.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDQR32.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDRA.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDRK32.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDRP.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDSG32.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDSJ.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDSQ32.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDSY32.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDTD32.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDTG32.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDTN32.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDUD.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDVB32.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDVC.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDVF32.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDVV32.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDVZ32.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDWF32.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDWX.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDXO32.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDYA.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDYD32.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDYH.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDZN.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDZN32.EXE - Deleted C:\WINDOWS\SYSTEM32\ADDZQ32.EXE - Deleted C:\WINDOWS\SYSTEM32\APIAP.EXE - Deleted C:\WINDOWS\SYSTEM32\APIBP.EXE - Deleted C:\WINDOWS\SYSTEM32\APIBU32.EXE - Deleted C:\WINDOWS\SYSTEM32\APICS32.EXE - Deleted C:\WINDOWS\SYSTEM32\APICW32.EXE - Deleted C:\WINDOWS\SYSTEM32\APIDD32.EXE - Deleted C:\WINDOWS\SYSTEM32\APIDJ32.EXE - Deleted C:\WINDOWS\SYSTEM32\APIEH32.EXE - Deleted C:\WINDOWS\SYSTEM32\APIEO.EXE - Deleted C:\WINDOWS\SYSTEM32\APIFF.EXE - Deleted C:\WINDOWS\SYSTEM32\APIFH32.EXE - Deleted C:\WINDOWS\SYSTEM32\APIFN.EXE - Deleted C:\WINDOWS\SYSTEM32\APIFQ.EXE - Deleted C:\WINDOWS\SYSTEM32\APIGJ32.EXE - Deleted C:\WINDOWS\SYSTEM32\APIGO.EXE - Deleted C:\WINDOWS\SYSTEM32\APIGZ.EXE - Deleted C:\WINDOWS\SYSTEM32\APIHS.EXE - Deleted C:\WINDOWS\SYSTEM32\APIHT32.EXE - Deleted C:\WINDOWS\SYSTEM32\APIIE.EXE - Deleted C:\WINDOWS\SYSTEM32\APIKJ32.EXE - Deleted C:\WINDOWS\SYSTEM32\APILC.EXE - Deleted C:\WINDOWS\SYSTEM32\APILO.EXE - Deleted C:\WINDOWS\SYSTEM32\APIMC32.EXE - Deleted C:\WINDOWS\SYSTEM32\APIMG.EXE - Deleted C:\WINDOWS\SYSTEM32\APIMJ.EXE - Deleted C:\WINDOWS\SYSTEM32\APIMQ32.EXE - Deleted C:\WINDOWS\SYSTEM32\APIMS32.EXE - Deleted C:\WINDOWS\SYSTEM32\APIMY.EXE - Deleted C:\WINDOWS\SYSTEM32\APINP.EXE - Deleted C:\WINDOWS\SYSTEM32\APINY32.EXE - Deleted C:\WINDOWS\SYSTEM32\APIOD32.EXE - Deleted C:\WINDOWS\SYSTEM32\APIOQ.EXE - Deleted C:\WINDOWS\SYSTEM32\APIOW32.EXE - Deleted C:\WINDOWS\SYSTEM32\APIPA32.EXE - Deleted C:\WINDOWS\SYSTEM32\APIPF32.EXE - Deleted C:\WINDOWS\SYSTEM32\APIPI.EXE - Deleted C:\WINDOWS\SYSTEM32\APIPV32.EXE - Deleted C:\WINDOWS\SYSTEM32\APIQR.EXE - Deleted C:\WINDOWS\SYSTEM32\APIQR32.EXE - Deleted C:\WINDOWS\SYSTEM32\APIQX.EXE - Deleted C:\WINDOWS\SYSTEM32\APIRA.EXE - Deleted C:\WINDOWS\SYSTEM32\APIRG32.EXE - Deleted C:\WINDOWS\SYSTEM32\APIRX32.EXE - Deleted C:\WINDOWS\SYSTEM32\APISL32.EXE - Deleted C:\WINDOWS\SYSTEM32\APIST.EXE - Deleted C:\WINDOWS\SYSTEM32\APITF.EXE - Deleted C:\WINDOWS\SYSTEM32\APITS32.EXE - Deleted C:\WINDOWS\SYSTEM32\APIUA.EXE - Deleted C:\WINDOWS\SYSTEM32\APIUC32.EXE - Deleted C:\WINDOWS\SYSTEM32\APIUI32.EXE - Deleted C:\WINDOWS\SYSTEM32\APIVK32.EXE - Deleted C:\WINDOWS\SYSTEM32\APIVN32.EXE - Deleted C:\WINDOWS\SYSTEM32\APIWE32.EXE - Deleted C:\WINDOWS\SYSTEM32\APIXC32.EXE - Deleted C:\WINDOWS\SYSTEM32\APIXE.EXE - Deleted C:\WINDOWS\SYSTEM32\APIXV.EXE - Deleted C:\WINDOWS\SYSTEM32\APIYC.EXE - Deleted C:\WINDOWS\SYSTEM32\APIYM32.EXE - Deleted C:\WINDOWS\SYSTEM32\APIZC32.EXE - Deleted C:\WINDOWS\SYSTEM32\APIZI.EXE - Deleted C:\WINDOWS\SYSTEM32\APIZI32.EXE - Deleted C:\WINDOWS\SYSTEM32\APIZJ.EXE - Deleted C:\WINDOWS\SYSTEM32\APIZR32.EXE - Deleted C:\WINDOWS\SYSTEM32\APIZY.EXE - Deleted C:\WINDOWS\SYSTEM32\APPAJ32.EXE - Deleted C:\WINDOWS\SYSTEM32\APPAX.EXE - Deleted C:\WINDOWS\SYSTEM32\APPBE.EXE - Deleted C:\WINDOWS\SYSTEM32\APPCH.EXE - Deleted C:\WINDOWS\SYSTEM32\APPDN32.EXE - Deleted C:\WINDOWS\SYSTEM32\APPDR32.EXE - Deleted C:\WINDOWS\SYSTEM32\APPEB32.EXE - Deleted C:\WINDOWS\SYSTEM32\APPET32.EXE - Deleted C:\WINDOWS\SYSTEM32\APPEU.EXE - Deleted C:\WINDOWS\SYSTEM32\APPFC32.EXE - Deleted C:\WINDOWS\SYSTEM32\APPFF32.EXE - Deleted C:\WINDOWS\SYSTEM32\APPGF32.EXE - Deleted C:\WINDOWS\SYSTEM32\APPGK32.EXE - Deleted C:\WINDOWS\SYSTEM32\APPGL.EXE - Deleted C:\WINDOWS\SYSTEM32\APPHD32.EXE - Deleted C:\WINDOWS\SYSTEM32\APPHF.EXE - Deleted C:\WINDOWS\SYSTEM32\APPHM32.EXE - Deleted C:\WINDOWS\SYSTEM32\APPHY.EXE - Deleted C:\WINDOWS\SYSTEM32\APPII32.EXE - Deleted C:\WINDOWS\SYSTEM32\APPIJ.EXE - Deleted C:\WINDOWS\SYSTEM32\APPIU32.EXE - Deleted C:\WINDOWS\SYSTEM32\APPKL.EXE - Deleted C:\WINDOWS\SYSTEM32\APPLA.EXE - Deleted C:\WINDOWS\SYSTEM32\APPMD32.EXE - Deleted C:\WINDOWS\SYSTEM32\APPMF.EXE - Deleted C:\WINDOWS\SYSTEM32\APPMY.EXE - Deleted C:\WINDOWS\SYSTEM32\APPNK.EXE - Deleted C:\WINDOWS\SYSTEM32\APPNM32.EXE - Deleted C:\WINDOWS\SYSTEM32\APPNW.EXE - Deleted C:\WINDOWS\SYSTEM32\APPOU32.EXE - Deleted C:\WINDOWS\SYSTEM32\APPOV.EXE - Deleted C:\WINDOWS\SYSTEM32\APPQB.EXE - Deleted C:\WINDOWS\SYSTEM32\APPSD32.EXE - Deleted C:\WINDOWS\SYSTEM32\APPSG32.EXE - Deleted C:\WINDOWS\SYSTEM32\APPSQ32.EXE - Deleted C:\WINDOWS\SYSTEM32\APPSX.EXE - Deleted C:\WINDOWS\SYSTEM32\APPTD.EXE - Deleted C:\WINDOWS\SYSTEM32\APPTJ.EXE - Deleted C:\WINDOWS\SYSTEM32\APPTJ32.EXE - Deleted C:\WINDOWS\SYSTEM32\APPTY32.EXE - Deleted C:\WINDOWS\SYSTEM32\APPVG32.EXE - Deleted C:\WINDOWS\SYSTEM32\APPWV.EXE - Deleted C:\WINDOWS\SYSTEM32\APPXQ.EXE - Deleted C:\WINDOWS\SYSTEM32\APPXQ32.EXE - Deleted C:\WINDOWS\SYSTEM32\APPZX32.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLAZ32.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLBE32.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLBI32.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLBL.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLBP32.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLDU32.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLDW32.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLEA.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLEG32.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLEH32.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLFE.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLFG32.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLFJ.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLGC32.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLGG.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLGY.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLHC.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLHF32.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLHK32.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLIB.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLJQ.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLKS.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLLN32.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLLX32.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLMB.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLMR.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLMZ32.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLNQ32.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLOG.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLPB.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLPD32.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLSF.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLSN32.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLSP.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLSS32.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLTI32.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLUK32.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLUN32.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLVC32.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLVJ32.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLWE.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLWG32.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLWO.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLXA.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLYH32.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLYP32.EXE - Deleted C:\WINDOWS\SYSTEM32\CRAM.EXE - Deleted C:\WINDOWS\SYSTEM32\CRAX32.EXE - Deleted C:\WINDOWS\SYSTEM32\CRAY32.EXE - Deleted C:\WINDOWS\SYSTEM32\CRBS.EXE - Deleted C:\WINDOWS\SYSTEM32\CRBS32.EXE - Deleted C:\WINDOWS\SYSTEM32\CRCF32.EXE - Deleted C:\WINDOWS\SYSTEM32\CRCO.EXE - Deleted C:\WINDOWS\SYSTEM32\CRCO32.EXE - Deleted C:\WINDOWS\SYSTEM32\CRCT32.EXE - Deleted C:\WINDOWS\SYSTEM32\CRCZ32.EXE - Deleted C:\WINDOWS\SYSTEM32\CRDC32.EXE - Deleted C:\WINDOWS\SYSTEM32\CRDH.EXE - Deleted C:\WINDOWS\SYSTEM32\CREJ32.EXE - Deleted C:\WINDOWS\SYSTEM32\CREP32.EXE - Deleted C:\WINDOWS\SYSTEM32\CREQ32.EXE - Deleted C:\WINDOWS\SYSTEM32\CREW.EXE - Deleted C:\WINDOWS\SYSTEM32\CRFI.EXE - Deleted C:\WINDOWS\SYSTEM32\CRFN32.EXE - Deleted C:\WINDOWS\SYSTEM32\CRFR.EXE - Deleted C:\WINDOWS\SYSTEM32\CRGD.EXE - Deleted C:\WINDOWS\SYSTEM32\CRGL32.EXE - Deleted C:\WINDOWS\SYSTEM32\CRHF.EXE - Deleted C:\WINDOWS\SYSTEM32\CRHV.EXE - Deleted C:\WINDOWS\SYSTEM32\CRIX.EXE - Deleted C:\WINDOWS\SYSTEM32\CRJD.EXE - Deleted C:\WINDOWS\SYSTEM32\CRJF32.EXE - Deleted C:\WINDOWS\SYSTEM32\CRJH32.EXE - Deleted C:\WINDOWS\SYSTEM32\CRJO32.EXE - Deleted C:\WINDOWS\SYSTEM32\CRJU32.EXE - Deleted C:\WINDOWS\SYSTEM32\CRJV32.EXE - Deleted C:\WINDOWS\SYSTEM32\CRJX.EXE - Deleted C:\WINDOWS\SYSTEM32\CRKD32.EXE - Deleted C:\WINDOWS\SYSTEM32\CRKY32.EXE - Deleted C:\WINDOWS\SYSTEM32\CRLT.EXE - Deleted C:\WINDOWS\SYSTEM32\CRLX.EXE - Deleted C:\WINDOWS\SYSTEM32\CRLZ.EXE - Deleted C:\WINDOWS\SYSTEM32\CRME32.EXE - Deleted C:\WINDOWS\SYSTEM32\CRMM.EXE - Deleted C:\WINDOWS\SYSTEM32\CRNL32.EXE - Deleted C:\WINDOWS\SYSTEM32\CRNM32.EXE - Deleted C:\WINDOWS\SYSTEM32\CROL32.EXE - Deleted C:\WINDOWS\SYSTEM32\CROP.EXE - Deleted C:\WINDOWS\SYSTEM32\CRPC.EXE - Deleted C:\WINDOWS\SYSTEM32\CRPO32.EXE - Deleted C:\WINDOWS\SYSTEM32\CRPU.EXE - Deleted C:\WINDOWS\SYSTEM32\CRPZ32.EXE - Deleted C:\WINDOWS\SYSTEM32\CRQB32.EXE - Deleted C:\WINDOWS\SYSTEM32\CRQC.EXE - Deleted C:\WINDOWS\SYSTEM32\CRRD.EXE - Deleted C:\WINDOWS\SYSTEM32\CRRE32.EXE - Deleted C:\WINDOWS\SYSTEM32\CRRL32.EXE - Deleted C:\WINDOWS\SYSTEM32\CRRT32.EXE - Deleted C:\WINDOWS\SYSTEM32\CRSY32.EXE - Deleted C:\WINDOWS\SYSTEM32\CRTZ32.EXE - Deleted C:\WINDOWS\SYSTEM32\CRUB32.EXE - Deleted C:\WINDOWS\SYSTEM32\CRUD.EXE - Deleted C:\WINDOWS\SYSTEM32\CRUI.EXE - Deleted C:\WINDOWS\SYSTEM32\CRUP.EXE - Deleted C:\WINDOWS\SYSTEM32\CRVG.EXE - Deleted C:\WINDOWS\SYSTEM32\CRVM.EXE - Deleted C:\WINDOWS\SYSTEM32\CRVZ32.EXE - Deleted C:\WINDOWS\SYSTEM32\CRWG32.EXE - Deleted C:\WINDOWS\SYSTEM32\CRWU.EXE - Deleted C:\WINDOWS\SYSTEM32\CRXO.EXE - Deleted C:\WINDOWS\SYSTEM32\CRYA.EXE - Deleted C:\WINDOWS\SYSTEM32\CRYC.EXE - Deleted C:\WINDOWS\SYSTEM32\CRYG.EXE - Deleted C:\WINDOWS\SYSTEM32\CRYH32.EXE - Deleted C:\WINDOWS\SYSTEM32\CRYY32.EXE - Deleted C:\WINDOWS\SYSTEM32\CRZD32.EXE - Deleted C:\WINDOWS\SYSTEM32\CRZF32.EXE - Deleted C:\WINDOWS\SYSTEM32\CRZN.EXE - Deleted C:\WINDOWS\SYSTEM32\D3AE32.EXE - Deleted C:\WINDOWS\SYSTEM32\D3AI.EXE - Deleted C:\WINDOWS\SYSTEM32\D3BJ.EXE - Deleted C:\WINDOWS\SYSTEM32\D3BQ32.EXE - Deleted C:\WINDOWS\SYSTEM32\D3BS32.EXE - Deleted C:\WINDOWS\SYSTEM32\D3CX32.EXE - Deleted C:\WINDOWS\SYSTEM32\D3CY.EXE - Deleted C:\WINDOWS\SYSTEM32\D3DZ32.EXE - Deleted C:\WINDOWS\SYSTEM32\D3ED32.EXE - Deleted C:\WINDOWS\SYSTEM32\D3EO.EXE - Deleted C:\WINDOWS\SYSTEM32\D3EU.EXE - Deleted C:\WINDOWS\SYSTEM32\D3FN.EXE - Deleted C:\WINDOWS\SYSTEM32\D3GG.EXE - Deleted C:\WINDOWS\SYSTEM32\D3GM.EXE - Deleted C:\WINDOWS\SYSTEM32\D3HQ.EXE - Deleted C:\WINDOWS\SYSTEM32\D3IK.EXE - Deleted C:\WINDOWS\SYSTEM32\D3IL32.EXE - Deleted C:\WINDOWS\SYSTEM32\D3IM.EXE - Deleted C:\WINDOWS\SYSTEM32\D3IQ32.EXE - Deleted C:\WINDOWS\SYSTEM32\D3JA.EXE - Deleted C:\WINDOWS\SYSTEM32\D3JI.EXE - Deleted C:\WINDOWS\SYSTEM32\D3JN.EXE - Deleted C:\WINDOWS\SYSTEM32\D3JR32.EXE - Deleted C:\WINDOWS\SYSTEM32\D3JV32.EXE - Deleted C:\WINDOWS\SYSTEM32\D3KB.EXE - Deleted C:\WINDOWS\SYSTEM32\D3LA32.EXE - Deleted C:\WINDOWS\SYSTEM32\D3LK32.EXE - Deleted C:\WINDOWS\SYSTEM32\D3LL32.EXE - Deleted C:\WINDOWS\SYSTEM32\D3MC.EXE - Deleted C:\WINDOWS\SYSTEM32\D3MM32.EXE - Deleted C:\WINDOWS\SYSTEM32\D3MX32.EXE - Deleted C:\WINDOWS\SYSTEM32\D3NK.EXE - Deleted C:\WINDOWS\SYSTEM32\D3NV32.EXE - Deleted C:\WINDOWS\SYSTEM32\D3NY.EXE - Deleted C:\WINDOWS\SYSTEM32\D3OA32.EXE - Deleted C:\WINDOWS\SYSTEM32\D3OL.EXE - Deleted C:\WINDOWS\SYSTEM32\D3PN32.EXE - Deleted C:\WINDOWS\SYSTEM32\D3PT32.EXE - Deleted C:\WINDOWS\SYSTEM32\D3QA32.EXE - Deleted C:\WINDOWS\SYSTEM32\D3QE32.EXE - Deleted C:\WINDOWS\SYSTEM32\D3RI.EXE - Deleted C:\WINDOWS\SYSTEM32\D3RU32.EXE - Deleted C:\WINDOWS\SYSTEM32\D3SJ.EXE - Deleted C:\WINDOWS\SYSTEM32\D3SU32.EXE - Deleted C:\WINDOWS\SYSTEM32\D3TG.EXE - Deleted C:\WINDOWS\SYSTEM32\D3TP.EXE - Deleted C:\WINDOWS\SYSTEM32\D3TT32.EXE - Deleted C:\WINDOWS\SYSTEM32\D3TY.EXE - Deleted C:\WINDOWS\SYSTEM32\D3UC.EXE - Deleted C:\WINDOWS\SYSTEM32\D3VE32.EXE - Deleted C:\WINDOWS\SYSTEM32\D3VL.EXE - Deleted C:\WINDOWS\SYSTEM32\D3VL32.EXE - Deleted C:\WINDOWS\SYSTEM32\D3WU.EXE - Deleted C:\WINDOWS\SYSTEM32\D3XG.EXE - Deleted C:\WINDOWS\SYSTEM32\D3XI32.EXE - Deleted C:\WINDOWS\SYSTEM32\D3XJ32.EXE - Deleted C:\WINDOWS\SYSTEM32\D3XP.EXE - Deleted C:\WINDOWS\SYSTEM32\D3YG32.EXE - Deleted C:\WINDOWS\SYSTEM32\D3YI32.EXE - Deleted C:\WINDOWS\SYSTEM32\D3YK32.EXE - Deleted C:\WINDOWS\SYSTEM32\D3ZI.EXE - Deleted C:\WINDOWS\SYSTEM32\D3ZJ32.EXE - Deleted C:\WINDOWS\SYSTEM32\IEAE.EXE - Deleted C:\WINDOWS\SYSTEM32\IEAF32.EXE - Deleted C:\WINDOWS\SYSTEM32\IEAR.EXE - Deleted C:\WINDOWS\SYSTEM32\IEAZ.EXE - Deleted C:\WINDOWS\SYSTEM32\IEBI.EXE - Deleted C:\WINDOWS\SYSTEM32\IECE.EXE - Deleted C:\WINDOWS\SYSTEM32\IECW.EXE - Deleted C:\WINDOWS\SYSTEM32\IECW32.EXE - Deleted C:\WINDOWS\SYSTEM32\IEDC32.EXE - Deleted C:\WINDOWS\SYSTEM32\IEDF32.EXE - Deleted C:\WINDOWS\SYSTEM32\IEDG.EXE - Deleted C:\WINDOWS\SYSTEM32\IEDX.EXE - Deleted C:\WINDOWS\SYSTEM32\IEEP.EXE - Deleted C:\WINDOWS\SYSTEM32\IEEP32.EXE - Deleted C:\WINDOWS\SYSTEM32\IEER.EXE - Deleted C:\WINDOWS\SYSTEM32\IEET.EXE - Deleted C:\WINDOWS\SYSTEM32\IEFN32.EXE - Deleted C:\WINDOWS\SYSTEM32\IEGB.EXE - Deleted C:\WINDOWS\SYSTEM32\IEGE.EXE - Deleted C:\WINDOWS\SYSTEM32\IEGL.EXE - Deleted C:\WINDOWS\SYSTEM32\IEGY32.EXE - Deleted C:\WINDOWS\SYSTEM32\IEHT.EXE - Deleted C:\WINDOWS\SYSTEM32\IEHW32.EXE - Deleted C:\WINDOWS\SYSTEM32\IEHX.EXE - Deleted C:\WINDOWS\SYSTEM32\IEIO.EXE - Deleted C:\WINDOWS\SYSTEM32\IEIT32.EXE - Deleted C:\WINDOWS\SYSTEM32\IEJL.EXE - Deleted C:\WINDOWS\SYSTEM32\IEJQ32.EXE - Deleted C:\WINDOWS\SYSTEM32\IEKI32.EXE - Deleted C:\WINDOWS\SYSTEM32\IEKZ.EXE - Deleted C:\WINDOWS\SYSTEM32\IELL.EXE - Deleted C:\WINDOWS\SYSTEM32\IEMW.EXE - Deleted C:\WINDOWS\SYSTEM32\IEND.EXE - Deleted C:\WINDOWS\SYSTEM32\IENE32.EXE - Deleted C:\WINDOWS\SYSTEM32\IENW.EXE - Deleted C:\WINDOWS\SYSTEM32\IEOE.EXE - Deleted C:\WINDOWS\SYSTEM32\IEOF.EXE - Deleted C:\WINDOWS\SYSTEM32\IEOM32.EXE - Deleted C:\WINDOWS\SYSTEM32\IEOS32.EXE - Deleted C:\WINDOWS\SYSTEM32\IEOX.EXE - Deleted C:\WINDOWS\SYSTEM32\IEOZ.EXE - Deleted C:\WINDOWS\SYSTEM32\IEPR32.EXE - Deleted C:\WINDOWS\SYSTEM32\IEQE32.EXE - Deleted C:\WINDOWS\SYSTEM32\IEQS32.EXE - Deleted C:\WINDOWS\SYSTEM32\IESD32.EXE - Deleted C:\WINDOWS\SYSTEM32\IESM32.EXE - Deleted C:\WINDOWS\SYSTEM32\IESQ32.EXE - Deleted C:\WINDOWS\SYSTEM32\IETP.EXE - Deleted C:\WINDOWS\SYSTEM32\IETS32.EXE - Deleted C:\WINDOWS\SYSTEM32\IETZ.EXE - Deleted C:\WINDOWS\SYSTEM32\IEUO32.EXE - Deleted C:\WINDOWS\SYSTEM32\IEUZ32.EXE - Deleted C:\WINDOWS\SYSTEM32\IEWA.EXE - Deleted C:\WINDOWS\SYSTEM32\IEWD32.EXE - Deleted C:\WINDOWS\SYSTEM32\IEWR32.EXE - Deleted C:\WINDOWS\SYSTEM32\IEWW.EXE - Deleted C:\WINDOWS\SYSTEM32\IEWZ.EXE - Deleted C:\WINDOWS\SYSTEM32\IEXK.EXE - Deleted C:\WINDOWS\SYSTEM32\IEZH.EXE - Deleted C:\WINDOWS\SYSTEM32\IEZJ.EXE - Deleted C:\WINDOWS\SYSTEM32\IEZO.EXE - Deleted C:\WINDOWS\SYSTEM32\IEZO32.EXE - Deleted C:\WINDOWS\SYSTEM32\IEZQ.EXE - Deleted C:\WINDOWS\SYSTEM32\IEZV32.EXE - Deleted C:\WINDOWS\SYSTEM32\IPAH32.EXE - Deleted C:\WINDOWS\SYSTEM32\IPAR.EXE - Deleted C:\WINDOWS\SYSTEM32\IPCA32.EXE - Deleted C:\WINDOWS\SYSTEM32\IPCM32.EXE - Deleted C:\WINDOWS\SYSTEM32\IPCO.EXE - Deleted C:\WINDOWS\SYSTEM32\IPCX32.EXE - Deleted C:\WINDOWS\SYSTEM32\IPDU32.EXE - Deleted C:\WINDOWS\SYSTEM32\IPDX.EXE - Deleted C:\WINDOWS\SYSTEM32\IPEB.EXE - Deleted C:\WINDOWS\SYSTEM32\IPEC32.EXE - Deleted C:\WINDOWS\SYSTEM32\IPEO.EXE - Deleted C:\WINDOWS\SYSTEM32\IPFQ.EXE - Deleted C:\WINDOWS\SYSTEM32\IPFS32.EXE - Deleted C:\WINDOWS\SYSTEM32\IPFZ32.EXE - Deleted C:\WINDOWS\SYSTEM32\IPGK.EXE - Deleted C:\WINDOWS\SYSTEM32\IPGR.EXE - Deleted C:\WINDOWS\SYSTEM32\IPHC32.EXE - Deleted C:\WINDOWS\SYSTEM32\IPHO.EXE - Deleted C:\WINDOWS\SYSTEM32\IPHS32.EXE - Deleted C:\WINDOWS\SYSTEM32\IPIE32.EXE - Deleted C:\WINDOWS\SYSTEM32\IPIG.EXE - Deleted C:\WINDOWS\SYSTEM32\IPIM.EXE - Deleted C:\WINDOWS\SYSTEM32\IPIN.EXE - Deleted C:\WINDOWS\SYSTEM32\IPIO32.EXE - Deleted C:\WINDOWS\SYSTEM32\IPIQ32.EXE - Deleted C:\WINDOWS\SYSTEM32\IPIR.EXE - Deleted C:\WINDOWS\SYSTEM32\IPIV.EXE - Deleted C:\WINDOWS\SYSTEM32\IPJB32.EXE - Deleted C:\WINDOWS\SYSTEM32\IPJO32.EXE - Deleted C:\WINDOWS\SYSTEM32\IPJZ32.EXE - Deleted C:\WINDOWS\SYSTEM32\IPKU32.EXE - Deleted C:\WINDOWS\SYSTEM32\IPKW.EXE - Deleted C:\WINDOWS\SYSTEM32\IPLQ.EXE - Deleted C:\WINDOWS\SYSTEM32\IPLU.EXE - Deleted C:\WINDOWS\SYSTEM32\IPMU32.EXE - Deleted C:\WINDOWS\SYSTEM32\IPMX32.EXE - Deleted C:\WINDOWS\SYSTEM32\IPNM32.EXE - Deleted C:\WINDOWS\SYSTEM32\IPNO.EXE - Deleted C:\WINDOWS\SYSTEM32\IPNW32.EXE - Deleted C:\WINDOWS\SYSTEM32\IPOQ32.EXE - Deleted C:\WINDOWS\SYSTEM32\IPOU.EXE - Deleted C:\WINDOWS\SYSTEM32\IPPB.EXE - Deleted C:\WINDOWS\SYSTEM32\IPPI.EXE - Deleted C:\WINDOWS\SYSTEM32\IPPQ32.EXE - Deleted C:\WINDOWS\SYSTEM32\IPPV.EXE - Deleted C:\WINDOWS\SYSTEM32\IPQI32.EXE - Deleted C:\WINDOWS\SYSTEM32\IPQK32.EXE - Deleted C:\WINDOWS\SYSTEM32\IPQY.EXE - Deleted C:\WINDOWS\SYSTEM32\IPRA.EXE - Deleted C:\WINDOWS\SYSTEM32\IPTP.EXE - Deleted C:\WINDOWS\SYSTEM32\IPTR.EXE - Deleted C:\WINDOWS\SYSTEM32\IPUT.EXE - Deleted C:\WINDOWS\SYSTEM32\IPUX.EXE - Deleted C:\WINDOWS\SYSTEM32\IPUY.EXE - Deleted C:\WINDOWS\SYSTEM32\IPVC.EXE - Deleted C:\WINDOWS\SYSTEM32\IPVM32.EXE - Deleted C:\WINDOWS\SYSTEM32\IPVW32.EXE - Deleted C:\WINDOWS\SYSTEM32\IPVY32.EXE - Deleted C:\WINDOWS\SYSTEM32\IPWH32.EXE - Deleted C:\WINDOWS\SYSTEM32\IPWU32.EXE - Deleted C:\WINDOWS\SYSTEM32\IPXN.EXE - Deleted C:\WINDOWS\SYSTEM32\IPXO32.EXE - Deleted C:\WINDOWS\SYSTEM32\IPYD.EXE - Deleted C:\WINDOWS\SYSTEM32\IPYH.EXE - Deleted C:\WINDOWS\SYSTEM32\IPYJ.EXE - Deleted C:\WINDOWS\SYSTEM32\IPYO.EXE - Deleted C:\WINDOWS\SYSTEM32\IPYV32.EXE - Deleted C:\WINDOWS\SYSTEM32\IPZN.EXE - Deleted C:\WINDOWS\SYSTEM32\IPZO32.EXE - Deleted C:\WINDOWS\SYSTEM32\IPZP.EXE - Deleted C:\WINDOWS\SYSTEM32\IPZU.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAAG.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAAI32.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAAL.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAAM32.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAAT32.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAAZ.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVABB32.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVABC32.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVABH32.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVABV32.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVACO32.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVADD32.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVADU.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAFF32.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAFK32.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAFP32.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAFS32.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAGI32.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAHJ.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAHV.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAII32.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAJJ32.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAJM32.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAJS32.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAKE.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAKV.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVALD32.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVALR.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVALV32.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAMF.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAMV.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVANE32.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVANO.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVANX.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAOJ.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAOU32.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAOZ32.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAPD.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAPG32.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAQN32.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAQR32.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVARD32.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVARR32.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVARS32.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVARX32.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVASQ.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVASR.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAUB32.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAUR.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAVC.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAVK32.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAVT.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAWL32.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAWV32.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAWX.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAXF32.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAXU.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAYB32.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAYM32.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAYQ.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAYY32.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAZK32.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAZT32.EXE - Deleted C:\WINDOWS\SYSTEM32\JAVAZX32.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCAA.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCAL.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCBD.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCBZ32.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCCK.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCCN.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCDG.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCED.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCEM32.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCFN.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCGM32.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCGX.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCGY32.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCHG32.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCHR32.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCHZ32.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCII32.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCIQ32.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCIV32.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCJI.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCJS32.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCKE32.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCKJ32.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCLZ.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCMC.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCMK.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCMM32.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCNI.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCNR.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCOM32.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCPJ32.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCQM.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCQV.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCRB.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCRD.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCRF.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCRM.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCRZ32.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCSG.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCSL32.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCSR32.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCST32.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCTB.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCTC.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCVC32.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCVL.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCWI32.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCWV.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCXC32.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCXF.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCXW32.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCXX.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCYR.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCZC32.EXE - Deleted C:\WINDOWS\SYSTEM32\MFCZJ.EXE - Deleted C:\WINDOWS\SYSTEM32\MSAA32.EXE - Deleted C:\WINDOWS\SYSTEM32\MSAN.EXE - Deleted C:\WINDOWS\SYSTEM32\MSAU32.EXE - Deleted C:\WINDOWS\SYSTEM32\MSAZ.EXE - Deleted C:\WINDOWS\SYSTEM32\MSBP.EXE - Deleted C:\WINDOWS\SYSTEM32\MSBV32.EXE - Deleted C:\WINDOWS\SYSTEM32\MSCD.EXE - Deleted C:\WINDOWS\SYSTEM32\MSCE.EXE - Deleted C:\WINDOWS\SYSTEM32\MSCL32.EXE - Deleted C:\WINDOWS\SYSTEM32\MSCM.EXE - Deleted C:\WINDOWS\SYSTEM32\MSDY32.EXE - Deleted C:\WINDOWS\SYSTEM32\MSEI32.EXE - Deleted C:\WINDOWS\SYSTEM32\MSFG32.EXE - Deleted C:\WINDOWS\SYSTEM32\MSGA.EXE - Deleted C:\WINDOWS\SYSTEM32\MSGI32.EXE - Deleted C:\WINDOWS\SYSTEM32\MSGJ.EXE - Deleted C:\WINDOWS\SYSTEM32\MSHB.EXE - Deleted C:\WINDOWS\SYSTEM32\MSHT.EXE - Deleted C:\WINDOWS\SYSTEM32\MSHX32.EXE - Deleted C:\WINDOWS\SYSTEM32\MSID.EXE - Deleted C:\WINDOWS\SYSTEM32\MSIG.EXE - Deleted C:\WINDOWS\SYSTEM32\MSIS32.EXE - Deleted C:\WINDOWS\SYSTEM32\MSJA.EXE - Deleted C:\WINDOWS\SYSTEM32\MSKD.EXE - Deleted C:\WINDOWS\SYSTEM32\MSKE32.EXE - Deleted C:\WINDOWS\SYSTEM32\MSLC32.EXE - Deleted C:\WINDOWS\SYSTEM32\MSME.EXE - Deleted C:\WINDOWS\SYSTEM32\MSMG32.EXE - Deleted C:\WINDOWS\SYSTEM32\MSMV.EXE - Deleted C:\WINDOWS\SYSTEM32\MSMX32.EXE - Deleted C:\WINDOWS\SYSTEM32\MSOJ.EXE - Deleted C:\WINDOWS\SYSTEM32\MSOJ32.EXE - Deleted C:\WINDOWS\SYSTEM32\MSOY32.EXE - Deleted C:\WINDOWS\SYSTEM32\MSPF.EXE - Deleted C:\WINDOWS\SYSTEM32\MSPM32.EXE - Deleted C:\WINDOWS\SYSTEM32\MSPY.EXE - Deleted C:\WINDOWS\SYSTEM32\MSPZ.EXE - Deleted C:\WINDOWS\SYSTEM32\MSQL.EXE - Deleted C:\WINDOWS\SYSTEM32\MSQM32.EXE - Deleted C:\WINDOWS\SYSTEM32\MSQW.EXE - Deleted C:\WINDOWS\SYSTEM32\MSQZ32.EXE - Deleted C:\WINDOWS\SYSTEM32\MSRI.EXE - Deleted C:\WINDOWS\SYSTEM32\MSRJ.EXE - Deleted C:\WINDOWS\SYSTEM32\MSRK32.EXE - Deleted C:\WINDOWS\SYSTEM32\MSRQ.EXE - Deleted C:\WINDOWS\SYSTEM32\MSRT.EXE - Deleted C:\WINDOWS\SYSTEM32\MSRW.EXE - Deleted C:\WINDOWS\SYSTEM32\MSSZ.EXE - Deleted C:\WINDOWS\SYSTEM32\MSTO32.EXE - Deleted C:\WINDOWS\SYSTEM32\MSTZ32.EXE - Deleted C:\WINDOWS\SYSTEM32\MSUT32.EXE - Deleted C:\WINDOWS\SYSTEM32\MSUY.EXE - Deleted C:\WINDOWS\SYSTEM32\MSVT.EXE - Deleted C:\WINDOWS\SYSTEM32\MSWB32.EXE - Deleted C:\WINDOWS\SYSTEM32\MSWU.EXE - Deleted C:\WINDOWS\SYSTEM32\MSWZ.EXE - Deleted C:\WINDOWS\SYSTEM32\MSYG32.EXE - Deleted C:\WINDOWS\SYSTEM32\MSZB.EXE - Deleted C:\WINDOWS\SYSTEM32\MSZI.EXE - Deleted C:\WINDOWS\SYSTEM32\NETAM32.EXE - Deleted C:\WINDOWS\SYSTEM32\NETAY32.EXE - Deleted C:\WINDOWS\SYSTEM32\NETBY32.EXE - Deleted C:\WINDOWS\SYSTEM32\NETCP.EXE - Deleted C:\WINDOWS\SYSTEM32\NETCS32.EXE - Deleted C:\WINDOWS\SYSTEM32\NETDA.EXE - Deleted C:\WINDOWS\SYSTEM32\NETEQ.EXE - Deleted C:\WINDOWS\SYSTEM32\NETEX32.EXE - Deleted C:\WINDOWS\SYSTEM32\NETFM32.EXE - Deleted C:\WINDOWS\SYSTEM32\NETFU32.EXE - Deleted C:\WINDOWS\SYSTEM32\NETGB.EXE - Deleted C:\WINDOWS\SYSTEM32\NETGM.EXE - Deleted C:\WINDOWS\SYSTEM32\NETGQ32.EXE - Deleted C:\WINDOWS\SYSTEM32\NETGT32.EXE - Deleted C:\WINDOWS\SYSTEM32\NETGV.EXE - Deleted C:\WINDOWS\SYSTEM32\NETHP32.EXE - Deleted C:\WINDOWS\SYSTEM32\NETIH32.EXE - Deleted C:\WINDOWS\SYSTEM32\NETIL.EXE - Deleted C:\WINDOWS\SYSTEM32\NETIM.EXE - Deleted C:\WINDOWS\SYSTEM32\NETJU.EXE - Deleted C:\WINDOWS\SYSTEM32\NETKF.EXE - Deleted C:\WINDOWS\SYSTEM32\NETKP.EXE - Deleted C:\WINDOWS\SYSTEM32\NETKV.EXE - Deleted C:\WINDOWS\SYSTEM32\NETMN32.EXE - Deleted C:\WINDOWS\SYSTEM32\NETNY.EXE - Deleted C:\WINDOWS\SYSTEM32\NETOJ32.EXE - Deleted C:\WINDOWS\SYSTEM32\NETPI.EXE - Deleted C:\WINDOWS\SYSTEM32\NETPP.EXE - Deleted C:\WINDOWS\SYSTEM32\NETPP32.EXE - Deleted C:\WINDOWS\SYSTEM32\NETQB32.EXE - Deleted C:\WINDOWS\SYSTEM32\NETQP.EXE - Deleted C:\WINDOWS\SYSTEM32\NETRH32.EXE - Deleted C:\WINDOWS\SYSTEM32\NETRJ32.EXE - Deleted C:\WINDOWS\SYSTEM32\NETRP.EXE - Deleted C:\WINDOWS\SYSTEM32\NETRT32.EXE - Deleted C:\WINDOWS\SYSTEM32\NETRZ32.EXE - Deleted C:\WINDOWS\SYSTEM32\NETSL32.EXE - Deleted C:\WINDOWS\SYSTEM32\NETSU32.EXE - Deleted C:\WINDOWS\SYSTEM32\NETUA32.EXE - Deleted C:\WINDOWS\SYSTEM32\NETVW.EXE - Deleted C:\WINDOWS\SYSTEM32\NETVW32.EXE - Deleted C:\WINDOWS\SYSTEM32\NETWE.EXE - Deleted C:\WINDOWS\SYSTEM32\NETWI.EXE - Deleted C:\WINDOWS\SYSTEM32\NETWR.EXE - Deleted C:\WINDOWS\SYSTEM32\NETXA.EXE - Deleted C:\WINDOWS\SYSTEM32\NETXW.EXE - Deleted C:\WINDOWS\SYSTEM32\NETXW32.EXE - Deleted C:\WINDOWS\SYSTEM32\NETXY.EXE - Deleted C:\WINDOWS\SYSTEM32\NETYG32.EXE - Deleted C:\WINDOWS\SYSTEM32\NETYH32.EXE - Deleted C:\WINDOWS\SYSTEM32\NETYO.EXE - Deleted C:\WINDOWS\SYSTEM32\NETYO32.EXE - Deleted C:\WINDOWS\SYSTEM32\NTAF.EXE - Deleted C:\WINDOWS\SYSTEM32\NTAO.EXE - Deleted C:\WINDOWS\SYSTEM32\NTAX32.EXE - Deleted C:\WINDOWS\SYSTEM32\NTBG.EXE - Deleted C:\WINDOWS\SYSTEM32\NTBN32.EXE - Deleted C:\WINDOWS\SYSTEM32\NTBQ.EXE - Deleted C:\WINDOWS\SYSTEM32\NTBS.EXE - Deleted C:\WINDOWS\SYSTEM32\NTCK.EXE - Deleted C:\WINDOWS\SYSTEM32\NTCS.EXE - Deleted C:\WINDOWS\SYSTEM32\NTDF32.EXE - Deleted C:\WINDOWS\SYSTEM32\NTDJ32.EXE - Deleted C:\WINDOWS\SYSTEM32\NTFE.EXE - Deleted C:\WINDOWS\SYSTEM32\NTFM.EXE - Deleted C:\WINDOWS\SYSTEM32\NTFY.EXE - Deleted C:\WINDOWS\SYSTEM32\NTHH.EXE - Deleted C:\WINDOWS\SYSTEM32\NTHI.EXE - Deleted C:\WINDOWS\SYSTEM32\NTHR.EXE - Deleted C:\WINDOWS\SYSTEM32\NTHS.EXE - Deleted C:\WINDOWS\SYSTEM32\NTHS32.EXE - Deleted C:\WINDOWS\SYSTEM32\NTIO.EXE - Deleted C:\WINDOWS\SYSTEM32\NTIU.EXE - Deleted C:\WINDOWS\SYSTEM32\NTIY.EXE - Deleted C:\WINDOWS\SYSTEM32\NTKB32.EXE - Deleted C:\WINDOWS\SYSTEM32\NTKY32.EXE - Deleted C:\WINDOWS\SYSTEM32\NTLB32.EXE - Deleted C:\WINDOWS\SYSTEM32\NTLQ32.EXE - Deleted C:\WINDOWS\SYSTEM32\NTLR32.EXE - Deleted C:\WINDOWS\SYSTEM32\NTLZ.EXE - Deleted C:\WINDOWS\SYSTEM32\NTMD32.EXE - Deleted C:\WINDOWS\SYSTEM32\NTND32.EXE - Deleted C:\WINDOWS\SYSTEM32\NTNJ32.EXE - Deleted C:\WINDOWS\SYSTEM32\NTNN.EXE - Deleted C:\WINDOWS\SYSTEM32\NTNO32.EXE - Deleted C:\WINDOWS\SYSTEM32\NTNY32.EXE - Deleted C:\WINDOWS\SYSTEM32\NTOF.EXE - Deleted C:\WINDOWS\SYSTEM32\NTOH32.EXE - Deleted C:\WINDOWS\SYSTEM32\NTOS32.EXE - Deleted C:\WINDOWS\SYSTEM32\NTOU.EXE - Deleted C:\WINDOWS\SYSTEM32\NTPE.EXE - Deleted C:\WINDOWS\SYSTEM32\NTPF32.EXE - Deleted C:\WINDOWS\SYSTEM32\NTPO32.EXE - Deleted C:\WINDOWS\SYSTEM32\NTQG32.EXE - Deleted C:\WINDOWS\SYSTEM32\NTQN.EXE - Deleted C:\WINDOWS\SYSTEM32\NTQO32.EXE - Deleted C:\WINDOWS\SYSTEM32\NTQT.EXE - Deleted C:\WINDOWS\SYSTEM32\NTQT32.EXE - Deleted C:\WINDOWS\SYSTEM32\NTRK.EXE - Deleted C:\WINDOWS\SYSTEM32\NTSW.EXE - Deleted C:\WINDOWS\SYSTEM32\NTTD.EXE - Deleted C:\WINDOWS\SYSTEM32\NTTK32.EXE - Deleted C:\WINDOWS\SYSTEM32\NTUH32.EXE - Deleted C:\WINDOWS\SYSTEM32\NTVN32.EXE - Deleted C:\WINDOWS\SYSTEM32\NTVT.EXE - Deleted C:\WINDOWS\SYSTEM32\NTWG.EXE - Deleted C:\WINDOWS\SYSTEM32\NTWS32.EXE - Deleted C:\WINDOWS\SYSTEM32\NTWY.EXE - Deleted C:\WINDOWS\SYSTEM32\NTXH.EXE - Deleted C:\WINDOWS\SYSTEM32\NTYM.EXE - Deleted C:\WINDOWS\SYSTEM32\NTZK32.EXE - Deleted C:\WINDOWS\SYSTEM32\NTZT32.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKAE32.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKAN.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKAS.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKBN32.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKBT32.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKCM32.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKCP.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKCU.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKDD32.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKDF.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKDF32.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKDI32.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKDZ32.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKED32.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKEI.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKEZ.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKFI.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKFT32.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKFZ32.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKGO.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKGR.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKHM.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKII32.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKIR32.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKJU32.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKKM.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKKS32.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKLF.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKLO32.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKLW32.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKMB.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKMY32.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKNF.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKNT32.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKOV.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKPE32.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKPG.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKPN32.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKPS.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKQB.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKQC.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKQH32.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKQN32.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKQX.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKRJ32.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKRX.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKSC32.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKSP32.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKTK.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKTQ.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKUG32.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKUR.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKVJ.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKVL.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKWA32.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKWY.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKXP32.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKYL.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKYN32.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKZD32.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKZK32.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKZS32.EXE - Deleted C:\WINDOWS\SYSTEM32\SDKZZ32.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSAA32.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSAH32.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSAJ.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSAU32.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSBY.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSCE.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSCW.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSDD32.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSDF32.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSDH.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSDT.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSDV.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSEF.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSEX.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSEX32.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSFD.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSFG32.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSFS32.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSFV.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSGX32.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSHQ.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSHT32.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSIA32.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSJC32.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSJM.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSJT.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSLC32.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSLD.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSLQ.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSMA.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSMQ32.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSNE.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSNK.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSNT.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSOL32.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSPO32.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSQD.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSQI32.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSQJ.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSQV32.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSRL.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSRQ.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSRZ32.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSSB.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSSI32.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSSJ.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSSR32.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSTA32.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSTJ.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSTK.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSUC.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSUE32.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSWC32.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSWF32.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSWP.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSWR32.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSWW.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSWW32.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSWZ.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSXS.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSYB32.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSYH32.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSYN32.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSZU.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSZU32.EXE - Deleted C:\WINDOWS\SYSTEM32\SYSZZ.EXE - Deleted C:\WINDOWS\SYSTEM32\WINAC32.EXE - Deleted C:\WINDOWS\SYSTEM32\WINAO.EXE - Deleted C:\WINDOWS\SYSTEM32\WINAQ.EXE - Deleted C:\WINDOWS\SYSTEM32\WINBH32.EXE - Deleted C:\WINDOWS\SYSTEM32\WINBO.EXE - Deleted C:\WINDOWS\SYSTEM32\WINCC.EXE - Deleted C:\WINDOWS\SYSTEM32\WINCZ32.EXE - Deleted C:\WINDOWS\SYSTEM32\WINDE.EXE - Deleted C:\WINDOWS\SYSTEM32\WINDE32.EXE - Deleted C:\WINDOWS\SYSTEM32\WINDG.EXE - Deleted C:\WINDOWS\SYSTEM32\WINDU32.EXE - Deleted C:\WINDOWS\SYSTEM32\WINDX.EXE - Deleted C:\WINDOWS\SYSTEM32\WINEI.EXE - Deleted C:\WINDOWS\SYSTEM32\WINEP.EXE - Deleted C:\WINDOWS\SYSTEM32\WINFE.EXE - Deleted C:\WINDOWS\SYSTEM32\WINFQ32.EXE - Deleted C:\WINDOWS\SYSTEM32\WINFR.EXE - Deleted C:\WINDOWS\SYSTEM32\WINFU32.EXE - Deleted C:\WINDOWS\SYSTEM32\WINGY32.EXE - Deleted C:\WINDOWS\SYSTEM32\WINHA.EXE - Deleted C:\WINDOWS\SYSTEM32\WINHC32.EXE - Deleted C:\WINDOWS\SYSTEM32\WINHJ32.EXE - Deleted C:\WINDOWS\SYSTEM32\WINHU32.EXE - Deleted C:\WINDOWS\SYSTEM32\WINIK32.EXE - Deleted C:\WINDOWS\SYSTEM32\WINJN32.EXE - Deleted C:\WINDOWS\SYSTEM32\WINJT.EXE - Deleted C:\WINDOWS\SYSTEM32\WINJV.EXE - Deleted C:\WINDOWS\SYSTEM32\WINJV32.EXE - Deleted C:\WINDOWS\SYSTEM32\WINKK.EXE - Deleted C:\WINDOWS\SYSTEM32\WINKR32.EXE - Deleted C:\WINDOWS\SYSTEM32\WINKT.EXE - Deleted C:\WINDOWS\SYSTEM32\WINKV32.EXE - Deleted C:\WINDOWS\SYSTEM32\WINLS.EXE - Deleted C:\WINDOWS\SYSTEM32\WINLT32.EXE - Deleted C:\WINDOWS\SYSTEM32\WINLX.EXE - Deleted C:\WINDOWS\SYSTEM32\WINMT.EXE - Deleted C:\WINDOWS\SYSTEM32\WINMY.EXE - Deleted C:\WINDOWS\SYSTEM32\WINOE.EXE - Deleted C:\WINDOWS\SYSTEM32\WINOW.EXE - Deleted C:\WINDOWS\SYSTEM32\WINOZ32.EXE - Deleted C:\WINDOWS\SYSTEM32\WINPC.EXE - Deleted C:\WINDOWS\SYSTEM32\WINPG32.EXE - Deleted C:\WINDOWS\SYSTEM32\WINPM32.EXE - Deleted C:\WINDOWS\SYSTEM32\WINPU32.EXE - Deleted C:\WINDOWS\SYSTEM32\WINPV32.EXE - Deleted C:\WINDOWS\SYSTEM32\WINQE.EXE - Deleted C:\WINDOWS\SYSTEM32\WINQL.EXE - Deleted C:\WINDOWS\SYSTEM32\WINQT.EXE - Deleted C:\WINDOWS\SYSTEM32\WINRA32.EXE - Deleted C:\WINDOWS\SYSTEM32\WINRD.EXE - Deleted C:\WINDOWS\SYSTEM32\WINRF.EXE - Deleted C:\WINDOWS\SYSTEM32\WINRX32.EXE - Deleted C:\WINDOWS\SYSTEM32\WINSL.EXE - Deleted C:\WINDOWS\SYSTEM32\WINSR.EXE - Deleted C:\WINDOWS\SYSTEM32\WINST32.EXE - Deleted C:\WINDOWS\SYSTEM32\WINTA32.EXE - Deleted C:\WINDOWS\SYSTEM32\WINTB32.EXE - Deleted C:\WINDOWS\SYSTEM32\WINTR32.EXE - Deleted C:\WINDOWS\SYSTEM32\WINTW.EXE - Deleted C:\WINDOWS\SYSTEM32\WINUB32.EXE - Deleted C:\WINDOWS\SYSTEM32\WINUQ.EXE - Deleted C:\WINDOWS\SYSTEM32\WINUY.EXE - Deleted C:\WINDOWS\SYSTEM32\WINUZ32.EXE - Deleted C:\WINDOWS\SYSTEM32\WINVS.EXE - Deleted C:\WINDOWS\SYSTEM32\WINWD32.EXE - Deleted C:\WINDOWS\SYSTEM32\WINXD32.EXE - Deleted C:\WINDOWS\SYSTEM32\WINYP.EXE - Deleted C:\WINDOWS\SYSTEM32\WINZC32.EXE - Deleted C:\WINDOWS\SYSTEM32\WINZF32.EXE - Deleted C:\WINDOWS\SYSTEM32\WINZQ32.EXE - Deleted C:\WINDOWS\SYSTEM32\ATLNS32.DLL - Deleted C:\WINDOWS\SYSTEM32\D3WE32.DLL - Deleted C:\WINDOWS\SYSTEM32\EIMNH.DLL - Deleted C:\WINDOWS\SYSTEM32\EVQFL.DLL - Deleted C:\WINDOWS\SYSTEM32\LXXNK.DLL - Deleted C:\WINDOWS\SYSTEM32\MNRIT.DLL - Deleted C:\WINDOWS\SYSTEM32\MSRX32.DLL - Deleted C:\WINDOWS\SYSTEM32\NTUZ32.DLL - Deleted C:\WINDOWS\fvowketqplo.dll - Deleted C:\WINDOWS\i386\csrss.exe - Deleted C:\WINDOWS\mpfanvqg.dll - Deleted C:\WINDOWS\oadkxrts.exe - Deleted C:\WINDOWS\pvnsmfor.dll - Deleted C:\WINDOWS\vbksrofa.dll - Deleted Removing Temp Files ADS Check : Final Check : catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-05-13 16:03:55 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... IPC error: 2 The system cannot find the file specified. scanning hidden services & system hive ... scanning hidden registry entries ... [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9FBB2D0E-5090-F6E7-A6C7-85D9893F7AA4}] "iakimenmdgifjklank"=hex:6a,61,67,66,63,6d,62,6c,61,62,6a,64,61,6a,6f,6e,68,61,62,63,00,.. "haagcjgheckeanke"=hex:6a,61,67,66,63,6d,62,6c,61,62,6a,64,61,6a,6f,6e,68,61,62,63,00,.. scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services : Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe::Enabled:Logitech Desktop Messenger" "C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe::Enabled:Internet Explorer" "C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"="C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme::Enabled:GunBound" "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe::Enabled:LimeWire" "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe::Enabled:AOL Loader" "C:\\Program Files\\BitLord2\\BitLord.exe"="C:\\Program Files\\BitLord2\\BitLord.exe::Enabled: " "C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe::Enabled:AOL Instant Messenger" "C:\\WINDOWS\\system32\\fscagent.exe"="C:\\WINDOWS\\system32\\fscagent.exe::Enabled:???? ???? ??" "C:\\WINDOWS\\system32\\clubbox.exe"="C:\\WINDOWS\\system32\\clubbox.exe::Enabled:��'1�� ,r��" "C:\\WINDOWS\\system32\\grdmgr.exe"="C:\\WINDOWS\\system32\\grdmgr.exe::Enabled:CDN ???? ??" "C:\\Nexon\\MapleStory\\MapleStory.exe"="C:\\Nexon\\MapleStory\\MapleStory.exe::Enabled:MapleStory" "C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe::Enabled:Veoh Client" "C:\\Program Files\\Xi\\NetXfer\\NetTransport.exe"="C:\\Program Files\\Xi\\NetXfer\\NetTransport.exe::Enabled:NetXfer Download Manager" "C:\\Program Files\\Softnyx\\WolfTeam\\Wolfteam.bin"="C:\\Program Files\\Softnyx\\WolfTeam\\Wolfteam.bin::Enabled:WolfTeam" "C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe::Enabled:Azureus" "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files&#

Rorschach112 View Member Profile	May 14 2008, 06:20 AM Post #5
GeekU Teacher Posts: 34,385 From: Dublin OS: XP	Hello Please visit this web page for instructions for downloading and running ComboFix http://www.bleepingcomputer.com/combofix/how-to-use-combofix This includes installing the Windows XP Recovery Console in case you have not installed it yet. For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058. Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal. Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

MISTERSTALKER View Member Profile	May 14 2008, 03:43 PM Post #6
Member Posts: 62 OS: XP	QUOTE (Rorschach112 @ May 14 2008, 05:20 AM) Hello Please visit this web page for instructions for downloading and running ComboFix http://www.bleepingcomputer.com/combofix/how-to-use-combofix This includes installing the Windows XP Recovery Console in case you have not installed it yet. For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058. Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal. Post the log from ComboFix when you've accomplished that, along with a new HijackThis log. Hi! I downloaded Combofix and Windows XP Recovery console but: QUOTE 4. # Once the Microsoft file has finished downloading, you should drag it on top of the ComboFix icon and let your mouse button go. This is shown in the following image. I can't complete this step because my desktop icons still will not show. Is there a way to do this step in a different way?

Rorschach112 View Member Profile	May 14 2008, 05:28 PM Post #7
GeekU Teacher Posts: 34,385 From: Dublin OS: XP	Just run ComboFix then

MISTERSTALKER View Member Profile	May 14 2008, 06:56 PM Post #8
Member Posts: 62 OS: XP	Alrighty Oh and. my AntiVIR keeps detecting C:\WINDOWS\system32\yayvWnKC.dll as a trojan horse. I quarantined/deleted it many times but it keeps reappearing.. The detection pops up any time I open a program/file. Anyways, Here's the log: ComboFix 08-05-12.1 - David Lim 2008-05-14 17:17:18.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.141 [GMT -7:00] Running from: C:\Documents and Settings\David Lim\Desktop\ComboFix.exe * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\David Lim\Application Data\macromedia\Flash Player\#SharedObjects\WSPFGKSP\www.broadcaster.com C:\Documents and Settings\David Lim\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com C:\Documents and Settings\David Lim\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol C:\Documents and Settings\David Lim\Favorites\Error Cleaner.url C:\Documents and Settings\David Lim\Favorites\Privacy Protector.url C:\Documents and Settings\David Lim\Favorites\Spyware&Malware Protection.url C:\WINDOWS\Downloaded Program Files\setup.inf C:\WINDOWS\jnzqf.dat C:\WINDOWS\mggca.dat C:\WINDOWS\system32\drivers\Xprotector.sys C:\WINDOWS\system32\hdagj.dat C:\WINDOWS\system32\lnnxk.dat C:\WINDOWS\system32\qflhu.dat C:\WINDOWS\system32\VFPsBcdd.ini C:\WINDOWS\system32\VFPsBcdd.ini2 C:\WINDOWS\system32\zgefl.dat C:\WINDOWS\yxbit.dat . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_XPROTECTOR -------\Service_XPROTECTOR ((((((((((((((((((((((((( Files Created from 2008-04-15 to 2008-05-15 ))))))))))))))))))))))))))))))) . 2008-05-13 15:38 . 2008-05-13 15:38 <DIR> d-------- C:\WINDOWS\ERUNT 2008-05-13 15:31 . 2008-05-13 16:14 <DIR> d-------- C:\SDFix 2008-05-13 15:25 . 2008-05-13 15:25 <DIR> d-------- C:\Documents and Settings\David Lim\Application Data\TmpRecentIcons 2008-05-12 18:42 . 2008-05-12 18:42 <DIR> d-------- C:\Program Files\Trend Micro 2008-05-12 17:48 . 2008-05-12 17:49 319,104 --a------ C:\WINDOWS\system32\ddcBsPFV.dll 2008-05-12 17:40 . 2008-05-12 17:40 1 --a------ C:\WINDOWS\system32\kr_done1de 2008-05-12 17:39 . 2008-05-12 17:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adsl Software Limited 2008-05-12 17:39 . 2008-05-12 17:39 29,312 --a------ C:\WINDOWS\system32\yayvWnKC.dll 2008-04-30 22:35 . 2008-04-30 22:35 <DIR> d-------- C:\Program Files\Mediaccurate 2008-04-25 22:11 . 2004-12-10 10:06 327,680 --a------ C:\WINDOWS\system32\vp6dec.ax 2008-04-25 22:11 . 2004-12-10 10:47 53,248 --a------ C:\WINDOWS\system32\vp6dec_settings.cpl 2008-04-20 11:20 . 2008-04-20 11:20 <DIR> d-------- C:\Program Files\MSECache 2008-04-20 11:18 . 2008-05-02 21:00 <DIR> d-------- C:\Download 2008-04-20 10:55 . 2008-04-20 10:59 <DIR> d-------- C:\Documents and Settings\David Lim\Application Data\Mathematica 2008-04-20 10:55 . 2008-04-20 10:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Mathematica 2008-04-19 21:46 . 2008-04-19 22:41 <DIR> d-------- C:\WINDOWS\.jagex_cache_32 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-05-13 22:28 --------- d-----w C:\Program Files\AIMTunes 2008-05-06 22:48 --------- d-----w C:\Documents and Settings\David Lim\Application Data\Azureus 2008-05-03 04:01 --------- d-----w C:\Program Files\LimeWire 2008-04-26 05:10 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-04-20 18:23 49,280 ----a-w C:\Documents and Settings\David Lim\Application Data\GDIPFONTCACHEV1.DAT 2008-04-16 22:39 --------- d-----w C:\Program Files\Project64 1.6 2008-04-07 07:23 --------- d-----w C:\Program Files\iTunes 2008-04-07 07:21 --------- d-----w C:\Program Files\iPod 2008-04-07 07:13 --------- d-----w C:\Program Files\QuickTime 2008-03-25 22:33 --------- d-----w C:\Program Files\ESTsoft 2008-03-25 22:33 --------- d-----w C:\Documents and Settings\David Lim\Application Data\ESTsoft 2008-03-25 22:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESTsoft 2005-06-24 03:12 32 ----a-r C:\Documents and Settings\All Users\hash.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{62E8FC5F-C26D-49F2-BA3C-DDEA871387E3}] 2008-05-12 17:49 319104 --a------ C:\WINDOWS\system32\ddcBsPFV.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{97F7302A-147C-4435-901C-184375993BE6}] 2008-05-12 17:39 29312 --a------ C:\WINDOWS\system32\yayvWnKC.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360] "Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 09:15 50528] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-07-28 15:19 4841472] "{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 14:48 479232] "avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-14 17:56 262401] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "NvMediaCenter"="C:\WINDOWS\system32\NVMCTRAY.DLL" [2003-07-28 15:19 49152] "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 14:18 443968] C:\Documents and Settings\David Lim\Start Menu\Programs\Startup\ 4t Tray Minimizer.lnk - C:\Program Files\4t Tray Minimizer\4t-min.exe [2004-10-18 14:26:38 1141760] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "NoResolveSearch"= 1 (0x1) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoViewOnDrive"= 0 (0x0) [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{97F7302A-147C-4435-901C-184375993BE6}"= C:\WINDOWS\system32\yayvWnKC.dll [2008-05-12 17:39 29312] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayvWnKC] yayvWnKC.dll 2008-05-12 17:39 29312 C:\WINDOWS\system32\yayvWnKC.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\ddcBsPFV [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"= "C:\\Program Files\\Internet Explorer\\iexplore.exe"= "C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"= "C:\\Program Files\\LimeWire\\LimeWire.exe"= "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "C:\\Program Files\\AIM\\aim.exe"= "C:\\WINDOWS\\system32\\grdmgr.exe"= "C:\\Program Files\\Azureus\\Azureus.exe"= "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "C:\\Program Files\\MSN Messenger\\livecall.exe"= "C:\\WINDOWS\\network diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\AIM6\\aim6.exe"= "C:\\WINDOWS\\system32\\dplaysvr.exe"= "C:\\Program Files\\Microsoft Games\\Age of Empires 2 - The Age of Kings and Conquerors\\age2_x1\\age2_x1.exe"= "C:\\Program Files\\IGZones\\IGZones.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"= R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\drivers\avgntmgr.sys [2006-11-22 14:30] R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys [2007-02-27 15:18] R2 SVKP;SVKP;C:\WINDOWS\System32\SVKP.sys [2004-04-14 12:46] R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38] R3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;C:\WINDOWS\system32\DRIVERS\m4301A.sys [2004-12-21 16:16] S0 _epnt;Easy Protect NT Driver;C:\WINDOWS\system32\_epnt.sys [] S2 TmpUpSrv;AntiVir Update Temp;"C:\DOCUME~1\DAVIDL~1\LOCALS~1\TEMP\_VWUPSRV.EXE" [] S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 09:05] S3 cheetah1;cheetah1;C:\Documents and Settings\David Lim\Desktop\cheetahengine\cheetahengine\cheetah.sys [] S3 DADriv1;DADriv1;C:\Documents and Settings\David Lim\Desktop\DAEngine\DAEngine\DAK32.sys [] S3 DISK_DRIVE32;DISK_DRIVE32;C:\Documents and Settings\David Lim\My Documents\DiskDrove\Ms HackV.23 Part2\disk_1024.sys [] S3 GGK;GGK;C:\Documents and Settings\David Lim\My Documents\ggk\ggk.sys [] S3 iCheat1;iCheat1;C:\Documents and Settings\David Lim\Desktop\ICHEAT\nvid999.sys [] S3 kaspersky1;kaspersky1;C:\Documents and Settings\David Lim\Desktop\Kaspersky Engine 3.2\kaspersky.sys [] S3 NOWMEMDF;NOWMEMDF;C:\WINDOWS\system32\NOWMEMDF.sys [] S3 saruen;saruen;C:\Documents and Settings\David Lim\My Documents\Everything\saruengang101of\saruen.sys [] S3 saruenGang;saruenGang;C:\Documents and Settings\David Lim\My Documents\Everything\saruengang102\saruenGang.sys [] S3 sejt1;sejt1;C:\Documents and Settings\David Lim\My Documents\Everything\AkumaEngine33\AkumaEngine33\sejt.sys [] S3 spuce1;spuce1;C:\Documents and Settings\David Lim\Desktop\SPUCE2\SPUCE 2.0\spuce.sys [] S3 Visual1;Visual1;C:\Documents and Settings\David Lim\My Documents\Visual Engpine\Visual Engine\Visual.sys [] S3 XDva028;XDva028;C:\WINDOWS\system32\XDva028.sys [] S3 xp1;xp1;C:\Documents and Settings\David Lim\My Documents\Everything\xpengine\xp.sys [] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{358d39de-53eb-11da-b957-00409507bbf0}] \Shell\AutoRun\command - F:\loaderw.exe /no hidden [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ae73f7d7-53bb-42ef-b634-9df2be96a4ee] C:\WINDOWS\System32\cbmonnx.exe . Contents of the 'Scheduled Tasks' folder "2008-05-10 00:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job" - C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe "2008-05-12 22:30:30 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe "2008-05-15 00:43:20 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job" - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE "2008-05-14 22:43:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job" - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe "2008-02-04 23:43:15 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job" - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe . ************************************************************************ catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-05-14 17:31:31 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\system32\winlogon.exe -> C:\WINDOWS\system32\yayvWnKC.dll . ------------------------ Other Running Processes ------------------------ . C:\Program Files\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\taskmgr.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe C:\WINDOWS\system32\rundll32.exe . ************************************************************************ . Completion time: 2008-05-14 17:52:33 - machine was rebooted ComboFix-quarantined-files.txt 2008-05-15 00:49:01 ComboFix2.txt 2007-05-13 17:37:08 Pre-Run: 45,101,576,192 bytes free Post-Run: 45,398,253,568 bytes free 196 --- E O F --- 2008-05-14 21:36:59 Thanks again!

Rorschach112 View Member Profile	May 15 2008, 07:24 AM Post #9
GeekU Teacher Posts: 34,385 From: Dublin OS: XP	Hello 1. Close any open browsers. 2. Open notepad and copy/paste the text in the quotebox below into it: QUOTE File:: C:\WINDOWS\system32\ddcBsPFV.dll C:\WINDOWS\system32\kr_done1de C:\WINDOWS\system32\yayvWnKC.dll C:\WINDOWS\System32\cbmonnx.exe F:\loaderw.exe Folder:: Registry:: [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{97F7302A-147C-4435-901C-184375993BE6}"=- [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{358d39de-53eb-11da-b957-00409507bbf0}] [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ae73f7d7-53bb-42ef-b634-9df2be96a4ee] [-HKEY_CLASSES_ROOT\CLSID\{ae73f7d7-53bb-42ef-b634-9df2be96a4ee}] Driver:: Save this as CFScript.txt, in the same location as ComboFix.exe Refering to the picture above, drag CFScript into ComboFix.exe When finished, it shall produce a log for you at "C:\ComboFix.txt" Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall Also post a new HijackThis log

MISTERSTALKER View Member Profile	May 15 2008, 07:02 PM Post #10
Member Posts: 62 OS: XP	Hi! Well. I couldn't see my windows icons still, but i found when i ran "explorer.exe" it would show temporarily (and then disappear again) so i did that and was scanning the way you directed, but my computer overheated in the middle of the scan, so I scanned again (and the logfiles are from after that scan) OH and after i ran that, my icons and start menu are back and i'm not getting any more AntiVIR detections! I know you wanted "ComboFix.txt" but "log.txt" popped up too, so here it is: ComboFix 08-05-12.1 - David Lim 2008-05-15 17:29:32.3 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.220 [GMT -7:00] Running from: C:\Documents and Settings\David Lim\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\David Lim\Desktop\CFScript.txt * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! FILE :: C:\WINDOWS\System32\cbmonnx.exe C:\WINDOWS\system32\ddcBsPFV.dll C:\WINDOWS\system32\kr_done1de C:\WINDOWS\system32\yayvWnKC.dll F:\loaderw.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\system32\ddcBsPFV.dll C:\WINDOWS\system32\VFPsBcdd.ini C:\WINDOWS\system32\VFPsBcdd.ini2 . ---- Previous Run ------- . C:\WINDOWS\system32\kr_done1de C:\WINDOWS\system32\yayvWnKC.dll . ((((((((((((((((((((((((( Files Created from 2008-04-16 to 2008-05-16 ))))))))))))))))))))))))))))))) . 2008-05-14 17:39 . 2008-05-14 17:39 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-05-14 17:39 . 2008-05-14 17:39 1,409 --a------ C:\WINDOWS\QTFont.for 2008-05-13 15:38 . 2008-05-13 15:38 <DIR> d-------- C:\WINDOWS\ERUNT 2008-05-13 15:31 . 2008-05-13 16:14 <DIR> d-------- C:\SDFix 2008-05-13 15:25 . 2008-05-13 15:25 <DIR> d-------- C:\Documents and Settings\David Lim\Application Data\TmpRecentIcons 2008-05-12 18:42 . 2008-05-12 18:42 <DIR> d-------- C:\Program Files\Trend Micro 2008-05-12 17:39 . 2008-05-12 17:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adsl Software Limited 2008-04-30 22:35 . 2008-04-30 22:35 <DIR> d-------- C:\Program Files\Mediaccurate 2008-04-25 22:11 . 2004-12-10 10:06 327,680 --a------ C:\WINDOWS\system32\vp6dec.ax 2008-04-25 22:11 . 2004-12-10 10:47 53,248 --a------ C:\WINDOWS\system32\vp6dec_settings.cpl 2008-04-20 11:20 . 2008-04-20 11:20 <DIR> d-------- C:\Program Files\MSECache 2008-04-20 11:18 . 2008-05-02 21:00 <DIR> d-------- C:\Download 2008-04-20 10:55 . 2008-04-20 10:59 <DIR> d-------- C:\Documents and Settings\David Lim\Application Data\Mathematica 2008-04-20 10:55 . 2008-04-20 10:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Mathematica 2008-04-19 21:46 . 2008-04-19 22:41 <DIR> d-------- C:\WINDOWS\.jagex_cache_32 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-05-13 22:28 --------- d-----w C:\Program Files\AIMTunes 2008-05-06 22:48 --------- d-----w C:\Documents and Settings\David Lim\Application Data\Azureus 2008-05-03 04:01 --------- d-----w C:\Program Files\LimeWire 2008-04-26 05:10 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-04-20 18:23 49,280 ----a-w C:\Documents and Settings\David Lim\Application Data\GDIPFONTCACHEV1.DAT 2008-04-16 22:39 --------- d-----w C:\Program Files\Project64 1.6 2008-04-07 07:23 --------- d-----w C:\Program Files\iTunes 2008-04-07 07:21 --------- d-----w C:\Program Files\iPod 2008-04-07 07:13 --------- d-----w C:\Program Files\QuickTime 2008-03-25 22:33 --------- d-----w C:\Program Files\ESTsoft 2008-03-25 22:33 --------- d-----w C:\Documents and Settings\David Lim\Application Data\ESTsoft 2008-03-25 22:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESTsoft 2005-06-24 03:12 32 ----a-r C:\Documents and Settings\All Users\hash.dat . ((((((((((((((((((((((((((((( snapshot@2008-05-14_17.47.25.67 ))))))))))))))))))))))))))))))))))))))))) . + 2008-01-23 04:56:21 554,008 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\dao360.dll + 2007-12-10 12:41:11 518,944 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msexch40.dll + 2007-12-10 12:41:11 326,432 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msexcl40.dll + 2007-12-10 12:41:11 1,516,568 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjet40.dll + 2007-12-10 12:41:11 355,112 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjetol1.dll + 2008-03-27 07:39:13 151,583 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjint40.dll + 2007-12-10 12:41:12 60,192 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjter40.dll + 2007-12-10 12:41:12 248,608 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjtes40.dll + 2007-12-10 12:41:12 219,936 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msltus40.dll + 2007-12-10 12:41:12 355,104 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mspbde40.dll + 2007-12-10 12:41:13 432,928 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrd2x40.dll + 2007-12-10 12:41:13 322,336 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrd3x40.dll + 2007-12-10 12:41:13 559,904 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrepl40.dll + 2007-12-10 12:41:13 264,992 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mstext40.dll + 2007-12-10 12:41:13 838,432 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mswdat10.dll + 2007-12-10 12:41:14 621,344 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mswstr10.dll + 2007-12-10 12:41:14 355,104 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msxbde40.dll + 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB950749\spmsg.dll + 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB950749\spuninst.exe + 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB950749\update\spcustom.dll + 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB950749\update\update.exe + 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB950749\update\updspapi.dll - 2008-05-15 00:29:20 2,048 --s-a-w C:\WINDOWS\bootstat.dat + 2008-05-16 00:42:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat - 2008-03-12 22:45:59 167,936 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe + 2008-05-15 23:46:31 167,936 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe - 2008-03-12 22:45:59 2,560 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe + 2008-05-15 23:46:32 2,560 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe - 2008-03-12 22:45:59 81,920 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe + 2008-05-15 23:46:32 81,920 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe - 2008-03-12 22:45:59 34,304 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe + 2008-05-15 23:46:30 34,304 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe - 2008-03-12 22:45:59 8,192 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe + 2008-05-15 23:46:32 8,192 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe - 2008-03-12 22:45:59 3,584 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe + 2008-05-15 23:46:33 3,584 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe - 2008-03-12 22:45:59 114,688 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe + 2008-05-15 23:46:33 114,688 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe - 2008-03-12 22:45:59 16,384 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe + 2008-05-15 23:46:31 16,384 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe - 2008-03-12 22:45:59 30,720 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe + 2008-05-15 23:46:31 30,720 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe - 2008-03-12 22:45:59 22,528 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe + 2008-05-15 23:46:34 22,528 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe - 2008-03-12 22:45:59 45,056 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe + 2008-05-15 23:46:30 45,056 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe - 2008-03-12 22:45:59 90,112 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe + 2008-05-15 23:46:30 90,112 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe + 2008-03-25 04:50:25 554,008 -c----w C:\WINDOWS\system32\dllcache\dao360.dll + 2008-03-25 04:50:28 518,944 -c----w C:\WINDOWS\system32\dllcache\msexch40.dll + 2008-03-25 04:50:30 326,432 -c----w C:\WINDOWS\system32\dllcache\msexcl40.dll + 2008-03-25 04:50:34 1,516,568 -c----w C:\WINDOWS\system32\dllcache\msjet40.dll + 2008-03-25 04:50:40 355,112 -c----w C:\WINDOWS\system32\dllcache\msjetol1.dll + 2008-03-27 08:12:54 151,583 -c----w C:\WINDOWS\system32\dllcache\msjint40.dll + 2008-03-25 04:50:42 60,192 -c----w C:\WINDOWS\system32\dllcache\msjter40.dll + 2008-03-25 04:50:42 248,608 -c----w C:\WINDOWS\system32\dllcache\msjtes40.dll + 2008-03-25 04:50:44 219,936 -c----w C:\WINDOWS\system32\dllcache\msltus40.dll + 2008-03-25 04:50:45 355,104 -c----w C:\WINDOWS\system32\dllcache\mspbde40.dll + 2008-03-25 04:50:47 432,928 -c----w C:\WINDOWS\system32\dllcache\msrd2x40.dll + 2008-03-25 04:50:49 322,336 -c----w C:\WINDOWS\system32\dllcache\msrd3x40.dll + 2008-03-25 04:50:52 559,904 -c----w C:\WINDOWS\system32\dllcache\msrepl40.dll + 2008-03-25 04:50:55 264,992 -c----w C:\WINDOWS\system32\dllcache\mstext40.dll + 2008-03-25 04:50:57 838,432 -c----w C:\WINDOWS\system32\dllcache\mswdat10.dll + 2008-03-25 04:50:58 621,344 -c----w C:\WINDOWS\system32\dllcache\mswstr10.dll + 2008-03-25 04:50:58 355,104 -c----w C:\WINDOWS\system32\dllcache\msxbde40.dll - 2008-04-06 05:56:20 19,836,024 ----a-w C:\WINDOWS\system32\MRT.exe + 2008-05-09 21:35:04 16,863,864 ----a-w C:\WINDOWS\system32\MRT.exe - 2004-08-04 07:56:44 512,029 ----a-w C:\WINDOWS\system32\msexch40.dll + 2008-03-25 04:50:28 518,944 ----a-w C:\WINDOWS\system32\msexch40.dll - 2004-08-04 07:56:44 319,517 ----a-w C:\WINDOWS\system32\msexcl40.dll + 2008-03-25 04:50:30 326,432 ----a-w C:\WINDOWS\system32\msexcl40.dll - 2004-08-04 07:56:44 1,507,356 ----a-w C:\WINDOWS\system32\msjet40.dll + 2008-03-25 04:50:34 1,516,568 ----a-w C:\WINDOWS\system32\msjet40.dll - 2004-07-17 18:34:48 358,976 ----a-w C:\WINDOWS\system32\msjetoledb40.dll + 2008-03-25 04:50:40 355,112 ----a-w C:\WINDOWS\system32\msjetoledb40.dll - 2004-08-04 07:56:44 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll + 2008-03-27 08:12:54 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll - 2004-08-04 07:56:44 53,279 ----a-w C:\WINDOWS\system32\msjter40.dll + 2008-03-25 04:50:42 60,192 ----a-w C:\WINDOWS\system32\msjter40.dll - 2004-08-04 07:56:44 241,693 ----a-w C:\WINDOWS\system32\msjtes40.dll + 2008-03-25 04:50:42 248,608 ----a-w C:\WINDOWS\system32\msjtes40.dll - 2004-08-04 07:56:44 213,023 ----a-w C:\WINDOWS\system32\msltus40.dll + 2008-03-25 04:50:44 219,936 ----a-w C:\WINDOWS\system32\msltus40.dll - 2004-08-04 07:56:44 348,189 ----a-w C:\WINDOWS\system32\mspbde40.dll + 2008-03-25 04:50:45 355,104 ----a-w C:\WINDOWS\system32\mspbde40.dll - 2004-08-04 07:56:44 421,919 ----a-w C:\WINDOWS\system32\msrd2x40.dll + 2008-03-25 04:50:47 432,928 ----a-w C:\WINDOWS\system32\msrd2x40.dll - 2004-08-04 07:56:44 315,423 ----a-w C:\WINDOWS\system32\msrd3x40.dll + 2008-03-25 04:50:49 322,336 ----a-w C:\WINDOWS\system32\msrd3x40.dll - 2004-08-04 07:56:44 552,989 ----a-w C:\WINDOWS\system32\msrepl40.dll + 2008-03-25 04:50:52 559,904 ----a-w C:\WINDOWS\system32\msrepl40.dll - 2004-08-04 07:56:44 258,077 ----a-w C:\WINDOWS\system32\mstext40.dll + 2008-03-25 04:50:55 264,992 ----a-w C:\WINDOWS\system32\mstext40.dll - 2004-08-04 07:56:46 831,519 ----a-w C:\WINDOWS\system32\mswdat10.dll + 2008-03-25 04:50:57 838,432 ----a-w C:\WINDOWS\system32\mswdat10.dll - 2004-08-04 07:56:46 614,429 ----a-w C:\WINDOWS\system32\mswstr10.dll + 2008-03-25 04:50:58 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll - 2004-08-04 07:56:46 348,189 ----a-w C:\WINDOWS\system32\msxbde40.dll + 2008-03-25 04:50:58 355,104 ----a-w C:\WINDOWS\system32\msxbde40.dll . -- Snapshot reset to current date -- . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{97F7302A-147C-4435-901C-184375993BE6}] C:\WINDOWS\system32\yayvWnKC.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360] "Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 09:15 50528] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-07-28 15:19 4841472] "{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 14:48 479232] "avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-14 17:56 262401] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "NvMediaCenter"="C:\WINDOWS\system32\NVMCTRAY.DLL" [2003-07-28 15:19 49152] "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 14:18 443968] C:\Documents and Settings\David Lim\Start Menu\Programs\Startup\ 4t Tray Minimizer.lnk - C:\Program Files\4t Tray Minimizer\4t-min.exe [2004-10-18 14:26:38 1141760] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "NoResolveSearch"= 1 (0x1) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoViewOnDrive"= 0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayvWnKC] yayvWnKC.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"= "C:\\Program Files\\Internet Explorer\\iexplore.exe"= "C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"= "C:\\Program Files\\LimeWire\\LimeWire.exe"= "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "C:\\Program Files\\AIM\\aim.exe"= "C:\\WINDOWS\\system32\\grdmgr.exe"= "C:\\Program Files\\Azureus\\Azureus.exe"= "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "C:\\Program Files\\MSN Messenger\\livecall.exe"= "C:\\WINDOWS\\network diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\AIM6\\aim6.exe"= "C:\\WINDOWS\\system32\\dplaysvr.exe"= "C:\\Program Files\\Microsoft Games\\Age of Empires 2 - The Age of Kings and Conquerors\\age2_x1\\age2_x1.exe"= "C:\\Program Files\\IGZones\\IGZones.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"= R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\drivers\avgntmgr.sys [2006-11-22 14:30] R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys [2007-02-27 15:18] R2 SVKP;SVKP;C:\WINDOWS\System32\SVKP.sys [2004-04-14 12:46] R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38] R3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;C:\WINDOWS\system32\DRIVERS\m4301A.sys [2004-12-21 16:16] S0 _epnt;Easy Protect NT Driver;C:\WINDOWS\system32\_epnt.sys [] S2 TmpUpSrv;AntiVir Update Temp;"C:\DOCUME~1\DAVIDL~1\LOCALS~1\TEMP\_VWUPSRV.EXE" [] S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 09:05] S3 cheetah1;cheetah1;C:\Documents and Settings\David Lim\Desktop\cheetahengine\cheetahengine\cheetah.sys [] S3 DADriv1;DADriv1;C:\Documents and Settings\David Lim\Desktop\DAEngine\DAEngine\DAK32.sys [] S3 DISK_DRIVE32;DISK_DRIVE32;C:\Documents and Settings\David Lim\My Documents\DiskDrove\Ms HackV.23 Part2\disk_1024.sys [] S3 GGK;GGK;C:\Documents and Settings\David Lim\My Documents\ggk\ggk.sys [] S3 iCheat1;iCheat1;C:\Documents and Settings\David Lim\Desktop\ICHEAT\nvid999.sys [] S3 kaspersky1;kaspersky1;C:\Documents and Settings\David Lim\Desktop\Kaspersky Engine 3.2\kaspersky.sys [] S3 NOWMEMDF;NOWMEMDF;C:\WINDOWS\system32\NOWMEMDF.sys [] S3 saruen;saruen;C:\Documents and Settings\David Lim\My Documents\Everything\saruengang101of\saruen.sys [] S3 saruenGang;saruenGang;C:\Documents and Settings\David Lim\My Documents\Everything\saruengang102\saruenGang.sys [] S3 sejt1;sejt1;C:\Documents and Settings\David Lim\My Documents\Everything\AkumaEngine33\AkumaEngine33\sejt.sys [] S3 spuce1;spuce1;C:\Documents and Settings\David Lim\Desktop\SPUCE2\SPUCE 2.0\spuce.sys [] S3 Visual1;Visual1;C:\Documents and Settings\David Lim\My Documents\Visual Engpine\Visual Engine\Visual.sys [] S3 XDva028;XDva028;C:\WINDOWS\system32\XDva028.sys [] S3 xp1;xp1;C:\Documents and Settings\David Lim\My Documents\Everything\xpengine\xp.sys [] . Contents of the 'Scheduled Tasks' folder "2008-05-10 00:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job" - C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe "2008-05-12 22:30:30 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe "2008-05-16 00:43:59 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job" - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE "2008-05-14 22:43:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job" - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe "2008-02-04 23:43:15 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job" - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe . ************************************************************************ catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-05-15 17:43:38 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\explorer.exe -> C:\Program Files\4t Tray Minimizer\ShellEh427.dll . ------------------------ Other Running Processes ------------------------ . C:\Program Files\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\AIM6\aolsoftware.exe . ************************************************************************ . Completion time: 2008-05-15 17:56:57 - machine was rebooted [David Lim] ComboFix-quarantined-files.txt 2008-05-16 00:56:26 ComboFix2.txt 2008-05-15 00:52:37 ComboFix3.txt 2007-05-13 17:37:08 Pre-Run: 45,320,654,848 bytes free Post-Run: 45,325,553,664 bytes free 282 --- E O F --- 2008-05-14 21:36:59 and ComboFix.txt: ComboFix 08-05-12.1 - David Lim 2008-05-15 17:29:32.3 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.220 [GMT -7:00] Running from: C:\Documents and Settings\David Lim\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\David Lim\Desktop\CFScript.txt * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! FILE :: C:\WINDOWS\System32\cbmonnx.exe C:\WINDOWS\system32\ddcBsPFV.dll C:\WINDOWS\system32\kr_done1de C:\WINDOWS\system32\yayvWnKC.dll F:\loaderw.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\system32\ddcBsPFV.dll C:\WINDOWS\system32\VFPsBcdd.ini C:\WINDOWS\system32\VFPsBcdd.ini2 . ---- Previous Run ------- . C:\WINDOWS\system32\kr_done1de C:\WINDOWS\system32\yayvWnKC.dll . ((((((((((((((((((((((((( Files Created from 2008-04-16 to 2008-05-16 ))))))))))))))))))))))))))))))) . 2008-05-14 17:39 . 2008-05-14 17:39 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-05-14 17:39 . 2008-05-14 17:39 1,409 --a------ C:\WINDOWS\QTFont.for 2008-05-13 15:38 . 2008-05-13 15:38 <DIR> d-------- C:\WINDOWS\ERUNT 2008-05-13 15:31 . 2008-05-13 16:14 <DIR> d-------- C:\SDFix 2008-05-13 15:25 . 2008-05-13 15:25 <DIR> d-------- C:\Documents and Settings\David Lim\Application Data\TmpRecentIcons 2008-05-12 18:42 . 2008-05-12 18:42 <DIR> d-------- C:\Program Files\Trend Micro 2008-05-12 17:39 . 2008-05-12 17:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adsl Software Limited 2008-04-30 22:35 . 2008-04-30 22:35 <DIR> d-------- C:\Program Files\Mediaccurate 2008-04-25 22:11 . 2004-12-10 10:06 327,680 --a------ C:\WINDOWS\system32\vp6dec.ax 2008-04-25 22:11 . 2004-12-10 10:47 53,248 --a------ C:\WINDOWS\system32\vp6dec_settings.cpl 2008-04-20 11:20 . 2008-04-20 11:20 <DIR> d-------- C:\Program Files\MSECache 2008-04-20 11:18 . 2008-05-02 21:00 <DIR> d-------- C:\Download 2008-04-20 10:55 . 2008-04-20 10:59 <DIR> d-------- C:\Documents and Settings\David Lim\Application Data\Mathematica 2008-04-20 10:55 . 2008-04-20 10:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Mathematica 2008-04-19 21:46 . 2008-04-19 22:41 <DIR> d-------- C:\WINDOWS\.jagex_cache_32 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-05-13 22:28 --------- d-----w C:\Program Files\AIMTunes 2008-05-06 22:48 --------- d-----w C:\Documents and Settings\David Lim\Application Data\Azureus 2008-05-03 04:01 --------- d-----w C:\Program Files\LimeWire 2008-04-26 05:10 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-04-20 18:23 49,280 ----a-w C:\Documents and Settings\David Lim\Application Data\GDIPFONTCACHEV1.DAT 2008-04-16 22:39 --------- d-----w C:\Program Files\Project64 1.6 2008-04-07 07:23 --------- d-----w C:\Program Files\iTunes 2008-04-07 07:21 --------- d-----w C:\Program Files\iPod 2008-04-07 07:13 --------- d-----w C:\Program Files\QuickTime 2008-03-25 22:33 --------- d-----w C:\Program Files\ESTsoft 2008-03-25 22:33 --------- d-----w C:\Documents and Settings\David Lim\Application Data\ESTsoft 2008-03-25 22:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESTsoft 2005-06-24 03:12 32 ----a-r C:\Documents and Settings\All Users\hash.dat . ((((((((((((((((((((((((((((( snapshot@2008-05-14_17.47.25.67 ))))))))))))))))))))))))))))))))))))))))) . + 2008-01-23 04:56:21 554,008 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\dao360.dll + 2007-12-10 12:41:11 518,944 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msexch40.dll + 2007-12-10 12:41:11 326,432 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msexcl40.dll + 2007-12-10 12:41:11 1,516,568 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjet40.dll + 2007-12-10 12:41:11 355,112 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjetol1.dll + 2008-03-27 07:39:13 151,583 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjint40.dll + 2007-12-10 12:41:12 60,192 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjter40.dll + 2007-12-10 12:41:12 248,608 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjtes40.dll + 2007-12-10 12:41:12 219,936 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msltus40.dll + 2007-12-10 12:41:12 355,104 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mspbde40.dll + 2007-12-10 12:41:13 432,928 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrd2x40.dll + 2007-12-10 12:41:13 322,336 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrd3x40.dll + 2007-12-10 12:41:13 559,904 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrepl40.dll + 2007-12-10 12:41:13 264,992 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mstext40.dll + 2007-12-10 12:41:13 838,432 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mswdat10.dll + 2007-12-10 12:41:14 621,344 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mswstr10.dll + 2007-12-10 12:41:14 355,104 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msxbde40.dll + 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB950749\spmsg.dll + 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB950749\spuninst.exe + 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB950749\update\spcustom.dll + 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB950749\update\update.exe + 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB950749\update\updspapi.dll - 2008-05-15 00:29:20 2,048 --s-a-w C:\WINDOWS\bootstat.dat + 2008-05-16 00:42:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat - 2008-03-12 22:45:59 167,936 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe + 2008-05-15 23:46:31 167,936 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe - 2008-03-12 22:45:59 2,560 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe + 2008-05-15 23:46:32 2,560 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe - 2008-03-12 22:45:59 81,920 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe + 2008-05-15 23:46:32 81,920 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe - 2008-03-12 22:45:59 34,304 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe + 2008-05-15 23:46:30 34,304 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe - 2008-03-12 22:45:59 8,192 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe + 2008-05-15 23:46:32 8,192 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe - 2008-03-12 22:45:59 3,584 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe + 2008-05-15 23:46:33 3,584 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe - 2008-03-12 22:45:59 114,688 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe + 2008-05-15 23:46:33 114,688 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe - 2008-03-12 22:45:59 16,384 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe + 2008-05-15 23:46:31 16,384 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe - 2008-03-12 22:45:59 30,720 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe + 2008-05-15 23:46:31 30,720 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe - 2008-03-12 22:45:59 22,528 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe + 2008-05-15 23:46:34 22,528 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe - 2008-03-12 22:45:59 45,056 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe + 2008-05-15 23:46:30 45,056 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe - 2008-03-12 22:45:59 90,112 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe + 2008-05-15 23:46:30 90,112 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe + 2008-03-25 04:50:25 554,008 -c----w C:\WINDOWS\system32\dllcache\dao360.dll + 2008-03-25 04:50:28 518,944 -c----w C:\WINDOWS\system32\dllcache\msexch40.dll + 2008-03-25 04:50:30 326,432 -c----w C:\WINDOWS\system32\dllcache\msexcl40.dll + 2008-03-25 04:50:34 1,516,568 -c----w C:\WINDOWS\system32\dllcache\msjet40.dll + 2008-03-25 04:50:40 355,112 -c----w C:\WINDOWS\system32\dllcache\msjetol1.dll + 2008-03-27 08:12:54 151,583 -c----w C:\WINDOWS\system32\dllcache\msjint40.dll + 2008-03-25 04:50:42 60,192 -c----w C:\WINDOWS\system32\dllcache\msjter40.dll + 2008-03-25 04:50:42 248,608 -c----w C:\WINDOWS\system32\dllcache\msjtes40.dll + 2008-03-25 04:50:44 219,936 -c----w C:\WINDOWS\system32\dllcache\msltus40.dll + 2008-03-25 04:50:45 355,104 -c----w C:\WINDOWS\system32\dllcache\mspbde40.dll + 2008-03-25 04:50:47 432,928 -c----w C:\WINDOWS\system32\dllcache\msrd2x40.dll + 2008-03-25 04:50:49 322,336 -c----w C:\WINDOWS\system32\dllcache\msrd3x40.dll + 2008-03-25 04:50:52 559,904 -c----w C:\WINDOWS\system32\dllcache\msrepl40.dll + 2008-03-25 04:50:55 264,992 -c----w C:\WINDOWS\system32\dllcache\mstext40.dll + 2008-03-25 04:50:57 838,432 -c----w C:\WINDOWS\system32\dllcache\mswdat10.dll + 2008-03-25 04:50:58 621,344 -c----w C:\WINDOWS\system32\dllcache\mswstr10.dll + 2008-03-25 04:50:58 355,104 -c----w C:\WINDOWS\system32\dllcache\msxbde40.dll - 2008-04-06 05:56:20 19,836,024 ----a-w C:\WINDOWS\system32\MRT.exe + 2008-05-09 21:35:04 16,863,864 ----a-w C:\WINDOWS\system32\MRT.exe - 2004-08-04 07:56:44 512,029 ----a-w C:\WINDOWS\system32\msexch40.dll + 2008-03-25 04:50:28 518,944 ----a-w C:\WINDOWS\system32\msexch40.dll - 2004-08-04 07:56:44 319,517 ----a-w C:\WINDOWS\system32\msexcl40.dll + 2008-03-25 04:50:30 326,432 ----a-w C:\WINDOWS\system32\msexcl40.dll - 2004-08-04 07:56:44 1,507,356 ----a-w C:\WINDOWS\system32\msjet40.dll + 2008-03-25 04:50:34 1,516,568 ----a-w C:\WINDOWS\system32\msjet40.dll - 2004-07-17 18:34:48 358,976 ----a-w C:\WINDOWS\system32\msjetoledb40.dll + 2008-03-25 04:50:40 355,112 ----a-w C:\WINDOWS\system32\msjetoledb40.dll - 2004-08-04 07:56:44 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll + 2008-03-27 08:12:54 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll - 2004-08-04 07:56:44 53,279 ----a-w C:\WINDOWS\system32\msjter40.dll + 2008-03-25 04:50:42 60,192 ----a-w C:\WINDOWS\system32\msjter40.dll - 2004-08-04 07:56:44 241,693 ----a-w C:\WINDOWS\system32\msjtes40.dll + 2008-03-25 04:50:42 248,608 ----a-w C:\WINDOWS\system32\msjtes40.dll - 2004-08-04 07:56:44 213,023 ----a-w C:\WINDOWS\system32\msltus40.dll + 2008-03-25 04:50:44 219,936 ----a-w C:\WINDOWS\system32\msltus40.dll - 2004-08-04 07:56:44 348,189 ----a-w C:\WINDOWS\system32\mspbde40.dll + 2008-03-25 04:50:45 355,104 ----a-w C:\WINDOWS\system32\mspbde40.dll - 2004-08-04 07:56:44 421,919 ----a-w C:\WINDOWS\system32\msrd2x40.dll + 2008-03-25 04:50:47 432,928 ----a-w C:\WINDOWS\system32\msrd2x40.dll - 2004-08-04 07:56:44 315,423 ----a-w C:\WINDOWS\system32\msrd3x40.dll + 2008-03-25 04:50:49 322,336 ----a-w C:\WINDOWS\system32\msrd3x40.dll - 2004-08-04 07:56:44 552,989 ----a-w C:\WINDOWS\system32\msrepl40.dll + 2008-03-25 04:50:52 559,904 ----a-w C:\WINDOWS\system32\msrepl40.dll - 2004-08-04 07:56:44 258,077 ----a-w C:\WINDOWS\system32\mstext40.dll + 2008-03-25 04:50:55 264,992 ----a-w C:\WINDOWS\system32\mstext40.dll - 2004-08-04 07:56:46 831,519 ----a-w C:\WINDOWS\system32\mswdat10.dll + 2008-03-25 04:50:57 838,432 ----a-w C:\WINDOWS\system32\mswdat10.dll - 2004-08-04 07:56:46 614,429 ----a-w C:\WINDOWS\system32\mswstr10.dll + 2008-03-25 04:50:58 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll - 2004-08-04 07:56:46 348,189 ----a-w C:\WINDOWS\system32\msxbde40.dll + 2008-03-25 04:50:58 355,104 ----a-w C:\WINDOWS\system32\msxbde40.dll . -- Snapshot reset to current date -- . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{97F7302A-147C-4435-901C-184375993BE6}] C:\WINDOWS\system32\yayvWnKC.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360] "Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 09:15 50528] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-07-28 15:19 4841472] "{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 14:48 479232] "avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-14 17:56 262401] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "NvMediaCenter"="C:\WINDOWS\system32\NVMCTRAY.DLL" [2003-07-28 15:19 49152] "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 14:18 443968] C:\Documents and Settings\David Lim\Start Menu\Programs\Startup\ 4t Tray Minimizer.lnk - C:\Program Files\4t Tray Minimizer\4t-min.exe [2004-10-18 14:26:38 1141760] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "NoResolveSearch"= 1 (0x1) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoViewOnDrive"= 0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayvWnKC] yayvWnKC.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"= "C:\\Program Files\\Internet Explorer\\iexplore.exe"= "C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"= "C:\\Program Files\\LimeWire\\LimeWire.exe"= "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "C:\\Program Files\\AIM\\aim.exe"= "C:\\WINDOWS\\system32\\grdmgr.exe"= "C:\\Program Files\\Azureus\\Azureus.exe"= "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "C:\\Program Files\\MSN Messenger\\livecall.exe"= "C:\\WINDOWS\\network diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\AIM6\\aim6.exe"= "C:\\WINDOWS\\system32\\dplaysvr.exe"= "C:\\Program Files\\Microsoft Games\\Age of Empires 2 - The Age of Kings and Conquerors\\age2_x1\\age2_x1.exe"= "C:\\Program Files\\IGZones\\IGZones.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"= R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\drivers\avgntmgr.sys [2006-11-22 14:30] R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys [2007-02-27 15:18] R2 SVKP;SVKP;C:\WINDOWS\System32\SVKP.sys [2004-04-14 12:46] R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38] R3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;C:\WINDOWS\system32\DRIVERS\m4301A.sys [2004-12-21 16:16] S0 _epnt;Easy Protect NT Driver;C:\WINDOWS\system32\_epnt.sys [] S2 TmpUpSrv;AntiVir Update Temp;"C:\DOCUME~1\DAVIDL~1\LOCALS~1\TEMP\_VWUPSRV.EXE" [] S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 09:05] S3 cheetah1;cheetah1;C:\Documents and Settings\David Lim\Desktop\cheetahengine\cheetahengine\cheetah.sys [] S3 DADriv1;DADriv1;C:\Documents and Settings\David Lim\Desktop\DAEngine\DAEngine\DAK32.sys [] S3 DISK_DRIVE32;DISK_DRIVE32;C:\Documents and Settings\David Lim\My Documents\DiskDrove\Ms HackV.23 Part2\disk_1024.sys [] S3 GGK;GGK;C:\Documents and Settings\David Lim\My Documents\ggk\ggk.sys [] S3 iCheat1;iCheat1;C:\Documents and Settings\David Lim\Desktop\ICHEAT\nvid999.sys [] S3 kaspersky1;kaspersky1;C:\Documents and Settings\David Lim\Desktop\Kaspersky Engine 3.2\kaspersky.sys [] S3 NOWMEMDF;NOWMEMDF;C:\WINDOWS\system32\NOWMEMDF.sys [] S3 saruen;saruen;C:\Documents and Settings\David Lim\My Documents\Everything\saruengang101of\saruen.sys [] S3 saruenGang;saruenGang;C:\Documents and Settings\David Lim\My Documents\Everything\saruengang102\saruenGang.sys [] S3 sejt1;sejt1;C:\Documents and Settings\David Lim\My Documents\Everything\AkumaEngine33\AkumaEngine33\sejt.sys [] S3 spuce1;spuce1;C:\Documents and Settings\David Lim\Desktop\SPUCE2\SPUCE 2.0\spuce.sys [] S3 Visual1;Visual1;C:\Documents and Settings\David Lim\My Documents\Visual Engpine\Visual Engine\Visual.sys [] S3 XDva028;XDva028;C:\WINDOWS\system32\XDva028.sys [] S3 xp1;xp1;C:\Documents and Settings\David Lim\My Documents\Everything\xpengine\xp.sys [] . Contents of the 'Scheduled Tasks' folder "2008-05-10 00:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job" - C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe "2008-05-12 22:30:30 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe "2008-05-16 00:43:59 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job" - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE "2008-05-14 22:43:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job" - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe "2008-02-04 23:43:15 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job" - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe . ************************************************************************ catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-05-15 17:43:38 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\explorer.exe -> C:\Program Files\4t Tray Minimizer\ShellEh427.dll . ------------------------ Other Running Processes ------------------------ . C:\Program Files\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\AIM6\aolsoftware.exe . ************************************************************************ . Completion time: 2008-05-15 17:56:57 - machine was rebooted [David Lim] ComboFix-quarantined-files.txt 2008-05-16 00:56:26 ComboFix2.txt 2008-05-15 00:52:37 ComboFix3.txt 2007-05-13 17:37:08 Pre-Run: 45,320,654,848 bytes free Post-Run: 45,325,553,664 bytes free 282 --- E O F --- 2008-05-14 21:36:59 and finally, the HJT logfile (sorry i forgot to attach last time): Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 6:01:50 PM, on 5/15/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\Program Files\Google\Gmail Notifier\gnotify.exe C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\Program Files\QuickTime\QTTask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\AIM6\aim6.exe C:\Program Files\4t Tray Minimizer\4t-min.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\AIM6\aolsoftware.exe C:\WINDOWS\explorer.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: (no name) - {97F7302A-147C-4435-901C-184375993BE6} - C:\WINDOWS\system32\yayvWnKC.dll (file missing) O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file) O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user') O4 - Startup: 4t Tray Minimizer.lnk = C:\Program Files\4t Tray Minimizer\4t-min.exe O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...arch.jhtml?p=ZK O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: http://.gunbound.net O15 - Trusted Zone: http://.nprotect.net O15 - Trusted Zone: http://*.softnyx.net O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633 O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.runaware.com/dolphin/wficat.cab O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://s.nx.com/activex/public_new/nxpm.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {340CCF52-D65F-4A11-80B3-13DC23697B59} (BugsInstall Control) - http://player.bugs.co.kr/install/BugsInstall_2005_11_06.cab O16 - DPF: {3942BD43-B5CE-465F-9AC3-16BA93994273} (DosirakControl Control) - http://kt68kmssdn.dosirak.com/Commons/Acti...irakControl.ocx O16 - DPF: {3EFC2239-B769-469F-A5E6-38693AE0B9DE} (Sysinfo2 Control) -

Rorschach112 View Member Profile	May 16 2008, 04:54 AM Post #11
GeekU Teacher Posts: 34,385 From: Dublin OS: XP	Hello 1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present): R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank O2 - BHO: (no name) - {97F7302A-147C-4435-901C-184375993BE6} - C:\WINDOWS\system32\yayvWnKC.dll (file missing) O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file) O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...arch.jhtml?p=ZK 2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis. Please download Malwarebytes' Anti-Malware from Here or Here Double Click mbam-setup.exe to install the application. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. If an update is found, it will download and install the latest version. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish,so please be patient. When the scan is complete, click OK, then Show Results to view the results. Make sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note) The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. Copy&Paste the entire report in your next reply. Extra Note: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly. Reboot and post a new HijackThis log and tell me how your PC is running

MISTERSTALKER View Member Profile	May 16 2008, 04:27 PM Post #12
Member Posts: 62 OS: XP	Alright! The computer it completely back to the way it was before the infection . Meaning, the startup is a bit slow, but I can deal with it. Awesome thanks a lot! Here's the mbam log: Malwarebytes' Anti-Malware 1.12 Database version: 755 Scan type: Quick Scan Objects scanned: 37283 Time elapsed: 14 minute(s), 20 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 24 Registry Values Infected: 1 Registry Data Items Infected: 0 Folders Infected: 2 Files Infected: 2 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{40722371-e24c-4b36-8e76-010bb6c7185b} (Adware.CWS) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{825c19d3-35ce-428f-876b-88e080466689} (Adware.CWS) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Typelib\{0409743c-e5e3-4bdd-9ec7-eff622530282} (Adware.CWS) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{6f553c18-15e6-4e5e-8f44-add50de754ed} (Adware.CWS) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{072039ab-2117-4ed5-a85f-9b9eb903e021} (Adware.CWS) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{072039ab-2117-4ed5-a85f-9b9eb903e021} (Adware.CWS) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\nowstarter.nowstarterctrl.1 (Adware.CWS) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{700e2f50-dc4d-41de-84eb-193eabb2900d} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Typelib\{e959253d-2f5c-480c-b7d2-6bd8996a05b1} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{0ac49246-419b-4ee0-8917-8818daad6a4e} (Adware.180Solutions) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{0ebacaf2-e0f9-47a9-98cf-0ecce30b654c} (Adware.180Solutions) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{99410cde-6f16-42ce-9d49-3807f78f0287} (Adware.180Solutions) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{f31a5d11-bf0b-4a4e-90af-274f2090aaa6} (Adware.180Solutions) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\Adsl Software Limited (Rogue.MalWarrior) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\ZangoToolbar 4.8.3 (Adware.Zango) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: C:\Documents and Settings\All Users\Application Data\Adsl Software Limited (Rogue.MalWarrior) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008 (Rogue.MalWarrior) -> Quarantined and deleted successfully. Files Infected: C:\WINDOWS\system32\NowStarter.ocx (Adware.CWS) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\Malwarrior.exe (Rogue.MalWarrior) -> Quarantined and deleted successfully. And here's the HJT log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 3:25:04 PM, on 5/16/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\Program Files\Google\Gmail Notifier\gnotify.exe C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\Program Files\QuickTime\QTTask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\AIM6\aim6.exe C:\Program Files\4t Tray Minimizer\4t-min.exe C:\Program Files\Common Files\AOL\Loader\aolload.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\AIM6\aolsoftware.exe C:\Program Files\AIM6\aolsoftware.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user') O4 - Startup: 4t Tray Minimizer.lnk = C:\Program Files\4t Tray Minimizer\4t-min.exe O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: http://.gunbound.net O15 - Trusted Zone: http://.nprotect.net O15 - Trusted Zone: http://.softnyx.net O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633 O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.runaware.com/dolphin/wficat.cab O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://s.nx.com/activex/public_new/nxpm.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {340CCF52-D65F-4A11-80B3-13DC23697B59} (BugsInstall Control) - http://player.bugs.co.kr/install/BugsInstall_2005_11_06.cab O16 - DPF: {3942BD43-B5CE-465F-9AC3-16BA93994273} (DosirakControl Control) - http://kt68kmssdn.dosirak.com/Commons/Acti...irakControl.ocx O16 - DPF: {3EFC2239-B769-469F-A5E6-38693AE0B9DE} (Sysinfo2 Control) - http://speed.nca.or.kr/login/sysinfo2.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...72/mcinsctl.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab O16 - DPF: {5DAEF053-DEF0-4752-A963-CCE9B49B0B79} (Gogs Class) - http://app.ipop.co.kr/gogsweb/gogsweb.cab O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownlo...Plugin11USA.cab O16 - DPF: {6F4863C1-482C-4744-8946-4AEA34DF1A16} (FreechalOn Class) - http://login.freechal.com/freechalon/FcOnCtl12.cab O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9_1/dmcc2.cab O16 - DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} (MagicLockOCX Control) - http://www.diodeo.com/MagicLockOCX.cab O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/XTools.cab O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab O16 - DPF: {AD08A7E2-BA60-4733-92E3-A7AA0C0A39E2} (butterple Control) - http://blogfile.paran.com/BLOG_178551/2005..._butterplay.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab O16 - DPF: {BC5E698E-77CF-45EF-80A3-090A4B6AAF83} (HGPlugin8USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin8USA.cab O16 - DPF: {BCA935CA-7E41-4F73-BA9C-FAB4393DBAC0} (MADanalCtrl Control) - http://www.csafer.net/ActiveX/MAStreamCtrl.cab O16 - DPF: {BCEF5CDE-BAD4-4532-A30B-9D16D502DE69} (BugsInstallEx Control) - http://install.bugs.co.kr/install/BugsInstallerEx.cab O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.co.kr/install/BugsLoader20041018.cab O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1008 Class) - http://hompy.hangame.com/common/HanSetup1008.cab O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/gamedownlo...Plugin10USA.cab O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL O20 - Winlogon Notify: yayvWnKC - yayvWnKC.dll (file missing) O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: AntiVir Update Temp (TmpUpSrv) - Unknown owner - C:\DOCUME~1\DAVIDL~1\LOCALS~1\TEMP\_VWUPSRV.EXE (file missing) O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe -- End of file - 11768 bytes Again, thanks!!!! This post has been edited by MISTERSTALKER*: May 16 2008, 04:27 PM

Rorschach112 View Member Profile	May 18 2008, 11:29 AM Post #13
GeekU Teacher Posts: 34,385 From: Dublin OS: XP	Just one thing Fix this entry with HijackThis O20 - Winlogon Notify: yayvWnKC - yayvWnKC.dll (file missing) Reboot and post a new HijackThis log

MISTERSTALKER View Member Profile	May 18 2008, 12:18 PM Post #14
Member Posts: 62 OS: XP	Hi! Alrighty, here it is: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:17:41 AM, on 5/18/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\Program Files\Google\Gmail Notifier\gnotify.exe C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\Program Files\QuickTime\QTTask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\AIM6\aim6.exe C:\Program Files\4t Tray Minimizer\4t-min.exe C:\Program Files\Common Files\AOL\Loader\aolload.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\AIM6\aolsoftware.exe C:\Program Files\AIM6\aolsoftware.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user') O4 - Startup: 4t Tray Minimizer.lnk = C:\Program Files\4t Tray Minimizer\4t-min.exe O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: http://.gunbound.net O15 - Trusted Zone: http://.nprotect.net O15 - Trusted Zone: http://*.softnyx.net O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633 O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.runaware.com/dolphin/wficat.cab O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://s.nx.com/activex/public_new/nxpm.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {340CCF52-D65F-4A11-80B3-13DC23697B59} (BugsInstall Control) - http://player.bugs.co.kr/install/BugsInstall_2005_11_06.cab O16 - DPF: {3942BD43-B5CE-465F-9AC3-16BA93994273} (DosirakControl Control) - http://kt68kmssdn.dosirak.com/Commons/Acti...irakControl.ocx O16 - DPF: {3EFC2239-B769-469F-A5E6-38693AE0B9DE} (Sysinfo2 Control) - http://speed.nca.or.kr/login/sysinfo2.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...72/mcinsctl.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab O16 - DPF: {5DAEF053-DEF0-4752-A963-CCE9B49B0B79} (Gogs Class) - http://app.ipop.co.kr/gogsweb/gogsweb.cab O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownlo...Plugin11USA.cab O16 - DPF: {6F4863C1-482C-4744-8946-4AEA34DF1A16} (FreechalOn Class) - http://login.freechal.com/freechalon/FcOnCtl12.cab O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9_1/dmcc2.cab O16 - DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} (MagicLockOCX Control) - http://www.diodeo.com/MagicLockOCX.cab O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/XTools.cab O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab O16 - DPF: {AD08A7E2-BA60-4733-92E3-A7AA0C0A39E2} (butterple Control) - http://blogfile.paran.com/BLOG_178551/2005..._butterplay.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab O16 - DPF: {BC5E698E-77CF-45EF-80A3-090A4B6AAF83} (HGPlugin8USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin8USA.cab O16 - DPF: {BCA935CA-7E41-4F73-BA9C-FAB4393DBAC0} (MADanalCtrl Control) - http://www.csafer.net/ActiveX/MAStreamCtrl.cab O16 - DPF: {BCEF5CDE-BAD4-4532-A30B-9D16D502DE69} (BugsInstallEx Control) - http://install.bugs.co.kr/install/BugsInstallerEx.cab O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.co.kr/install/BugsLoader20041018.cab O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1008 Class) - http://hompy.hangame.com/common/HanSetup1008.cab O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/gamedownlo...Plugin10USA.cab O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: AntiVir Update Temp (TmpUpSrv) - Unknown owner - C:\DOCUME~1\DAVIDL~1\LOCALS~1\TEMP\_VWUPSRV.EXE (file missing) O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe -- End of file - 11706 bytes

Rorschach112 View Member Profile	May 19 2008, 06:22 AM Post #15
GeekU Teacher Posts: 34,385 From: Dublin OS: XP	Your logs are clean Follow these steps to uninstall Combofix and tools used in the removal of malware Click START then RUN Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there. You now need to update your Java and remove your older versions. Please follow these steps to remove older version Java components. * Click Start > Control Panel. * Click Add/Remove Programs. * Check any item with Java Runtime Environment (JRE) in the name. * Click the Remove or Change/Remove button. Download the latest version of Java Runtime Environment (JRE), and install it to your computer from here Below I have included a number of recommendations for how to protect your computer against malware infections. * Keep Windows updated by regularly checking their website at : http://windowsupdate.microsoft.com/ This will ensure your computer has always the latest security updates available installed on your computer. * To reduce re-infection for malware in the future, I strongly recommend installing these free programs: SpywareBlaster protects against bad ActiveX IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all Have a look at this tutorial for IE-Spyad here * SpywareGuard offers realtime protection from spyware installation attempts. Make Internet Explorer more secure Click Start > Run Type Inetcpl.cpl & click OK Click on the Security tab Click Reset all zones to default level Make sure the Internet Zone is selected & Click Custom level In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable". Next Click OK, then Apply button and then OK to exit the Internet Properties page. * MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future. * Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here * Take a good look at the following suggestions for malware prevention by reading Tony Klein�s article 'How Did I Get Infected In The First Place' Here Thank you for your patience, and performing all of the procedures requested.

« Next Oldest · Virus, Spyware and Trojan Removal · Next Newest »

2 Pages

1 2 >

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Topic Title	Replies / Views	Topic Information
Virus, Spyware and Trojan Removal Need help removing virtumonde trojan! Cant remove it [RESOLVED] 12	18 / 902	1st September 2008 - 07:44 PM Stu03 started - last by fenzodahl512
Virus, Spyware and Trojan Removal Smitfraud.C Trojan - Can't Get Rid of It [RESOLVED]	8 / 887	15th September 2008 - 02:37 AM Ybbor started - last by Thunderbird1988
Virus, Spyware and Trojan Removal I got a VIRUS and i need help removing it [RESOLVED] 123	42 / 2,371	8th November 2008 - 10:52 PM Flakko started - last by andrewuk
Virus, Spyware and Trojan Removal Mostly tuns of pop ups, mambam got most of it [RESOLVED]	11 / 459	5th December 2008 - 11:51 AM Jay Worner started - last by fenzodahl512