Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

vundo HijackThis log with uninstall_list, SUPERAntiSpyware Scan Log an

Started by kuraikinzoku , Feb 03 2008 09:38 PM

  • This topic is locked This topic is locked

#1
kuraikinzoku
Posted 03 February 2008 - 09:38 PM

kuraikinzoku

    Member

  • Member
  • PipPip
  • 38 posts
Here i have listed my
HijackThis log,
SUPERAntiSpyware Scan Log
uninstall_list and
Activescan results

what should i do next can some one please help?
------------------------------------------------------------------------------------------------------------------
HijakThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:22:24 PM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\dXNlciAx\command.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\tsitra72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A284662E902BC
9ED7286138F75F2F0C8D6E84A1EF604776CA6C1637FE13FD97CB77
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1202104112593
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: awvvw - C:\WINDOWS\system32\awvvw.dll (file missing)
O20 - Winlogon Notify: crypt32set - C:\WINDOWS\Media\fuwarxyus.dll
O20 - Winlogon Notify: jkkjgda - jkkjgda.dll (file missing)
O20 - Winlogon Notify: khfdedb - khfdedb.dll (file missing)
O21 - SSODL: fNeLX - {88E34F55-2249-E5FF-C9E3-BDBA8E07AA7C} - C:\WINDOWS\system32\xqs.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\dXNlciAx\command.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\bnpqyoqi.exe (file missing)
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

--
End of file - 4046 bytes

-------------------------------------------------------------------------------------------------------------
uninstall_list


Adobe Flash Player 9 ActiveX
Apple Mobile Device Support
Apple Software Update
AVG Anti-Spyware 7.5
BCM V.92 56K Modem
BHO
Broadcom 440x 10/100 Integrated Controller
Command
Dell ResourceCD
Enhanced Ads by Think-Adz removal
HijackThis 2.0.2
Intel® Extreme Graphics Driver
Internet Speed Monitor
iTunes
Microsoft Office Professional Edition 2003
Network Monitor
OIN
Outerinfo
Panda ActiveScan
QuickTime
Roxio DLA
Roxio Express Labeler
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB923689)
Sonic Update Manager
SoundMAX
SUPERAntiSpyware Free Edition
SystemDoctor 1.1.173.0
TargetSaver
Think-Adz Search Assistant removal
Update for Windows XP (KB898461)
WinAntiSpyware 2006 Free 3.2.118.1
Windows Installer 3.1 (KB893803)

-------------------------------------------------------------------------------------------------------------

Activescan results

Incident Status Location

Adware:Adware/SearchAid Not disinfected C:\Program Files\Network Monitor\netmon.exe
Adware:Adware/CommAd Not disinfected C:\WINDOWS\dXNlciAx\command.exe
Adware:Adware/CommAd Not disinfected C:\WINDOWS\dXNlciAx\asappsrv.dll
Adware:adware/commad Not disinfected c:\windows\system32\atmtd.dll
Adware:adware/sqwire Not disinfected c:\windows\system32\tsuninst.exe
Potentially unwanted tool:application/winfixer2005 Not disinfected c:\windows\downloaded program files\UWA7P_0001_N91M0809NetInstaller.exe
Potentially unwanted tool:application/regclean32 Not disinfected C:\Documents and Settings\Owner\Desktop\Click to Find and Fix Errors.url
Adware:adware/keenvalue Not disinfected c:\program files\BHO
Potentially unwanted tool:application/winantispyware2006 Not disinfected hkey_local_machine\system\currentcontrolset\services\uwasfsd
Virus:Trj/Sinowal.RB Disinfected C:\30.tmp
Adware:Adware/Yazzle Not disinfected C:\38.tmp
Adware:Adware/Adband Not disinfected C:\3A.tmp
Virus:Trj/Downloader.QDR Disinfected C:\3E.tmp
Adware:Adware/Yazzle Not disinfected C:\D4.tmp
Virus:Trj/Downloader.RQM Disinfected C:\D6.tmp
Virus:Trj/Downloader.OBC Disinfected C:\D9.tmp
Virus:Generic Trojan Disinfected C:\Documents and Settings\All Users\Application Data\jmvkzqlc.dll
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\LocalService\Cookies\system@enhance[2].txt
Potentially unwanted tool:Application/Win-Touch Not disinfected C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\whlwov.exe
Virus:Trj/Agent.GJJ Disinfected C:\Documents and Settings\Owner\Application Data\WinTouch\WinTouch.exe
Potentially unwanted tool:Application/Win-Touch Not disinfected C:\Documents and Settings\Owner\Application Data\WinTouch\WTUninstaller.exe
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\!update.exe
Virus:Generic Trojan Disinfected C:\Documents and Settings\Owner\Local Settings\Temp\e22d6yJ7.exe
Virus:Generic Trojan Disinfected C:\Documents and Settings\Owner\Local Settings\Temp\EHyuMPWj.exe
Virus:Trj/Clicker.MP Disinfected C:\Documents and Settings\Owner\Local Settings\Temp\hegfcdxb.exe
Virus:Trj/Downloader.PJT Disinfected C:\Documents and Settings\Owner\Local Settings\Temp\hqyysbxi.exe
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\ipwlbooh.dll
Adware:Adware/Amera Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\ismtpa1.exe[ISMPack6.exe]
Virus:Trj/Downloader.QLY Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\ismupd8.exe[ISMPack5.exe]
Virus:Trj/Clicker.MP Disinfected C:\Documents and Settings\Owner\Local Settings\Temp\iwuotusw.exe
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\ixytwbgm.dll
Virus:Generic Malware Disinfected C:\Documents and Settings\Owner\Local Settings\Temp\NI.UWAS6_0001_N91M1508\setup.exe
Virus:Trj/Clicker.MP Disinfected C:\Documents and Settings\Owner\Local Settings\Temp\psbuafic.exe
Virus:Trj/Downloader.PJT Disinfected C:\Documents and Settings\Owner\Local Settings\Temp\qgvmwxns.exe
Virus:Generic Trojan Disinfected C:\Documents and Settings\Owner\Local Settings\Temp\RhnM2Cwy.exe
Virus:Trj/Downloader.PCQ Disinfected C:\Documents and Settings\Owner\Local Settings\Temp\rkmohnko.exe
Virus:Trj/Clicker.MP Disinfected C:\Documents and Settings\Owner\Local Settings\Temp\rpvjxecq.exe
Virus:Trj/Exitwin.D Disinfected C:\Documents and Settings\Owner\Local Settings\Temp\rsysinit.exe
Virus:Trj/Downloader.PUT Disinfected C:\Documents and Settings\Owner\Local Settings\Temp\snapsnet.exe
Virus:Trj/Agent.GAP Disinfected C:\Documents and Settings\Owner\Local Settings\Temp\sysskpi.exe
Adware:Adware/Zenosearch Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\thinksnet.exe
Adware:Adware/Sqwire Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\tsinstall_4_0_4_0_b4.exe
Adware:Adware/Sqwire Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\tsupdate_4_0_4_1_b3.exe
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\ugqpskds.dll
Virus:Trj/Agent.GYL Disinfected C:\Documents and Settings\Owner\Local Settings\Temp\UpdateInsider\Installeur.exe
Virus:Trj/Agent.GYL Disinfected C:\Documents and Settings\Owner\Local Settings\Temp\UpdateInsider.zip[Installeur.exe]
Possible Virus. Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\UpdateWords\installeur.exe
Possible Virus. Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\UpdateWords.zip[installeur.exe]
Potentially unwanted tool:Application/ErrorSafe Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\USDR6_9999_N18M1603\installer.exe
Adware:Adware/BaiduBar Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\XgcDl3x2.exe
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\xnxgyhmq.dll
Adware:Adware/Yazzle Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\yazzlesnet.exe
Potentially unwanted tool:Application/SystemDoctor2006 Not disinfected C:\Documents and Settings\Owner\My Documents\SystemDoctorNewReleaseInstall.exe
Virus:Generic Trojan Disinfected C:\Documents and Settings\Owner\~tmp1174.exe
Adware:Adware/Yazzle Not disinfected C:\E5.tmp
Virus:Trj/Downloader.RQM Disinfected C:\E7.tmp
Virus:Trj/Downloader.OBC Disinfected C:\EA.tmp
Virus:Trj/Agent.GDJ Disinfected C:\Program Files\BHO\plugin.dll
Virus:Trj/Agent.GDJ Disinfected C:\Program Files\BHO\uninstall.exe
Virus:Generic Trojan Disinfected C:\Program Files\chctkdad\elgbatsf.dll
Potentially unwanted tool:Application/DriveCleaner Not disinfected C:\Program Files\Common Files\WinAntiSpyware 2006 Free\uwasdc.exe
Potentially unwanted tool:Application/DriveCleaner Not disinfected C:\Program Files\Common Files\WinAntiSpyware 2006 Free\uwasers.exe
Adware:Adware/Yazzle Not disinfected C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
Adware:Adware/Yazzle Not disinfected C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
Adware:Adware/Yazzle Not disinfected C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
Adware:Adware/Yazzle Not disinfected C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
Adware:Adware/Yazzle Not disinfected C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
Adware:Adware/Yazzle Not disinfected C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
Adware:Adware/Sqwire Not disinfected C:\Program Files\Common Files\zoku\zokua.exe
Adware:Adware/Sqwire Not disinfected C:\Program Files\Common Files\zoku\zokud\zokuc.dll
Adware:Adware/Sqwire Not disinfected C:\Program Files\Common Files\zoku\zokul.exe
Adware:Adware/Sqwire Not disinfected C:\Program Files\Common Files\zoku\zokum.exe
Adware:Adware/Sqwire Not disinfected C:\Program Files\Common Files\zoku\zokup.exe
Adware:Adware/PurityScan Not disinfected C:\Program Files\Common Files\?ecurity\services.exe
Adware:Adware/InternetSpeedMonitor Not disinfected C:\Program Files\ISM\archupd.exe
Virus:Trj/Downloader.MDW Disinfected C:\Program Files\ISM\BndDrive.dll
Virus:Generic Malware Disinfected C:\Program Files\ISM\BndDrive6.dll
Potentially unwanted tool:Application/DownAndRun Not disinfected C:\Program Files\ISM\bndloader.exe
Adware:Adware/Adband Not disinfected C:\Program Files\ISM\ism.exe
Virus:Trj/Downloader.QLX Not disinfected C:\Program Files\ISM\syncupd.exe[ISMModule4.exe]
Virus:Trj/Downloader.MDW Not disinfected C:\Program Files\ISM\synupd.exe[ISMModule6.exe]
Virus:Generic Malware Not disinfected C:\Program Files\ISM\synupd.exe[BndDrive6.dll]
Virus:Trj/Downloader.REF Disinfected C:\Program Files\ISM2\cringupd.exe
Virus:Trj/Downloader.QLY Disinfected C:\Program Files\ISM2\ISMPack5.exe
Adware:Adware/Amera Not disinfected C:\Program Files\ISM2\ISMPack6.exe
Virus:Trj/Downloader.MDW Disinfected C:\Program Files\ISM2\ISMPack8.exe
Virus:Generic Trojan Disinfected C:\Program Files\Mnpakzgu\btjwtfvn.dll
Adware:Adware/Zenosearch Not disinfected C:\Program Files\Outerinfo\FF\components\FF.dll
Adware:Adware/InternetSpeedMonitor Not disinfected C:\Program Files\QdrModule\QdrModule9.exe
Adware:Adware/InternetSpeedMonitor Not disinfected C:\Program Files\QdrPack\QdrPack11.exe
Adware:Adware/InternetSpeedMonitor Not disinfected C:\Program Files\QdrPack\trffyupd.exe[QdrPack11.exe]
Possible Virus. Not disinfected C:\Program Files\SecCenter\scprot4.exe
Virus:Trj/Downloader.MDW Disinfected C:\Program Files\Temporary\wininstall.exe
Virus:Generic Trojan Disinfected C:\Program Files\Web Buying\v1.8.0\webbuying.exe
Virus:Trj/Downloader.QLZ Disinfected C:\Program Files\WinAble\winable.exe
Virus:Generic Malware Disinfected C:\Program Files\WinAntiSpyware 2006 Free\AsAgents.dll
Spyware:Application/ErrorProtector Not disinfected C:\Program Files\WinAntiSpyware 2006 Free\InstHelp.exe
Virus:Generic Malware Disinfected C:\Program Files\WinAntiSpyware 2006 Free\uwas6chk.dll
Potentially unwanted tool:Application/DriveCleaner Not disinfected C:\Program Files\WinAntiSpyware 2006 Free\uwas6cw.exe
Potentially unwanted tool:Application/WinAntivirus Not disinfected C:\Program Files\WinAntiSpyware 2006 Free\uwasffNT.exe
Virus:Trj/Downloader.MDW Disinfected C:\Program Files\WinAntiSpyware 2006 Free\was6.exe
Virus:Trj/Agent.GAP Disinfected C:\sysskpi.exe
Virus:Generic Malware Disinfected C:\WINDOWS\b103.exe
Virus:Generic Trojan Disinfected C:\WINDOWS\b104.exe
Virus:Trj/Downloader.MDW Disinfected C:\WINDOWS\b122.exe
Virus:Trj/Downloader.MDW Disinfected C:\WINDOWS\b122.exe.bin[b122.exe]
Adware:Adware/Yazzle Not disinfected C:\WINDOWS\b128.exe
Virus:Trj/Downloader.PLQ Disinfected C:\WINDOWS\b138.exe
Virus:Trj/Downloader.MDW Disinfected C:\WINDOWS\b143.exe
Virus:Trj/Downloader.MDW Disinfected C:\WINDOWS\b147.exe
Adware:Adware/CommAd Not disinfected C:\WINDOWS\dXNlciAx\xrh5w2EU.vbs
Possible Virus. Not disinfected C:\WINDOWS\Media\fuwarxyus.dll
Adware:Adware/Yazzle Not disinfected C:\WINDOWS\retadpu72.exe.tmp
Virus:Trj/BHO.O Disinfected C:\WINDOWS\system32\02cSTWdY.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\abeeriqd.dll
Virus:Trj/Downloader.OZB Disinfected C:\WINDOWS\system32\acxwwhls.exe
Virus:Trj/Downloader.OZB Disinfected C:\WINDOWS\system32\aduwpuqm.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ahhdbrsk.dll
Virus:Trj/Downloader.OZB Disinfected C:\WINDOWS\system32\aphtptwp.exe
Virus:Trj/Downloader.OZB Disinfected C:\WINDOWS\system32\apovjnwj.exe
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\atmtd.dll._
Adware:Adware/BHO Not disinfected C:\WINDOWS\system32\AU48iI55.dll
Virus:Trj/Downloader.OZB Disinfected C:\WINDOWS\system32\axuhiuhf.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\befbufne.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\bewwqgbr.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\bhmljnhk.dll
Virus:Trj/Downloader.OZB Disinfected C:\WINDOWS\system32\bpmdovvu.exe
Virus:Trj/Downloader.OZB Disinfected C:\WINDOWS\system32\bqiseqqk.exe
Virus:Trj/Downloader.OZB Disinfected C:\WINDOWS\system32\brcwwutc.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\brfbvcum.dll
Virus:Trj/Downloader.OZB Disinfected C:\WINDOWS\system32\btnlfuhw.exe
Virus:Trj/Downloader.OZB Disinfected C:\WINDOWS\system32\cgdrxpjn.exe
Virus:Trj/Downloader.OZB Disinfected C:\WINDOWS\system32\chhxjihf.exe
Spyware:Cookie/YieldManager Not disinfected C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\WINDOWS\system32\config\systemprofile\Cookies\system@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\WINDOWS\system32\config\systemprofile\Cookies\system@fastclick[2].txt
Spyware:Cookie/Overture Not disinfected C:\WINDOWS\system32\config\systemprofile\Cookies\system@overture[1].txt
Spyware:Cookie/Zedo Not disinfected C:\WINDOWS\system32\config\systemprofile\Cookies\system@zedo[1].txt
Virus:Trj/Downloader.OZB Disinfected C:\WINDOWS\system32\crdctscn.exe
Virus:Trj/Downloader.OZB Disinfected C:\WINDOWS\system32\crfvcmqr.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\dbuxurmt.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ddmjvohc.dll
Virus:Trj/Downloader.OZB Disinfected C:\WINDOWS\system32\devxqcqh.exe
Virus:Trj/Downloader.OZB Disinfected C:\WINDOWS\system32\dhxjomxv.exe
Virus:W32/ZlFake.A Disinfected C:\WINDOWS\system32\DLA\DLACTRLW.EXE
Virus:Trj/Downloader.OZB Disinfected C:\WINDOWS\system32\dlhrsumc.exe
Virus:Trj/Downloader.OZB Disinfected C:\WINDOWS\system32\dlvuward.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\dmncmler.dll
Virus:Trj/Downloader.OZB Disinfected C:\WINDOWS\system32\dniutnss.exe

Edited by kuraikinzoku, 04 February 2008 - 03:52 AM.

  • 0

Advertisements

#2
Rorschach112
Posted 04 February 2008 - 10:42 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.




Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#3
kuraikinzoku
Posted 05 February 2008 - 06:03 PM

kuraikinzoku

    Member

  • Topic Starter
  • Member
  • PipPip
  • 38 posts
SDFix report

SDFix: Version 1.136

Run by Owner on Tue 02/05/2008 at 05:41 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
cmdService
ICF
Network Monitor
runtime
runtime2
smtpdrv
QVB05

Path:
C:\WINDOWS\dXNlciAx\command.exe
C:\WINDOWS\system32\svchost.exe:exe.exe
C:\Program Files\Network Monitor\netmon.exe service
\??\C:\WINDOWS\System32\drivers\runtime.sys
\SystemRoot\system32\drivers\runtime2.sys
System32\DRIVERS\smtpdrv.sys
System32\Drivers\Qvb05.sys

cmdService - Deleted
ICF - Deleted
Network Monitor - Deleted
runtime - Deleted
runtime2 - Deleted
smtpdrv - Deleted
QVB05 - Deleted



Infected ip6fw.sys Found!

ip6fw.sys File Locations:

"C:\WINDOWS\system32\dllcache\ip6fw.sys" 29056 08/12/2004 05:58 AM
"C:\WINDOWS\system32\drivers\ip6fw.sys" 29056 08/12/2004 05:58 AM

Infected File Listed Below:

C:\WINDOWS\system32\drivers\ip6fw.sys

File copied to Backups Folder
Attempting to replace ip6fw.sys with original version...

Original ip6fw.sys Restored


Restoring Windows Registry Values
Restoring Windows Default Hosts File

---------------------------------------------------------------------------------------------------------

Deckard's System Scanner main

Deckard's System Scanner v20071014.68
Run by Owner on 2008-02-05 18:56:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 3 Restore Point(s) --
3: 2008-02-06 02:56:05 UTC - RP22 - Deckard's System Scanner Restore Point
2: 2008-02-06 02:28:49 UTC - RP21 - System Checkpoint
1: 2008-02-06 01:44:46 UTC - RP20 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 255 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:56:35 PM, on 2/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1202104112593
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: awvvw - C:\WINDOWS\system32\awvvw.dll (file missing)
O20 - Winlogon Notify: crypt32set - C:\WINDOWS\Media\fuwarxyus.dll
O20 - Winlogon Notify: jkkjgda - jkkjgda.dll (file missing)
O20 - Winlogon Notify: khfdedb - khfdedb.dll (file missing)
O21 - SSODL: fNeLX - {88E34F55-2249-E5FF-C9E3-BDBA8E07AA7C} - C:\WINDOWS\system32\xqs.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\bnpqyoqi.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 3163 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Mta38 - c:\windows\system32\drivers\mta38.sys
R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S0 uwasfsd - c:\windows\system32\drivers\uwasfsd.sys (file missing)
S3 catchme - c:\docume~1\owner\locals~1\temp\catchme.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

S2 DomainService - c:\windows\system32\bnpqyoqi.exe /service (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-02-05 00:00:00 350 --a------ C:\WINDOWS\Tasks\At1.job
2008-02-04 02:00:00 350 --a------ C:\WINDOWS\Tasks\At3.job
2008-02-04 01:00:00 350 --a------ C:\WINDOWS\Tasks\At2.job
2008-02-03 23:00:00 350 --a------ C:\WINDOWS\Tasks\At24.job
2008-02-03 22:00:00 350 --a------ C:\WINDOWS\Tasks\At23.job
2008-02-03 18:00:00 350 --a------ C:\WINDOWS\Tasks\At19.job
2008-02-03 17:00:01 350 --a------ C:\WINDOWS\Tasks\At18.job
2008-02-03 16:00:01 350 --a------ C:\WINDOWS\Tasks\At17.job
2008-02-03 15:00:01 350 --a------ C:\WINDOWS\Tasks\At16.job
2008-02-03 14:00:00 350 --a------ C:\WINDOWS\Tasks\At15.job
2008-02-03 13:00:00 350 --a------ C:\WINDOWS\Tasks\At14.job
2008-02-03 12:00:00 350 --a------ C:\WINDOWS\Tasks\At13.job
2008-02-03 11:00:00 350 --a------ C:\WINDOWS\Tasks\At12.job
2008-02-03 10:00:00 350 --a------ C:\WINDOWS\Tasks\At11.job
2008-02-03 09:00:00 350 --a------ C:\WINDOWS\Tasks\At10.job
2008-02-03 08:00:00 350 --a------ C:\WINDOWS\Tasks\At9.job
2008-02-03 07:00:00 350 --a------ C:\WINDOWS\Tasks\At8.job
2008-02-03 06:00:00 350 --a------ C:\WINDOWS\Tasks\At7.job
2008-02-03 05:00:00 350 --a------ C:\WINDOWS\Tasks\At6.job
2008-02-03 04:00:00 350 --a------ C:\WINDOWS\Tasks\At5.job
2008-02-03 03:00:00 350 --a------ C:\WINDOWS\Tasks\At4.job
2008-01-31 21:00:00 350 --a------ C:\WINDOWS\Tasks\At22.job
2008-01-31 20:00:04 350 --a------ C:\WINDOWS\Tasks\At21.job
2008-01-31 19:00:07 350 --a------ C:\WINDOWS\Tasks\At20.job
2007-09-08 09:23:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-01-05 and 2008-02-05 -----------------------------

2008-02-05 17:40:10 0 d-------- C:\WINDOWS\ERUNT
2008-02-03 22:21:55 0 d-------- C:\Program Files\Trend Micro
2008-02-03 21:54:22 0 d-------- C:\WINDOWS\system32\PreInstall
2008-02-03 11:19:57 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-02-02 22:33:15 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-02 22:29:59 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-02-02 22:29:58 0 d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-02-02 22:27:14 96832 --a------ C:\WINDOWS\system32\kcoohkpx.dll
2008-02-02 22:24:27 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-02 21:35:57 0 d-------- C:\Documents and Settings\Owner\Application Data\??crosoft.NET
2008-02-02 21:35:38 0 d--h----- C:\WINDOWS\$hf_mig$
2008-02-02 21:33:57 69184 --a------ C:\WINDOWS\system32\hiltkalg.dll
2008-02-02 21:30:56 0 d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-02-02 21:29:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-02 21:25:38 0 d-------- C:\WINDOWS\pss
2008-02-02 21:21:08 0 d--h----- C:\Documents and Settings\Administrator.USER-0358FF83F2\Templates
2008-02-02 21:21:08 0 dr------- C:\Documents and Settings\Administrator.USER-0358FF83F2\Start Menu
2008-02-02 21:21:08 0 dr-h----- C:\Documents and Settings\Administrator.USER-0358FF83F2\SendTo
2008-02-02 21:21:08 0 d--h----- C:\Documents and Settings\Administrator.USER-0358FF83F2\Recent
2008-02-02 21:21:08 0 d--h----- C:\Documents and Settings\Administrator.USER-0358FF83F2\PrintHood
2008-02-02 21:21:08 0 d--h----- C:\Documents and Settings\Administrator.USER-0358FF83F2\NetHood
2008-02-02 21:21:08 0 d-------- C:\Documents and Settings\Administrator.USER-0358FF83F2\My Documents
2008-02-02 21:21:08 0 d--h----- C:\Documents and Settings\Administrator.USER-0358FF83F2\Local Settings
2008-02-02 21:21:08 0 d-------- C:\Documents and Settings\Administrator.USER-0358FF83F2\Favorites
2008-02-02 21:21:08 0 d-------- C:\Documents and Settings\Administrator.USER-0358FF83F2\Desktop
2008-02-02 21:21:08 0 d---s---- C:\Documents and Settings\Administrator.USER-0358FF83F2\Cookies
2008-02-02 21:21:08 0 dr-h----- C:\Documents and Settings\Administrator.USER-0358FF83F2\Application Data
2008-02-02 21:21:08 0 d---s---- C:\Documents and Settings\Administrator.USER-0358FF83F2\Application Data\Microsoft
2008-02-02 21:21:07 524288 --ah----- C:\Documents and Settings\Administrator.USER-0358FF83F2\NTUSER.DAT
2008-01-31 23:41:06 99560 ---hs---- C:\WINDOWS\system32\ttutv.ini2
2008-01-24 19:03:32 87616 --a------ C:\WINDOWS\system32\prbskdmp.dll
2008-01-24 19:01:38 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-01-24 19:01:29 32256 --a------ C:\WINDOWS\system32\kwkx.exe
2008-01-24 19:00:55 0 d-------- C:\WINDOWS\system32\?ecurity
2008-01-24 18:59:39 0 d-------- C:\Program Files\RcvSystem
2008-01-24 18:59:14 80448 --a------ C:\WINDOWS\system32\pkpdnhir.dll
2008-01-24 18:57:19 74304 --a------ C:\WINDOWS\system32\xrkmuvlg.exe <Not Verified; ; DDC>


-- Find3M Report ---------------------------------------------------------------

2008-02-05 17:44:40 0 d-------- C:\Program Files\Network Monitor
2008-02-05 17:44:40 0 d-------- C:\Program Files\Common Files
2008-02-05 17:44:39 0 d-------- C:\Program Files\Words
2008-02-05 17:44:38 0 d-------- C:\Program Files\Insider
2008-02-05 17:44:38 0 d-------- C:\Documents and Settings\Owner\Application Data\WinTouch
2008-02-05 00:24:34 0 d-------- C:\Program Files\Messenger
2008-02-03 18:35:18 155648 --a------ C:\WINDOWS\system32\igfxtray.exe <Not Verified; Intel Corporation; Intel® Common User Interface>
2008-02-03 18:35:13 118784 --a------ C:\WINDOWS\system32\hkcmd.exe <Not Verified; Intel Corporation; Intel® Common User Interface>
2008-02-03 18:28:40 0 d-------- C:\Program Files\WinAntiSpyware 2006 Free
2008-02-03 18:28:36 0 d-------- C:\Program Files\WinAble
2008-02-03 18:28:35 0 d-------- C:\Program Files\Temporary
2008-02-03 18:27:49 0 d-------- C:\Program Files\Mnpakzgu
2008-02-03 18:26:00 0 d-------- C:\Program Files\ISM2
2008-02-03 18:25:58 0 d-------- C:\Program Files\ISM
2008-02-03 18:24:14 0 d-------- C:\Program Files\chctkdad
2008-02-03 18:24:12 0 d--h----- C:\Program Files\BHO
2008-02-02 22:27:08 108659 ---hs---- C:\WINDOWS\system32\ttutv.bak2
2008-02-02 21:35:57 0 d-------- C:\Documents and Settings\Owner\Application Data\?ystem32
2008-02-02 21:35:57 0 d-------- C:\Documents and Settings\Owner\Application Data\??crosoft.NET
2008-01-24 19:01:09 929 --a------ C:\WINDOWS\system32\winpfz32.sys
2008-01-24 18:58:33 0 d-------- C:\Program Files\QdrPack
2007-12-16 12:07:23 80448 --a------ C:\WINDOWS\system32\xxuluwmm.dll
2007-12-16 12:06:55 74304 --a------ C:\WINDOWS\system32\rqyjxxug.exe <Not Verified; ; DDC>
2007-12-16 11:53:43 80448 --a------ C:\WINDOWS\system32\hhfvvesk.dll
2007-12-16 11:50:53 85568 --a------ C:\WINDOWS\system32\yvdwgtvf.dll
2007-12-16 11:48:25 74304 --a------ C:\WINDOWS\system32\naqgwsnd.exe <Not Verified; ; DDC>
2007-12-16 11:41:07 2 --a------ C:\WINDOWS\system32\wnsinticom32.exe
2007-12-16 11:39:45 0 d-------- C:\Documents and Settings\Owner\Application Data\?ecurity
2007-11-10 07:17:08 71232 --a------ C:\WINDOWS\system32\dbuxurmt.exe <Not Verified; ; DDC>


-- Registry Dump ---------------------------------------------------------------



-- End of Deckard's System Scanner: finished at 2008-02-05 18:57:11 ------------

--------------------------------------------------------------------------------------------------------------

Deckard's System Scanner extra


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.20GHz
Percentage of Memory in Use: 68%
Physical Memory (total/avail): 254.48 MiB / 80.46 MiB
Pagefile Memory (total/avail): 625.48 MiB / 376.15 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1946.3 MiB

C: is Fixed (NTFS) - 74.47 GiB total, 70.97 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is Removable (FAT)

\\.\PHYSICALDRIVE0 - WDC WD800BB-75FRA0 - 74.5 GiB - 2 partitions
\PARTITION0 - Unknown - 31.35 MiB
\PARTITION1 (bootable) - Installable File System - 74.47 GiB - C:

\\.\PHYSICALDRIVE1 - SanDisk Cruzer Micro USB Device - 486.34 MiB - 1 partition
\PARTITION0 - MS-DOS V4 Huge - 488.63 MiB - F:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\BHO\\uninstall.exe"="C:\\Program Files\\BHO\\uninstall.exe:*:Enabled:BHO"
"C:\\WINDOWS\\system32\\bnpqyoqi.exe"="C:\\WINDOWS\\system32\\bnp"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\system32\\svchost.exe"="C:\\WINDOWS\\system32\\svchost.exe:*:Enabled:svchost"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=USER-0358FF83F2
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\USER-0358FF83F2
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0204
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=USER-0358FF83F2
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Administrator.USER-0358FF83F2 (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Apple Mobile Device Support --> MsiExec.exe /I{763E8D6C-0098-4FF4-801A-3F311D2D9D80}
Apple Software Update --> MsiExec.exe /I{492724FC-3B26-46B4-824F-3CE2722D9AA0}
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
BCM V.92 56K Modem --> C:\WINDOWS\BCMSMU.exe quiet
BHO --> C:\Program Files\BHO\uninstall.exe
Broadcom 440x 10/100 Integrated Controller --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{52504CE6-E909-4113-B232-4AFEC6543A61} /l1033
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
Enhanced Ads by Think-Adz removal --> C:\WINDOWS\system32\swinpmdq.exe -UPop
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
Internet Speed Monitor --> C:\Program Files\ISM\Uninstall.exe
iTunes --> MsiExec.exe /I{974C05A0-C76C-4724-A9A2-11D5D1355729}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
Roxio DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Roxio Express Labeler --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Roxio RecordNow Audio --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Roxio RecordNow Copy --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Roxio RecordNow Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
SystemDoctor 1.1.173.0 --> "C:\Program Files\SystemDoctor Free\unins000.exe"
TargetSaver --> C:\WINDOWS\system32\tsuninst.exe /u
Think-Adz Search Assistant removal --> C:\WINDOWS\system32\swinpmdq.exe -USearch
WinAntiSpyware 2006 Free 3.2.118.1 --> "C:\Program Files\WinAntiSpyware 2006 Free\unins000.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type1475 / Warning
Event Submitted/Written: 02/03/2008 03:31:30 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type1466 / Error
Event Submitted/Written: 01/24/2008 07:07:19 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application 007703C500610063006C0074002E006500780065, version 0.0.0.0, faulting module msvcrt.dll, version 7.0.2600.2180, fault address 0x000372e3.
Processing media-specific event for [007703C500610063006C0074002E006500780065!ws!]

Event Record #/Type1465 / Error
Event Submitted/Written: 01/24/2008 07:07:19 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module jmvkzqlc.dll, version 0.0.0.0, fault address 0x0000eb37.
Processing media-specific event for [iexplore.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type4332 / Error
Event Submitted/Written: 02/05/2008 06:01:49 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
uwasfsd

Event Record #/Type4329 / Error
Event Submitted/Written: 02/05/2008 05:44:43 PM
Event ID/Source: 1 / sr
Event Description:
The System Restore filter encountered the unexpected error '0xC0000022' while processing the file 'Qvb05.sys' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.

Event Record #/Type4328 / Error
Event Submitted/Written: 02/05/2008 05:43:17 PM
Event ID/Source: 7006 / Service Control Manager
Event Description:
The ScRegSetValueExW call failed for DeleteFlag with the following error:
%%5

Event Record #/Type4325 / Error
Event Submitted/Written: 02/05/2008 05:40:19 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AVG Anti-Spyware Driver
Fips
intelppm
OMCI
runtime2
SASDIFSV
SASKUTIL
smtpdrv
uwasfsd

Event Record #/Type4324 / Error
Event Submitted/Written: 02/05/2008 05:39:15 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}



-- End of Deckard's System Scanner: finished at 2008-02-05 18:57:11 ------------
  • 0

#4
Rorschach112
Posted 05 February 2008 - 06:39 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
  • 0

#5
kuraikinzoku
Posted 05 February 2008 - 08:51 PM

kuraikinzoku

    Member

  • Topic Starter
  • Member
  • PipPip
  • 38 posts
ComboFix log

ComboFix 08-02.05.3 - Owner 2008-02-05 21:36:32.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.91 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - svchost.exe: deleted 49664 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\All Users\Application Data\salesmonitor
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\Owner\Application Data\CROSOF~1.NET
C:\Documents and Settings\Owner\Application Data\CROSOF~1.NET\w?crtupd.exe
C:\Documents and Settings\Owner\Application Data\ECURIT~1
C:\Documents and Settings\Owner\Application Data\FunWebProducts
C:\Documents and Settings\Owner\Application Data\FunWebProducts\Data\Owner\avatar.dat
C:\Documents and Settings\Owner\Application Data\WinAntiSpyware 2006
C:\Documents and Settings\Owner\Application Data\WinAntiSpyware 2006\Logs\update.log
C:\Documents and Settings\Owner\Application Data\WinTouch
C:\Documents and Settings\Owner\Application Data\YSTEM3~1
C:\Documents and Settings\Owner\err.log
C:\Documents and Settings\Owner\Local Settings\Application Data\n.ini
C:\Documents and Settings\Owner\My Documents\SKS~1
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\BHO
C:\Program Files\BHO\bho.dat
C:\Program Files\BHO\er.dat
C:\Program Files\Common Files\ecurit~1
C:\Program Files\Common Files\ecurit~1\?ecurity\
C:\Program Files\Common Files\ecurit~1\services.exe
C:\Program Files\Common Files\racle~1
C:\Program Files\Common Files\sks~1
C:\Program Files\Common Files\WinAntiSpyware 2006 Free
C:\Program Files\Common Files\WinAntiSpyware 2006 Free\uwasdc.exe
C:\Program Files\Common Files\WinAntiSpyware 2006 Free\uwasers.exe
C:\Program Files\fnts~1
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\Shared\0009B6A2.dat
C:\Program Files\icroso~1.net
C:\Program Files\inetget2
C:\Program Files\Insider
C:\Program Files\ISM
C:\Program Files\ISM\archupd.exe
C:\Program Files\ISM\BndDrive2.dll
C:\Program Files\ISM\bndloader.exe
C:\Program Files\ISM\dictionary.gz
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\syncupd.exe
C:\Program Files\ISM\synupd.exe
C:\Program Files\ISM\targets.gz
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\ISM2
C:\Program Files\ISM2\dictionary.gz
C:\Program Files\ISM2\hydramedupd.exe
C:\Program Files\ISM2\ISMPack6.exe
C:\Program Files\ISM2\targets.gz
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\network monitor
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dic.gz
C:\Program Files\QdrModule\kwd.gz
C:\Program Files\QdrModule\QdrModule9.exe
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\QdrPack10.exe
C:\Program Files\QdrPack\QdrPack11.exe
C:\Program Files\QdrPack\QdrPack12.exe
C:\Program Files\QdrPack\trffyupd.exe
C:\Program Files\QdrPack\trgts.gz
C:\Program Files\SecCenter
C:\Program Files\SecCenter\scprot4.exe
C:\Program Files\stem~1
C:\Program Files\Temporary
C:\Program Files\web buying
C:\Program Files\WinAble
C:\Program Files\winantispyware 2006 free
C:\Program Files\winantispyware 2006 free\Activate.dat
C:\Program Files\winantispyware 2006 free\AsAgents.xml
C:\Program Files\winantispyware 2006 free\atl71.dll
C:\Program Files\winantispyware 2006 free\bnlink.dat
C:\Program Files\winantispyware 2006 free\database\appupdate.dat
C:\Program Files\winantispyware 2006 free\database\AutoProcess.dat
C:\Program Files\winantispyware 2006 free\database\dbupdate.dat
C:\Program Files\winantispyware 2006 free\database\enemies.dat
C:\Program Files\winantispyware 2006 free\database\knownfiles.dat
C:\Program Files\winantispyware 2006 free\database\monstate.dat
C:\Program Files\winantispyware 2006 free\database\PortSpec.ats
C:\Program Files\winantispyware 2006 free\database\quaratine.dat\#post_quarantine
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\0\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\1\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\10\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\11\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\11\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\12\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\13\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\15\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\16\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\17\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\18\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\19\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\2\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\20\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\21\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\22\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\23\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\25\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\26\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\27\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\28\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\28\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\29\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\3\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\30\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\31\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\32\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\33\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\34\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\35\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\36\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\37\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\38\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\4\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\40\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\41\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\42\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\43\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\44\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\45\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\46\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\47\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\47\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\48\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\49\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\5\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\50\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\51\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\52\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\53\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\6\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\7\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\8\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#agents\9\#startup
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\DirMonitor\c__\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\DirMonitor\c__\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\DirMonitor\C__Documents and Settings_All Users_Start Menu_Programs_Startup\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\DirMonitor\C__Documents and Settings_All Users_Start Menu_Programs_Startup\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\DirMonitor\C__Documents and Settings_Owner_Start Menu_Programs_Startup\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\DirMonitor\C__Documents and Settings_Owner_Start Menu_Programs_Startup\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\FileMonitor\C__WINDOWS_inf_iereset.inf\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\FileMonitor\C__WINDOWS_inf_iereset.inf\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\FileMonitor\C__WINDOWS_system.ini\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\FileMonitor\C__WINDOWS_system.ini\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\FileMonitor\C__WINDOWS_system32_drivers_etc_hosts\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\FileMonitor\C__WINDOWS_system32_drivers_etc_hosts\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\FileMonitor\C__WINDOWS_win.ini\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\FileMonitor\C__WINDOWS_win.ini\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcr___shellex_contextmenuhandlers\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcr___shellex_contextmenuhandlers\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcr_comfile_shell_open_command\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcr_comfile_shell_open_command\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcr_directory_shellex_contextmenuhandlers\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcr_directory_shellex_contextmenuhandlers\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcr_drive_shellex_contextmenuhandlers\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcr_drive_shellex_contextmenuhandlers\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcr_exefile_shell_open_command\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcr_exefile_shell_open_command\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcr_mime_database_content type\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcr_mime_database_content type\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcr_protocols\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcr_protocols\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_control panel_don't load\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_control panel_don't load\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_control panel_don't load\Owner
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_active setup_installed components\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_active setup_installed components\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_active setup_installed components\Owner
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_internet explorer_extensions\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_internet explorer_extensions\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_internet explorer_extensions\Owner
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_internet explorer_main\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_internet explorer_main\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_internet explorer_main\Owner
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_internet explorer_menuext\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_internet explorer_menuext\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_internet explorer_menuext\Owner
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_internet explorer_searchurl\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_internet explorer_searchurl\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_internet explorer_searchurl\Owner
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_windows nt_currentversion_windows\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_windows nt_currentversion_windows\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_windows nt_currentversion_windows\Owner
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_windows_currentversion_explorer_user shell folders\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_windows_currentversion_explorer_user shell folders\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_windows_currentversion_explorer_user shell folders\Owner
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_windows_currentversion_ext_stats\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_windows_currentversion_ext_stats\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_windows_currentversion_ext_stats\Owner
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_windows_currentversion_internet settings\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_windows_currentversion_internet settings\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_windows_currentversion_internet settings\Owner
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_windows_currentversion_internet settings_zonemap_domains\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_windows_currentversion_internet settings_zonemap_domains\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_windows_currentversion_internet settings_zonemap_domains\Owner
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_windows_currentversion_policies_explorer\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_windows_currentversion_policies_explorer\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_windows_currentversion_policies_explorer\Owner
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_windows_currentversion_policies_explorer_run\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_windows_currentversion_policies_explorer_run\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_windows_currentversion_policies_explorer_run\Owner
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_windows_currentversion_policies_system\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_windows_currentversion_policies_system\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_windows_currentversion_policies_system\Owner
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_windows_currentversion_run\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_windows_currentversion_run\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_windows_currentversion_run\Owner
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_windows_currentversion_runonce\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_windows_currentversion_runonce\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_windows_currentversion_runonce\Owner
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_windows_currentversion_runonce_setup\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_windows_currentversion_runonce_setup\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_microsoft_windows_currentversion_runonce_setup\Owner
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_mirabilis_icq_agent_apps\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_mirabilis_icq_agent_apps\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_mirabilis_icq_agent_apps\Owner
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_policies_microsoft_internet explorer\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_policies_microsoft_internet explorer\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_policies_microsoft_internet explorer\Owner
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_policies_microsoft_internet explorer_control panel\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_policies_microsoft_internet explorer_control panel\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_policies_microsoft_internet explorer_control panel\Owner
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_policies_microsoft_internet explorer_restrictions\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_policies_microsoft_internet explorer_restrictions\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hkcu_software_policies_microsoft_internet explorer_restrictions\Owner
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_active setup_installed components\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_active setup_installed components\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_code store database_distribution units\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_code store database_distribution units\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_internet explorer_abouturls\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_internet explorer_abouturls\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_internet explorer_explorer bars\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_internet explorer_explorer bars\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_internet explorer_extensions\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_internet explorer_extensions\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_internet explorer_main\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_internet explorer_main\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_internet explorer_search\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_internet explorer_search\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_internet explorer_toolbar\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_internet explorer_toolbar\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_internet explorer_urlsearchhooks\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_internet explorer_urlsearchhooks\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_windows nt_currentversion_image file execution options\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_windows nt_currentversion_image file execution options\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_windows nt_currentversion_inifilemapping\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_windows nt_currentversion_inifilemapping\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_windows nt_currentversion_windows\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_windows nt_currentversion_windows\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_windows nt_currentversion_winlogon\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_windows nt_currentversion_winlogon\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_windows nt_currentversion_winlogon_notify\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_windows nt_currentversion_winlogon_notify\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_windows_currentversion_explorer_browser helper objects\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_windows_currentversion_explorer_browser helper objects\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_windows_currentversion_explorer_sharedtaskscheduler\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_windows_currentversion_explorer_sharedtaskscheduler\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_windows_currentversion_explorer_shellexecutehooks\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_windows_currentversion_explorer_shellexecutehooks\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_windows_currentversion_internet settings_zonemap_domains\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_windows_currentversion_internet settings_zonemap_domains\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_windows_currentversion_policies_explorer\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_windows_currentversion_policies_explorer\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_windows_currentversion_run\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_windows_currentversion_run\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_windows_currentversion_runonce\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_windows_currentversion_runonce\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_windows_currentversion_runonce_setup\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_windows_currentversion_runonce_setup\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_windows_currentversion_runonceex\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_windows_currentversion_runonceex\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_windows_currentversion_shell extensions_approved\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_windows_currentversion_shell extensions_approved\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_windows_currentversion_shellserviceobjectdelayload\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_windows_currentversion_shellserviceobjectdelayload\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_windows_currentversion_url\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_windows_currentversion_url\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_windows_currentversion_windowsupdate_auto update\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_microsoft_windows_currentversion_windowsupdate_auto update\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_policies_microsoft_internet explorer_restrictions\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_software_policies_microsoft_internet explorer_restrictions\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_system_currentcontrolset_control_lsa\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_system_currentcontrolset_control_lsa\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_system_currentcontrolset_control_session manager\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_system_currentcontrolset_control_session manager\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_system_currentcontrolset_services\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_system_currentcontrolset_services\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_system_currentcontrolset_services_tcpip_parameters_interfaces\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_system_currentcontrolset_services_tcpip_parameters_interfaces\#name
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_system_currentcontrolset_services_winsock2_parameters_protocol_catalog
9_catalog_entries\#data
C:\Program Files\winantispyware 2006 free\database\RTMonitor.dat\#monitors\RegMonitor\hklm_system_currentcontrolset_services_winsock2_parameters_protocol_catalog
9_catalog_entries\#name
C:\Program Files\winantispyware 2006 free\database\Summary.dat
C:\Program Files\winantispyware 2006 free\database\tasks.dat
C:\Program Files\winantispyware 2006 free\database\TEBase.dat
C:\Program Files\winantispyware 2006 free\database\threatnet.dat
C:\Program Files\winantispyware 2006 free\diagnosis.dat
C:\Program Files\winantispyware 2006 free\err.log
C:\Program Files\winantispyware 2006 free\InstHelp.exe
C:\Program Files\winantispyware 2006 free\lapv.dat
C:\Program Files\winantispyware 2006 free\license.rtf
C:\Program Files\winantispyware 2006 free\manual.url
C:\Program Files\winantispyware 2006 free\mfc71.dll
C:\Program Files\winantispyware 2006 free\msvcp71.dll
C:\Program Files\winantispyware 2006 free\msvcr71.dll
C:\Program Files\winantispyware 2006 free\pv.dat
C:\Program Files\winantispyware 2006 free\readme.rtf
C:\Program Files\winantispyware 2006 free\scanlog.xml
C:\Program Files\winantispyware 2006 free\shellext.xml
C:\Program Files\winantispyware 2006 free\sr.log
C:\Program Files\winantispyware 2006 free\support.url
C:\Program Files\winantispyware 2006 free\unins000.dat
C:\Program Files\winantispyware 2006 free\unins000.exe
C:\Program Files\winantispyware 2006 free\up.dat
C:\Program Files\winantispyware 2006 free\updater.dat
C:\Program Files\winantispyware 2006 free\uwas6cw.exe
C:\Program Files\winantispyware 2006 free\uwasffNT.exe
C:\Program Files\winantispyware 2006 free\vbpv.dat
C:\Program Files\winantispyware 2006 free\WAS6.url
C:\Program Files\winantispyware 2006 free\was6.xml
C:\Program Files\Words
C:\Temp\1cb
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\b122.exe.bin
C:\WINDOWS\cookies.ini
C:\WINDOWS\Media\fuwarxyus.dll
C:\WINDOWS\msettings.ini
C:\WINDOWS\system32\5_exception.nls
C:\WINDOWS\system32\A1
C:\WINDOWS\system32\abeeriqd.dll
C:\WINDOWS\system32\ahhdbrsk.dll
C:\WINDOWS\system32\befbufne.dll
C:\WINDOWS\system32\bewwqgbr.dll
C:\WINDOWS\system32\bhmljnhk.dll
C:\WINDOWS\system32\bldqxswl.ini
C:\WINDOWS\system32\bmalkhag.ini
C:\WINDOWS\system32\bonicpvn.ini
C:\WINDOWS\system32\brfbvcum.dll
C:\WINDOWS\system32\caudyubv.ini
C:\WINDOWS\system32\ccnakrby.ini
C:\WINDOWS\system32\chovjmdd.ini
C:\WINDOWS\system32\clvqyrav.ini
C:\WINDOWS\system32\curity~1
C:\WINDOWS\system32\cycwuuwd.ini
C:\WINDOWS\system32\dbuxurmt.exe
C:\WINDOWS\system32\ddmjvohc.dll
C:\WINDOWS\system32\ddpupuix.ini
C:\WINDOWS\system32\dishofgl.ini
C:\WINDOWS\system32\dmncmler.dll
C:\WINDOWS\system32\dqireeba.ini
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\drivers\runtime2.sys
C:\WINDOWS\system32\dsgyifrm.dll
C:\WINDOWS\system32\dwdsrngt.exe
C:\WINDOWS\system32\dwuuwcyc.dll
C:\WINDOWS\system32\dwveicak.dll
C:\WINDOWS\system32\ecurit~1
C:\WINDOWS\system32\ehtxxqfo.dll
C:\WINDOWS\system32\eimkbyjw.ini
C:\WINDOWS\system32\enfubfeb.ini
C:\WINDOWS\system32\eqnubcss.dll
C:\WINDOWS\system32\ewtjuwsw.dll
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\fccyabc.dll
C:\WINDOWS\system32\fjekmjrl.ini
C:\WINDOWS\system32\fvtgwdvy.ini
C:\WINDOWS\system32\gahklamb.dll
C:\WINDOWS\system32\gebbcca.dll
C:\WINDOWS\system32\hgaceccs.ini
C:\WINDOWS\system32\hhfvvesk.dll
C:\WINDOWS\system32\hiltkalg.dll
C:\WINDOWS\system32\hjcbyurx.ini
C:\WINDOWS\system32\hjimflnq.ini
C:\WINDOWS\system32\hkbyoqsq.ini
C:\WINDOWS\system32\idskeedy.ini
C:\WINDOWS\system32\jcdnkgdq.ini
C:\WINDOWS\system32\jkkkhee.dll
C:\WINDOWS\system32\kacievwd.ini
C:\WINDOWS\system32\kcoohkpx.dll
C:\WINDOWS\system32\khnjlmhb.ini
C:\WINDOWS\system32\ksrbdhha.ini
C:\WINDOWS\system32\kvpmncju.dll
C:\WINDOWS\system32\kwkx.exe
C:\WINDOWS\system32\ldfxbuwp.ini
C:\WINDOWS\system32\lgfohsid.dll
C:\WINDOWS\system32\limiihnm.dll
C:\WINDOWS\system32\lrjmkejf.dll
C:\WINDOWS\system32\lwsxqdlb.dll
C:\WINDOWS\system32\lwtljkmn.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mfmmjxnv.dll
C:\WINDOWS\system32\mnhiimil.ini
C:\WINDOWS\system32\mrfiygsd.ini
C:\WINDOWS\system32\mucvbfrb.ini
C:\WINDOWS\system32\naqgwsnd.exe
C:\WINDOWS\system32\nmkjltwl.ini
C:\WINDOWS\system32\nobejepp.dll
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\nvpcinob.dll
C:\WINDOWS\system32\ofqxxthe.ini
C:\WINDOWS\system32\okwucxgq.dll
C:\WINDOWS\system32\opnkhed.dll
C:\WINDOWS\system32\pkpdnhir.dll
C:\WINDOWS\system32\pmdksbrp.ini
C:\WINDOWS\system32\pnjibabx.dll
C:\WINDOWS\system32\ppejebon.ini
C:\WINDOWS\system32\prbskdmp.dll
C:\WINDOWS\system32\pwubxfdl.dll
C:\WINDOWS\system32\qdgkndcj.dll
C:\WINDOWS\system32\qftpqtxs.dll
C:\WINDOWS\system32\qgxcuwko.ini
C:\WINDOWS\system32\qiymidxv.ini
C:\WINDOWS\system32\qiymidxv.tmp
C:\WINDOWS\system32\qnlfmijh.dll
C:\WINDOWS\system32\qsqoybkh.dll
C:\WINDOWS\system32\rbgqwweb.ini
C:\WINDOWS\system32\rosqtghu.ini
C:\WINDOWS\system32\rqrommj.dll
C:\WINDOWS\system32\rqyjxxug.exe
C:\WINDOWS\system32\sccecagh.dll
C:\WINDOWS\system32\sscbunqe.ini
C:\WINDOWS\system32\sxtqptfq.ini
C:\WINDOWS\system32\trxlnbfv.ini
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\system32\ttutv.bak1
C:\WINDOWS\system32\ttutv.bak2
C:\WINDOWS\system32\ttutv.ini
C:\WINDOWS\system32\ttutv.ini2
C:\WINDOWS\system32\ttutv.tmp
C:\WINDOWS\system32\uhgtqsor.dll
C:\WINDOWS\system32\ujcnmpvk.ini
C:\WINDOWS\system32\uqotnhbf.ini
C:\WINDOWS\system32\varyqvlc.dll
C:\WINDOWS\system32\vbuyduac.dll
C:\WINDOWS\system32\vfbnlxrt.dll
C:\WINDOWS\system32\vnxjmmfm.ini
C:\WINDOWS\system32\votfpcjy.ini
C:\WINDOWS\system32\vxdimyiq.dll
C:\WINDOWS\system32\win
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\wjybkmie.dll
C:\WINDOWS\system32\wnsinticom32.exe
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\audio.dll.cla
C:\WINDOWS\system32\wsnpoem\video.dll
C:\WINDOWS\system32\wswujtwe.ini
C:\WINDOWS\system32\wvurqnm.dll
C:\WINDOWS\system32\xbabijnp.ini
C:\WINDOWS\system32\xiupupdd.dll
C:\WINDOWS\system32\xrkmuvlg.exe
C:\WINDOWS\system32\xruybcjh.dll
C:\WINDOWS\system32\xxuluwmm.dll
C:\WINDOWS\system32\ybrkancc.dll
C:\WINDOWS\system32\ydeeksdi.dll
C:\WINDOWS\system32\yjcpftov.dll
C:\WINDOWS\system32\yvdwgtvf.dll
C:\WINDOWS\system32\Z1
C:\WINDOWS\system32\Z2

----- BITS: Possible infected sites -----

hxxp://www.download.windowsupdate.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2008-01-06 to 2008-02-06 )))))))))))))))))))))))))))))))
.

2008-02-05 17:40 . 2008-02-05 17:40 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-04 23:17 . 2008-02-05 18:02 <DIR> d-------- C:\SDFix
2008-02-03 22:21 . 2008-02-03 22:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-03 21:54 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-02-03 17:29 . 2006-05-05 01:41 453,120 -----c--- C:\WINDOWS\system32\dllcache\mrxsmb.sys
2008-02-03 11:20 . 2008-02-03 17:42 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-03 11:20 . 2008-02-03 17:42 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-03 11:20 . 2008-02-03 17:42 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-03 11:19 . 2008-02-03 18:32 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-02 22:33 . 2008-02-02 22:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-02 22:29 . 2008-02-03 18:28 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-02 22:29 . 2008-02-02 22:29 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-02-02 22:24 . 2008-02-02 22:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-02 21:35 . 2008-02-05 01:26 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-02-02 21:30 . 2008-02-02 21:30 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-02-02 21:30 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-02 21:29 . 2008-02-02 21:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-02 20:37 . 2008-02-02 20:37 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-02 20:37 . 2008-02-02 20:37 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-31 19:05 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-01-31 19:05 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-01-24 18:59 . 2008-02-03 18:28 <DIR> d-------- C:\Program Files\RcvSystem

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-04 02:27 --------- d-----w C:\Program Files\Mnpakzgu
2008-02-04 02:24 --------- d-----w C:\Program Files\chctkdad
2008-01-25 03:01 99 ----a-w C:\Documents and Settings\Owner\d.bat
2007-12-16 19:38 19,840 ----a-w C:\WINDOWS\system32\drivers\Mta38.sys
2007-10-08 18:39 126 ----a-w C:\Documents and Settings\Owner\c200.bat
2007-10-05 23:17 123 ----a-w C:\Documents and Settings\Owner\c.bat
2007-08-07 21:46 6,461 --sha-w C:\WINDOWS\system32\wvvwa.bak1
2007-08-11 18:05 1,700,299 --sha-w C:\WINDOWS\system32\wvvwa.bak2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25 6731312]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"fNeLX"= {88E34F55-2249-E5FF-C9E3-BDBA8E07AA7C} - C:\WINDOWS\system32\xqs.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awvvw]
C:\WINDOWS\system32\awvvw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32set]
C:\WINDOWS\Media\fuwarxyus.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkjgda]
jkkjgda.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfdedb]
khfdedb.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Think-Adz.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Think-Adz.lnk
backup=C:\WINDOWS\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2007-06-11 01:25 6731312 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\88e34ffb]
C:\WINDOWS\system32\prbskdmp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\csrss]
C:\WINDOWS\system32\wbem\csrss.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DC6_Check]
C:\Program Files\Common Files\WinAntiSpyware 2006 Free\uwasdc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Deeawedq]
C:\Documents and Settings\Owner\Application Data\?ystem32\w?aclt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
--a------ 2008-02-03 18:33 122880 C:\WINDOWS\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ERS_Check]
C:\Program Files\Common Files\WinAntiSpyware 2006 Free\uwasers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
--a------ 2007-10-27 16:26 196675 C:\WINDOWS\system32\swinpmdq.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hmlgfkbs]
C:\Program Files\chctkdad\elgbatsf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2008-02-03 18:35 118784 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2008-02-03 18:35 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Insider]
C:\Program Files\Insider\Insider.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 15:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 15:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-08-15 19:15 271672 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jmvkzqlc]
regsvr32 /u C:\Documents and Settings\All Users\Application Data\jmvkzqlc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kkbnoscj]
C:\Documents and Settings\Owner\Application Data\??crosoft.NET\w?crtupd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule9]
C:\Program Files\QdrModule\QdrModule9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack11]
C:\Program Files\QdrPack\QdrPack11.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack12]
C:\Program Files\QdrPack\QdrPack12.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 05:24 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Regscan]
C:\WINDOWS\system32\regscan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\
  • 0

#6
Rorschach112
Posted 06 February 2008 - 07:18 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Documents and Settings\Owner\d.bat
C:\WINDOWS\system32\drivers\Mta38.sys
C:\Documents and Settings\Owner\c200.bat
C:\Documents and Settings\Owner\c.bat
C:\WINDOWS\system32\wvvwa.bak1
C:\WINDOWS\system32\wvvwa.bak2
C:\WINDOWS\Media\fuwarxyus.dll
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\TA_Start.lnk
C:\WINDOWS\pss\TA_Start.lnkStartup
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Think-Adz.lnk
C:\WINDOWS\pss\Think-Adz.lnkStartup
C:\WINDOWS\system32\prbskdmp.dll
C:\WINDOWS\system32\wbem\csrss.exe
C:\WINDOWS\system32\swinpmdq.exe
C:\Documents and Settings\All Users\Application Data\jmvkzqlc.dll
C:\WINDOWS\system32\regscan.exe

Folder::
C:\Program Files\Mnpakzgu
C:\Program Files\chctkdad
C:\Program Files\Common Files\WinAntiSpyware 2006 Free
C:\Documents and Settings\Owner\Application Data\?ystem32
C:\Program Files\Common Files\WinAntiSpyware 2006 Free
C:\Program Files\Insider
C:\Documents and Settings\Owner\Application Data\??crosoft.NET
C:\Program Files\QdrModule
C:\Program Files\QdrPack
C:\Program Files\QdrPack

Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^TA_Start.lnk]
[-HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Think-Adz.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\88e34ffb]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\csrss]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DC6_Check]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Deeawedq]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ERS_Check]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hmlgfkbs]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Insider]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jmvkzqlc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kkbnoscj]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule9]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack11]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack12]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Regscan]

Dirlook::
C:\Program Files\RcvSystem


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



Also post a new HijackThis log
  • 0

#7
kuraikinzoku
Posted 06 February 2008 - 07:59 AM

kuraikinzoku

    Member

  • Topic Starter
  • Member
  • PipPip
  • 38 posts
ComboFix log

ComboFix 08-02.05.3 - Owner 2008-02-06 8:52:45.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.90 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\chctkdad
C:\Program Files\Mnpakzgu
C:\WINDOWS\system32\5_exception.nls

.
((((((((((((((((((((((((( Files Created from 2008-01-06 to 2008-02-06 )))))))))))))))))))))))))))))))
.

2008-02-05 17:40 . 2008-02-05 17:40 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-04 23:17 . 2008-02-05 18:02 <DIR> d-------- C:\SDFix
2008-02-03 22:21 . 2008-02-03 22:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-03 21:54 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-02-03 17:29 . 2006-05-05 01:41 453,120 -----c--- C:\WINDOWS\system32\dllcache\mrxsmb.sys
2008-02-03 11:20 . 2008-02-03 17:42 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-03 11:20 . 2008-02-03 17:42 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-03 11:20 . 2008-02-03 17:42 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-03 11:19 . 2008-02-03 18:32 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-02 22:33 . 2008-02-02 22:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-02 22:29 . 2008-02-03 18:28 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-02 22:29 . 2008-02-02 22:29 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-02-02 22:24 . 2008-02-02 22:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-02 21:35 . 2008-02-05 01:26 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-02-02 21:30 . 2008-02-02 21:30 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-02-02 21:30 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-02 21:29 . 2008-02-02 21:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-02 20:37 . 2008-02-02 20:37 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-02 20:37 . 2008-02-02 20:37 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-31 19:05 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-01-31 19:05 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-01-24 18:59 . 2008-02-03 18:28 <DIR> d-------- C:\Program Files\RcvSystem

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-04 02:35 155,648 ----a-w C:\WINDOWS\system32\igfxtray.exe
2008-02-04 02:35 118,784 ----a-w C:\WINDOWS\system32\hkcmd.exe
2008-01-25 03:01 99 ----a-w C:\Documents and Settings\Owner\d.bat
2007-12-16 19:38 19,840 ----a-w C:\WINDOWS\system32\drivers\Mta38.sys
2007-10-08 18:39 126 ----a-w C:\Documents and Settings\Owner\c200.bat
2007-10-05 23:17 123 ----a-w C:\Documents and Settings\Owner\c.bat
2007-08-07 21:46 6,461 --sha-w C:\WINDOWS\system32\wvvwa.bak1
2007-08-11 18:05 1,700,299 --sha-w C:\WINDOWS\system32\wvvwa.bak2
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Program Files\RcvSystem ----

2007-12-27 14:27 20480 --a------ C:\Program Files\RcvSystem\httpdchk.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25 6731312]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"fNeLX"= {88E34F55-2249-E5FF-C9E3-BDBA8E07AA7C} - C:\WINDOWS\system32\xqs.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awvvw]
C:\WINDOWS\system32\awvvw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32set]
C:\WINDOWS\Media\fuwarxyus.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkjgda]
jkkjgda.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfdedb]
khfdedb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2007-06-11 01:25 6731312 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
--a------ 2008-02-03 18:33 122880 C:\WINDOWS\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2008-02-03 18:35 118784 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2008-02-03 18:35 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 15:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 15:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-08-15 19:15 271672 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 05:24 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
C:\Program Files\Common Files\SystemDoctor\dcpasmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sen]
C:\PROGRA~1\COMMON~1\ECURIT~1\services.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w]
--a------ 2007-09-15 16:57 34816 C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\whlwov.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\startdrv]
C:\WINDOWS\Temp\startdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\svchost]
C:\WINDOWS\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemDoctor Free]
C:\Program Files\SystemDoctor Free\sdmain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uwas6cw]
C:\Program Files\WinAntiSpyware 2006 Free\uwas6cw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.8.0\webbuying.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]
C:\Program Files\WinAble\winable.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAntiSpyware 2006 Free]
C:\Program Files\WinAntiSpyware 2006 Free\was6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
C:\Program Files\WinPop\winpop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch]
C:\Documents and Settings\Owner\Application Data\WinTouch\WinTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wmjwkrfk]
--a------ 2007-09-20 15:35 56832 C:\Program Files\Qbkjqwxd\wmjwkrfk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Words]
C:\Program Files\Words\Words.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zoku]
--a------ 2006-07-19 13:56 9216 C:\PROGRA~1\COMMON~1\zoku\zokum.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{34-4F-F5-54-ZN}]
--a------ 2007-08-17 08:08 52769 C:\WINDOWS\system32\lodsrngs.exe

R0 Mta38;Mta38;C:\WINDOWS\system32\drivers\Mta38.sys [2007-12-16 11:38]
S0 uwasfsd;uwasfsd;C:\WINDOWS\system32\drivers\uwasfsd.sys []

.
Contents of the 'Scheduled Tasks' folder
"2007-09-08 17:23:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-06 08:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\fFwWEV8Q.exe
"2008-02-03 17:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\fFwWEV8Q.exe
"2008-02-03 18:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\fFwWEV8Q.exe
"2008-02-03 19:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\fFwWEV8Q.exe
"2008-02-03 20:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\fFwWEV8Q.exe
"2008-02-03 21:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\fFwWEV8Q.exe
"2008-02-03 22:00:00 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\fFwWEV8Q.exe
"2008-02-03 23:00:01 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\fFwWEV8Q.exe
"2008-02-04 00:00:01 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\fFwWEV8Q.exe
"2008-02-04 01:00:01 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\fFwWEV8Q.exe
"2008-02-04 02:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\fFwWEV8Q.exe
"2008-02-06 09:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\fFwWEV8Q.exe
"2008-02-06 03:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\fFwWEV8Q.exe
"2008-02-06 04:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\fFwWEV8Q.exe
"2008-02-06 05:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\fFwWEV8Q.exe
"2008-02-06 06:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\fFwWEV8Q.exe
"2008-02-06 07:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\fFwWEV8Q.exe
"2008-02-06 10:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\fFwWEV8Q.exe
"2008-02-06 11:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\fFwWEV8Q.exe
"2008-02-06 12:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\fFwWEV8Q.exe
"2008-02-06 13:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\fFwWEV8Q.exe
"2008-02-06 14:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\fFwWEV8Q.exe
"2008-02-06 15:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\fFwWEV8Q.exe
"2008-02-06 16:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\fFwWEV8Q.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-06 08:54:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-06 8:55:09
ComboFix-quarantined-files.txt 2008-02-06 16:55:00
ComboFix2.txt 2008-02-06 05:45:56
.
2008-02-05 09:33:32 --- E O F ---



----------------------------------------------------------------------------------------------------------------


HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:56:10 AM, on 2/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1202104112593
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: awvvw - C:\WINDOWS\system32\awvvw.dll (file missing)
O20 - Winlogon Notify: crypt32set - C:\WINDOWS\Media\fuwarxyus.dll (file missing)
O20 - Winlogon Notify: jkkjgda - jkkjgda.dll (file missing)
O20 - Winlogon Notify: khfdedb - khfdedb.dll (file missing)
O21 - SSODL: fNeLX - {88E34F55-2249-E5FF-C9E3-BDBA8E07AA7C} - C:\WINDOWS\system32\xqs.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 2839 bytes
  • 0

#8
Rorschach112
Posted 06 February 2008 - 08:06 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Download WinPFind35U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.
  • Open the WinPFind35u folder and double-click on WinPFind35U.exe to start the program.
  • Under Additional Scans check the box beside Reg - Disabled MS Config Items.
  • Under Rootkit Search change that to Yes.
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.

Make sure you attach the report in your reply.
  • 0

#9
kuraikinzoku
Posted 07 February 2008 - 03:28 PM

kuraikinzoku

    Member

  • Topic Starter
  • Member
  • PipPip
  • 38 posts 
WinPFind35 logfile created on: 2/7/2008 4:20:59 PM

WinPFind35U Version Beta46	 Folder = C:\Documents and Settings\Owner\Desktop\WinPFind35u

Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.2180)

 

254.48 Mb Total Physical Memory | 102.98 Mb Available Physical Memory | 40.46% Memory free

625.48 Mb Paging File | 388.02 Mb Available in Paging File | 62.04% Paging File free

Paging file location(s): C:\pagefile.sys 384 768;

 

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 74.47 Gb Total Space | 70.84 Gb Free Space | 95.13% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

Drive F: | 488.48 Mb Total Space | 295.14 Mb Free Space | 60.42% Space Free | Partition Type: FAT



Computer Name: USER-0358FF83F2

Current User Name: Owner

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user





[Processes - Non-Microsoft Only]

applemobiledeviceservice.exe -> %CommonProgramFiles%\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -> Apple, Inc. [Ver = 1, 12, 0, 0 | Size = 106496 bytes | Modified Date = 8/15/2007 6:43:42 PM | Attr =	]

guard.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 5/30/2007 4:31:10 AM | Attr =	]

avgas.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\avgas.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 43 | Size = 6731312 bytes | Modified Date = 6/11/2007 1:25:42 AM | Attr =	]

superantispyware.exe -> %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe -> SUPERAntiSpyware.com [Ver = 3, 6, 0, 1000 | Size = 1310720 bytes | Modified Date = 2/27/2007 11:39:26 AM | Attr =	]

winpfind35u.exe -> %UserDesktop%\WinPFind35u\WinPFind35U.exe -> OldTimer Tools [Ver = 1.0.0.0 | Size = 308224 bytes | Modified Date = 2/7/2008 1:47:38 PM | Attr =	]



[Win32 Services - Non-Microsoft Only]

(Apple Mobile Device) Apple Mobile Device [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -> Apple, Inc. [Ver = 1, 12, 0, 0 | Size = 106496 bytes | Modified Date = 8/15/2007 6:43:42 PM | Attr =	]

(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 5/30/2007 4:31:10 AM | Attr =	]

(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/12/2004 5:56:56 AM | Attr =	]

(iPod Service) iPod Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Inc. [Ver = 7.3.2.6 | Size = 501048 bytes | Modified Date = 8/15/2007 7:15:16 PM | Attr =	]



[Registry - Non-Microsoft Only]

< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 

!AVG Anti-Spyware -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\avgas.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 43 | Size = 6731312 bytes | Modified Date = 6/11/2007 1:25:42 AM | Attr =	]

< OptionalComponents [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ -> 

IMAIL-> Installed = 1 -> 

MAPI-> Installed = 1 -> 

MSFS-> Installed = 1 -> 

< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 

SUPERAntiSpyware -> %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe -> SUPERAntiSpyware.com [Ver = 3, 6, 0, 1000 | Size = 1310720 bytes | Modified Date = 2/27/2007 11:39:26 AM | Attr =	]

< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup -> 

< Owner Startup Folder > -> C:\Documents and Settings\Owner\Start Menu\Programs\Startup -> 

< ICQ Agent [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\ ->

HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\ -> ->

< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad -> 

{88E34F55-2249-E5FF-C9E3-BDBA8E07AA7C} [HKEY_LOCAL_MACHINE] -> %System32%\xqs.dll [fNeLX] -> File not found

< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks -> 

{57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] -> GRISOFT s.r.o. [Ver = 7, 5, 1, 36 | Size = 79408 bytes | Modified Date = 5/30/2007 4:29:58 AM | Attr =	]

{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\SUPERAntiSpyware\SASSEH.DLL [] -> SuperAdBlocker.com [Ver = 1, 0, 0, 1008 | Size = 77824 bytes | Modified Date = 12/20/2006 12:55:48 PM | Attr =	]

< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders -> 

< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 

< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 

< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ -> 

!SASWinLogon -> %ProgramFiles%\SUPERAntiSpyware\SASWINLO.dll -> SUPERAntiSpyware.com [Ver = 1, 0, 0, 1030 | Size = 282624 bytes | Modified Date = 2/27/2007 11:39:26 AM | Attr =	]

awvvw -> %System32%\awvvw.dll -> File not found

crypt32set -> %SystemRoot%\Media\fuwarxyus.dll -> File not found

igfxcui -> %System32%\igfxsrvc.dll -> Intel Corporation [Ver = 3.0.0.2285 | Size = 319488 bytes | Modified Date = 10/2/2003 12:18:52 PM | Attr =	]

jkkjgda -> jkkjgda.dll -> File not found

khfdedb -> khfdedb.dll -> File not found

NavLogon ->  -> File not found

< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun -> 67108863 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 255 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext ->  -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ -> -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ -> -> 

< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ -> -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ -> -> 

< HOSTS File > (27 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts -> 

< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 

HKEY_LOCAL_MACHINE\: Main\\Default_Page_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome -> 

HKEY_LOCAL_MACHINE\: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 

HKEY_LOCAL_MACHINE\: Main\\Local Page -> %SystemRoot%\system32\blank.htm -> 

HKEY_LOCAL_MACHINE\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 

HKEY_LOCAL_MACHINE\: Main\\Start Page -> http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home -> 

HKEY_LOCAL_MACHINE\: Search\\CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm -> 

HKEY_LOCAL_MACHINE\: Search\\SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm -> 

< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 

HKEY_CURRENT_USER\: Main\\Local Page -> C:\WINDOWS\system32\blank.htm -> 

HKEY_CURRENT_USER\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 

HKEY_CURRENT_USER\: Main\\Start Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome -> 

HKEY_CURRENT_USER\: ProxyEnable -> 0 -> 

< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1 domain(s) found. -> 

1 domain(s) and sub-domain(s) not assigned to a zone.

< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 

< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 

< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 

< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 

PluginsPageFriendlyName -> Microsoft ActiveX Gallery -> 

PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s -> 

< User Agent Post Platform [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform -> 

SV1 ->  -> 

< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 

{134C31AF-5B4C-44B4-AC3A-79D4AEAF420D} ->	(Broadcom 440x 10/100 Integrated Controller) -> 

< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ -> 

ipp: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened.[Reg Error: Value  does not exist or could not be read.] -> File not found

msdaipp: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened.[Reg Error: Value  does not exist or could not be read.] -> File not found

< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 

{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}[HKEY_LOCAL_MACHINE] -> http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/WebfettiInitialSetup1.0.0.15-3.cab[Reg Error: Key does not exist or could not be opened.] -> 

{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}[HKEY_LOCAL_MACHINE] -> http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1202104112593[MUWebControl Class] -> 

{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}[HKEY_LOCAL_MACHINE] -> http://acs.pandasoftware.com/activescan/as5free/asinst.cab[ActiveScan Installer Class] -> 

{D27CDB6E-AE6D-11CF-96B8-444553540000}[HKEY_LOCAL_MACHINE] -> http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab[Shockwave Flash Object] -> 





[Registry - Additional Scans - Non-Microsoft Only]

< Disabled MSConfig Registry Items [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ -> 

!AVG Anti-Spyware hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\avgas.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 43 | Size = 6731312 bytes | Modified Date = 6/11/2007 1:25:42 AM | Attr =	]

{34-4F-F5-54-ZN} hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %System32%\lodsrngs.exe ->  [Ver = 2, 0, 0, 1 | Size = 52769 bytes | Modified Date = 8/17/2007 8:08:37 AM | Attr =	]

BCMSMMSG hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %SystemRoot%\BCMSMMSG.exe -> Broadcom Corporation [Ver =  3.5.25 08/27/2003 20:04:35 | Size = 122880 bytes | Modified Date = 8/29/2003 4:59:24 AM | Attr =	]

DLA hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %System32%\DLA\DLACTRLW.EXE -> Sonic Solutions [Ver = 5.20.08a | Size = 122880 bytes | Modified Date = 2/3/2008 6:33:19 PM | Attr =	]

HotKeysCmds hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %System32%\hkcmd.exe -> Intel Corporation [Ver = 3.0.0.2285 | Size = 118784 bytes | Modified Date = 2/3/2008 6:35:13 PM | Attr =	]

IgfxTray hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %System32%\igfxtray.exe -> Intel Corporation [Ver = 3.0.0.2285 | Size = 155648 bytes | Modified Date = 2/3/2008 6:35:18 PM | Attr =	]

ISUSPM Startup hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %CommonProgramFiles%\InstallShield\UpdateService\ISUSPM.exe -> InstallShield Software Corporation [Ver = 3, 10, 100, 1155 | Size = 221184 bytes | Modified Date = 7/27/2004 3:50:42 PM | Attr =	]

ISUSScheduler hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %CommonProgramFiles%\InstallShield\UpdateService\issch.exe -> InstallShield Software Corporation [Ver = 3, 10, 100, 1155 | Size = 81920 bytes | Modified Date = 7/27/2004 3:50:18 PM | Attr =	]

iTunesHelper hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %ProgramFiles%\iTunes\iTunesHelper.exe -> Apple Inc. [Ver = 7.3.2.6 | Size = 271672 bytes | Modified Date = 8/15/2007 7:15:24 PM | Attr =	]

QuickTime Task hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %ProgramFiles%\QuickTime\QTTask.exe -> Apple Inc. [Ver = 7.2 | Size = 286720 bytes | Modified Date = 6/29/2007 5:24:52 AM | Attr =	]

Salestart hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %CommonProgramFiles%\SystemDoctor\dcpasmon.exe -> File not found

Sen hkey=HKCU key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %SystemDrive%\PROGRA~1\COMMON~1\ECURIT~1\services.exe -> File not found

SfKg6w hkey=HKCU key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %UserAppData%\Microsoft\Windows\whlwov.exe ->  [Ver =  | Size = 34816 bytes | Modified Date = 9/15/2007 4:57:41 PM | Attr =	]

startdrv hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %SystemRoot%\Temp\startdrv.exe -> File not found

svchost hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %SystemRoot%\svchost.exe -> File not found

SystemDoctor Free hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %ProgramFiles%\SystemDoctor Free\sdmain.exe -> File not found

uwas6cw hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %ProgramFiles%\WinAntiSpyware 2006 Free\uwas6cw.exe -> File not found

WebBuying hkey=HKCU key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %ProgramFiles%\Web Buying\v1.8.0\webbuying.exe -> File not found

WinAble hkey=HKCU key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %ProgramFiles%\WinAble\winable.exe -> File not found

WinAntiSpyware 2006 Free hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %ProgramFiles%\WinAntiSpyware 2006 Free\was6.exe -> File not found

WinPop hkey=HKCU key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %ProgramFiles%\WinPop\winpop.exe -> File not found

WinTouch hkey=HKCU key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %UserAppData%\WinTouch\WinTouch.exe -> File not found

wmjwkrfk hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %ProgramFiles%\Qbkjqwxd\wmjwkrfk.exe ->  [Ver =  | Size = 56832 bytes | Modified Date = 9/20/2007 3:35:08 PM | Attr =	]

Words hkey=HKCU key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %ProgramFiles%\Words\Words.exe -> File not found

zoku hkey=HKCU key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %CommonProgramFiles%\zoku\zokum.exe ->  [Ver = 4, 0, 4, 1 | Size = 9216 bytes | Modified Date = 7/19/2006 1:56:46 PM | Attr =	]





[Files/Folders - Created Within 30 days]

Deckard -> %SystemDrive%\Deckard ->  [Folder | Created Date = 2/5/2008 6:55:56 PM | Attr =	]

4 C:\*.tmp files -> C:\*.tmp -> 

QooBox -> %SystemDrive%\QooBox ->  [Folder | Created Date = 2/5/2008 9:35:30 PM | Attr =	]

SDFix -> %SystemDrive%\SDFix ->  [Folder | Created Date = 2/4/2008 11:17:34 PM | Attr =	]

AvgAsCln.sys -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 10872 bytes | Created Date = 2/2/2008 9:30:00 PM | Attr =	]

ActiveScan -> %System32%\ActiveScan ->  [Folder | Created Date = 2/3/2008 11:19:57 AM | Attr =	]

1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> 

asuninst.exe -> %System32%\asuninst.exe -> Panda Software [Ver = 1, 0, 0, 2 | Size = 73728 bytes | Created Date = 2/3/2008 11:20:28 AM | Attr =	]

fdsv.exe -> %System32%\fdsv.exe -> Smallfrogs Studio [Ver = 1.0.0.10 | Size = 73728 bytes | Created Date = 2/5/2008 9:35:37 PM | Attr =	]

grep.exe -> %System32%\grep.exe ->  [Ver =  | Size = 80412 bytes | Created Date = 2/5/2008 9:35:37 PM | Attr =	]

Help.ico -> %System32%\Help.ico ->  [Ver =  | Size = 1406 bytes | Created Date = 2/3/2008 11:20:01 AM | Attr =	]

pavas.ico -> %System32%\pavas.ico ->  [Ver =  | Size = 30590 bytes | Created Date = 2/3/2008 11:20:00 AM | Attr =	]

PreInstall -> %System32%\PreInstall ->  [Folder | Created Date = 2/3/2008 9:54:22 PM | Attr =	]

sed.exe -> %System32%\sed.exe ->  [Ver =  | Size = 98816 bytes | Created Date = 2/5/2008 9:35:37 PM | Attr =	]

SoftwareDistribution -> %System32%\SoftwareDistribution ->  [Folder | Created Date = 1/24/2008 7:01:38 PM | Attr =	]

swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 3.0.0.0 | Size = 161792 bytes | Created Date = 2/5/2008 9:35:37 PM | Attr =	]

swsc.exe -> %System32%\swsc.exe -> SteelWerX [Ver = 2.0.0.5 | Size = 136704 bytes | Created Date = 2/5/2008 9:35:37 PM | Attr =	]

swxcacls.exe -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 2/5/2008 9:35:37 PM | Attr =	]

Uninstall.ico -> %System32%\Uninstall.ico ->  [Ver =  | Size = 2550 bytes | Created Date = 2/3/2008 11:20:01 AM | Attr =	]

VFind.exe -> %System32%\VFind.exe ->  [Ver =  | Size = 49152 bytes | Created Date = 2/5/2008 9:35:37 PM | Attr =	]

zip.exe -> %System32%\zip.exe ->  [Ver =  | Size = 68096 bytes | Created Date = 2/5/2008 9:35:37 PM | Attr =	]

ZPORT4AS.dll -> %System32%\ZPORT4AS.dll ->  [Ver =  | Size = 11776 bytes | Created Date = 2/3/2008 11:20:28 AM | Attr =	]

$hf_mig$ -> %SystemRoot%\$hf_mig$ ->  [Folder | Created Date = 2/2/2008 9:35:38 PM | Attr =  H ]

4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> 

$MSI31Uninstall_KB893803v2$ -> %SystemRoot%\$MSI31Uninstall_KB893803v2$ ->  [Folder | Created Date = 2/3/2008 9:53:48 PM | Attr =  H ]

ERDNT -> %SystemRoot%\ERDNT ->  [Folder | Created Date = 2/5/2008 6:56:05 PM | Attr =	]

ERUNT -> %SystemRoot%\ERUNT ->  [Folder | Created Date = 2/5/2008 5:40:10 PM | Attr =	]

Nircmd.exe -> %SystemRoot%\Nircmd.exe -> NirSoft [Ver = 2.00 | Size = 51200 bytes | Created Date = 2/5/2008 9:35:37 PM | Attr =	]

pss -> %SystemRoot%\pss ->  [Folder | Created Date = 2/2/2008 9:25:38 PM | Attr =	]

QTFont.for -> %SystemRoot%\QTFont.for ->  [Ver =  | Size = 1409 bytes | Created Date = 2/2/2008 8:37:38 PM | Attr =	]

QTFont.qfn -> %SystemRoot%\QTFont.qfn ->  [Ver =  | Size = 54156 bytes | Created Date = 2/2/2008 8:37:38 PM | Attr =  H ]

TEMP -> %SystemRoot%\TEMP ->  [Folder | Created Date = 2/6/2008 8:55:12 AM | Attr =	]



[Files/Folders - Modified Within 30 days]

boot.ini -> %SystemDrive%\boot.ini ->  [Ver =  | Size = 211 bytes | Modified Date = 2/2/2008 10:22:12 PM | Attr =  HS]

Deckard -> %SystemDrive%\Deckard ->  [Folder | Modified Date = 2/5/2008 6:55:56 PM | Attr =	]

4 C:\*.tmp files -> C:\*.tmp -> 

Documents and Settings -> %SystemDrive%\Documents and Settings ->  [Folder | Modified Date = 2/2/2008 9:21:07 PM | Attr =	]

Program Files -> %ProgramFiles% ->  [Folder | Modified Date = 2/6/2008 8:52:54 AM | Attr = R  ]

QooBox -> %SystemDrive%\QooBox ->  [Folder | Modified Date = 2/6/2008 8:55:10 AM | Attr =	]

SDFix -> %SystemDrive%\SDFix ->  [Folder | Modified Date = 2/5/2008 6:02:08 PM | Attr =	]

Temp -> %SystemDrive%\Temp ->  [Folder | Modified Date = 2/5/2008 9:37:54 PM | Attr =	]

WINDOWS -> %SystemRoot% ->  [Folder | Modified Date = 2/6/2008 8:55:12 AM | Attr =	]

etc -> %System32%\drivers\etc ->  [Folder | Modified Date = 2/5/2008 9:42:21 PM | Attr =	]

hosts -> %System32%\drivers\etc\hosts ->  [Ver =  | Size = 27 bytes | Modified Date = 2/5/2008 9:42:21 PM | Attr =	]

ActiveScan -> %System32%\ActiveScan ->  [Folder | Modified Date = 2/3/2008 6:32:44 PM | Attr =	]

1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> 

CatRoot2 -> %System32%\CatRoot2 ->  [Folder | Modified Date = 2/5/2008 6:56:27 PM | Attr =	]

Com -> %System32%\Com ->  [Folder | Modified Date = 2/5/2008 12:00:45 AM | Attr =	]

config -> %System32%\config ->  [Folder | Modified Date = 2/5/2008 9:40:44 PM | Attr =	]

dllcache -> %System32%\dllcache ->  [Folder | Modified Date = 2/5/2008 2:21:41 AM | Attr = RHS]

drivers -> %System32%\drivers ->  [Folder | Modified Date = 2/6/2008 8:53:33 AM | Attr =	]

FNTCACHE.DAT -> %System32%\FNTCACHE.DAT ->  [Ver =  | Size = 188200 bytes | Modified Date = 2/5/2008 2:21:42 AM | Attr =	]

Help.ico -> %System32%\Help.ico ->  [Ver =  | Size = 1406 bytes | Modified Date = 2/3/2008 5:42:33 PM | Attr =	]

hkcmd.exe -> %System32%\hkcmd.exe -> Intel Corporation [Ver = 3.0.0.2285 | Size = 118784 bytes | Modified Date = 2/3/2008 6:35:13 PM | Attr =	]

igfxtray.exe -> %System32%\igfxtray.exe -> Intel Corporation [Ver = 3.0.0.2285 | Size = 155648 bytes | Modified Date = 2/3/2008 6:35:18 PM | Attr =	]

kqgubstd -> %System32%\kqgubstd ->  [Folder | Modified Date = 2/3/2008 6:35:26 PM | Attr =	]

pavas.ico -> %System32%\pavas.ico ->  [Ver =  | Size = 30590 bytes | Modified Date = 2/3/2008 5:42:33 PM | Attr =	]

perfc009.dat -> %System32%\perfc009.dat ->  [Ver =  | Size = 40196 bytes | Modified Date = 2/5/2008 6:03:25 PM | Attr =	]

perfh009.dat -> %System32%\perfh009.dat ->  [Ver =  | Size = 311934 bytes | Modified Date = 2/5/2008 6:03:25 PM | Attr =	]

PerfStringBackup.INI -> %System32%\PerfStringBackup.INI ->  [Ver =  | Size = 356120 bytes | Modified Date = 2/5/2008 6:03:24 PM | Attr =	]

PreInstall -> %System32%\PreInstall ->  [Folder | Modified Date = 2/3/2008 9:54:22 PM | Attr =	]

SoftwareDistribution -> %System32%\SoftwareDistribution ->  [Folder | Modified Date = 1/24/2008 7:01:38 PM | Attr =	]

Uninstall.ico -> %System32%\Uninstall.ico ->  [Ver =  | Size = 2550 bytes | Modified Date = 2/3/2008 5:42:33 PM | Attr =	]

wbem -> %System32%\wbem ->  [Folder | Modified Date = 2/3/2008 6:36:38 PM | Attr =	]

wpa.dbl -> %System32%\wpa.dbl ->  [Ver =  | Size = 2206 bytes | Modified Date = 2/2/2008 8:36:01 PM | Attr =	]

$hf_mig$ -> %SystemRoot%\$hf_mig$ ->  [Folder | Modified Date = 2/5/2008 1:26:35 AM | Attr =  H ]

4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> 

$MSI31Uninstall_KB893803v2$ -> %SystemRoot%\$MSI31Uninstall_KB893803v2$ ->  [Folder | Modified Date = 2/3/2008 9:53:57 PM | Attr =  H ]

AppPatch -> %SystemRoot%\AppPatch ->  [Folder | Modified Date = 2/3/2008 6:28:47 PM | Attr =	]

bootstat.dat -> %SystemRoot%\bootstat.dat ->  [Ver =  | Size = 2048 bytes | Modified Date = 2/5/2008 9:41:50 PM | Attr =   S]

Downloaded Program Files -> %SystemRoot%\Downloaded Program Files ->  [Folder | Modified Date = 2/5/2008 6:56:29 PM | Attr =   S]

dXNlciAx -> %SystemRoot%\dXNlciAx ->  [Folder | Modified Date = 2/5/2008 5:44:37 PM | Attr =	]

ERDNT -> %SystemRoot%\ERDNT ->  [Folder | Modified Date = 2/5/2008 9:40:38 PM | Attr =	]

ERUNT -> %SystemRoot%\ERUNT ->  [Folder | Modified Date = 2/5/2008 5:40:11 PM | Attr =	]

Help -> %SystemRoot%\Help ->  [Folder | Modified Date = 1/24/2008 7:03:34 PM | Attr =	]

imsins.BAK -> %SystemRoot%\imsins.BAK ->  [Ver =  | Size = 1355 bytes | Modified Date = 2/5/2008 1:29:40 AM | Attr =	]

inf -> %SystemRoot%\inf ->  [Folder | Modified Date = 2/5/2008 1:33:14 AM | Attr =  H ]

Installer -> %SystemRoot%\Installer ->  [Folder | Modified Date = 2/2/2008 10:32:58 PM | Attr =  HS]

Media -> %SystemRoot%\Media ->  [Folder | Modified Date = 2/5/2008 9:35:30 PM | Attr =	]

msagent -> %SystemRoot%\msagent ->  [Folder | Modified Date = 2/5/2008 2:21:40 AM | Attr =	]

Prefetch -> %SystemRoot%\Prefetch ->  [Folder | Modified Date = 2/7/2008 4:19:31 PM | Attr =	]

pss -> %SystemRoot%\pss ->  [Folder | Modified Date = 2/2/2008 10:20:07 PM | Attr =	]

QTFont.for -> %SystemRoot%\QTFont.for ->  [Ver =  | Size = 1409 bytes | Modified Date = 2/2/2008 8:37:38 PM | Attr =	]

QTFont.qfn -> %SystemRoot%\QTFont.qfn ->  [Ver =  | Size = 54156 bytes | Modified Date = 2/2/2008 8:37:38 PM | Attr =  H ]

SoftwareDistribution -> %SystemRoot%\SoftwareDistribution ->  [Folder | Modified Date = 2/3/2008 9:48:43 PM | Attr =	]

system.ini -> %SystemRoot%\system.ini ->  [Ver =  | Size = 327 bytes | Modified Date = 2/6/2008 8:54:27 AM | Attr =	]

system32 -> %System32% ->  [Folder | Modified Date = 2/6/2008 8:55:16 AM | Attr =	]

TEMP -> %SystemRoot%\TEMP ->  [Folder | Modified Date = 2/6/2008 8:55:16 AM | Attr =	]

win.ini -> %SystemRoot%\win.ini ->  [Ver =  | Size = 992 bytes | Modified Date = 2/3/2008 2:51:29 PM | Attr =	]

WinSxS -> %SystemRoot%\WinSxS ->  [Folder | Modified Date = 2/5/2008 12:46:50 AM | Attr =	]

At1.job -> %SystemRoot%\tasks\At1.job ->  [Ver =  | Size = 350 bytes | Modified Date = 2/7/2008 | Attr =	]

At10.job -> %SystemRoot%\tasks\At10.job ->  [Ver =  | Size = 350 bytes | Modified Date = 2/7/2008 9:00:00 AM | Attr =	]

At11.job -> %SystemRoot%\tasks\At11.job ->  [Ver =  | Size = 350 bytes | Modified Date = 2/7/2008 10:00:00 AM | Attr =	]

At12.job -> %SystemRoot%\tasks\At12.job ->  [Ver =  | Size = 350 bytes | Modified Date = 2/7/2008 11:00:00 AM | Attr =	]

At13.job -> %SystemRoot%\tasks\At13.job ->  [Ver =  | Size = 350 bytes | Modified Date = 2/7/2008 12:00:00 PM | Attr =	]

At14.job -> %SystemRoot%\tasks\At14.job ->  [Ver =  | Size = 350 bytes | Modified Date = 2/7/2008 1:00:00 PM | Attr =	]

At15.job -> %SystemRoot%\tasks\At15.job ->  [Ver =  | Size = 350 bytes | Modified Date = 2/7/2008 2:00:00 PM | Attr =	]

At16.job -> %SystemRoot%\tasks\At16.job ->  [Ver =  | Size = 350 bytes | Modified Date = 2/7/2008 3:00:00 PM | Attr =	]

At17.job -> %SystemRoot%\tasks\At17.job ->  [Ver =  | Size = 350 bytes | Modified Date = 2/7/2008 4:00:00 PM | Attr =	]

At18.job -> %SystemRoot%\tasks\At18.job ->  [Ver =  | Size = 350 bytes | Modified Date = 2/6/2008 5:00:00 PM | Attr =	]

At19.job -> %SystemRoot%\tasks\At19.job ->  [Ver =  | Size = 350 bytes | Modified Date = 2/6/2008 6:00:00 PM | Attr =	]

At2.job -> %SystemRoot%\tasks\At2.job ->  [Ver =  | Size = 350 bytes | Modified Date = 2/7/2008 1:00:00 AM | Attr =	]

At20.job -> %SystemRoot%\tasks\At20.job ->  [Ver =  | Size = 350 bytes | Modified Date = 2/6/2008 7:00:00 PM | Attr =	]

At21.job -> %SystemRoot%\tasks\At21.job ->  [Ver =  | Size = 350 bytes | Modified Date = 2/6/2008 8:00:00 PM | Attr =	]

At22.job -> %SystemRoot%\tasks\At22.job ->  [Ver =  | Size = 350 bytes | Modified Date = 2/6/2008 9:00:00 PM | Attr =	]

At23.job -> %SystemRoot%\tasks\At23.job ->  [Ver =  | Size = 350 bytes | Modified Date = 2/6/2008 10:00:00 PM | Attr =	]

At24.job -> %SystemRoot%\tasks\At24.job ->  [Ver =  | Size = 350 bytes | Modified Date = 2/6/2008 11:00:00 PM | Attr =	]

At3.job -> %SystemRoot%\tasks\At3.job ->  [Ver =  | Size = 350 bytes | Modified Date = 2/7/2008 2:00:00 AM | Attr =	]

At4.job -> %SystemRoot%\tasks\At4.job ->  [Ver =  | Size = 350 bytes | Modified Date = 2/7/2008 3:00:00 AM | Attr =	]

At5.job -> %SystemRoot%\tasks\At5.job ->  [Ver =  | Size = 350 bytes | Modified Date = 2/7/2008 4:00:00 AM | Attr =	]

At6.job -> %SystemRoot%\tasks\At6.job ->  [Ver =  | Size = 350 bytes | Modified Date = 2/7/2008 5:00:00 AM | Attr =	]

At7.job -> %SystemRoot%\tasks\At7.job ->  [Ver =  | Size = 350 bytes | Modified Date = 2/7/2008 6:00:00 AM | Attr =	]

At8.job -> %SystemRoot%\tasks\At8.job ->  [Ver =  | Size = 350 bytes | Modified Date = 2/7/2008 7:00:00 AM | Attr =	]

At9.job -> %SystemRoot%\tasks\At9.job ->  [Ver =  | Size = 350 bytes | Modified Date = 2/7/2008 8:00:00 AM | Attr =	]

SA.DAT -> %SystemRoot%\tasks\SA.DAT ->  [Ver =  | Size = 6 bytes | Modified Date = 2/5/2008 9:42:07 PM | Attr =  H ]

qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat ->  [Ver =  | Size = 4232 bytes | Modified Date = 2/5/2008 9:45:31 PM | Attr =	]

qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat ->  [Ver =  | Size = 4617 bytes | Modified Date = 2/5/2008 9:45:31 PM | Attr =	]

opa11.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\opa11.dat ->  [Ver =  | Size = 8206 bytes | Modified Date = 8/4/2007 5:10:09 PM | Attr =	]



[CatchMe Rootkit Scan by GMER]

< Windows folder & sub-folders >

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

< Document and Settings folder & sub folders >

scanning hidden files ...

C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Thumbs.db:encryptable 0 bytes

C:\Documents and Settings\Owner\My Documents\My Pictures\Thumbs.db:encryptable 0 bytes

scan completed successfully

hidden files: 3



< End of report >

Attached Files


  • 0

#10
Rorschach112
Posted 07 February 2008 - 03:37 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Start WinPFind35U. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YN -> {88E34F55-2249-E5FF-C9E3-BDBA8E07AA7C} [HKEY_LOCAL_MACHINE] -> %System32%\xqs.dll [fNeLX]
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YN -> awvvw -> %System32%\awvvw.dll
YN -> crypt32set -> %SystemRoot%\Media\fuwarxyus.dll
YN -> jkkjgda -> jkkjgda.dll
YN -> khfdedb -> khfdedb.dll
YN -> NavLogon ->
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
YN -> ipp: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened.[Reg Error: Value does not exist or could not be read.]
YN -> msdaipp: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened.[Reg Error: Value does not exist or could not be read.]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}[HKEY_LOCAL_MACHINE] -> http://ak.exe.imgfar...p1.0.0.15-3.cab[Reg Error: Key does not exist or could not be opened.]
[Registry - Additional Scans - Non-Microsoft Only]
< Disabled MSConfig Registry Items [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\
YY -> {34-4F-F5-54-ZN} hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %System32%\lodsrngs.exe
YN -> Salestart hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %CommonProgramFiles%\SystemDoctor\dcpasmon.exe
YN -> Sen hkey=HKCU key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %SystemDrive%\PROGRA~1\COMMON~1\ECURIT~1\services.exe
YY -> SfKg6w hkey=HKCU key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %UserAppData%\Microsoft\Windows\whlwov.exe
YN -> startdrv hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %SystemRoot%\Temp\startdrv.exe
YN -> svchost hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %SystemRoot%\svchost.exe
YN -> SystemDoctor Free hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %ProgramFiles%\SystemDoctor Free\sdmain.exe
YN -> uwas6cw hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %ProgramFiles%\WinAntiSpyware 2006 Free\uwas6cw.exe
YN -> WebBuying hkey=HKCU key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %ProgramFiles%\Web Buying\v1.8.0\webbuying.exe
YN -> WinAble hkey=HKCU key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %ProgramFiles%\WinAble\winable.exe
YN -> WinAntiSpyware 2006 Free hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %ProgramFiles%\WinAntiSpyware 2006 Free\was6.exe
YN -> WinPop hkey=HKCU key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %ProgramFiles%\WinPop\winpop.exe
YN -> WinTouch hkey=HKCU key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %UserAppData%\WinTouch\WinTouch.exe
YY -> wmjwkrfk hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %ProgramFiles%\Qbkjqwxd\wmjwkrfk.exe
YN -> Words hkey=HKCU key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %ProgramFiles%\Words\Words.exe
YY -> zoku hkey=HKCU key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %CommonProgramFiles%\zoku\zokum.exe
[Files/Folders - Created Within 30 days]
YN -> 4 C:\*.tmp files -> C:\*.tmp
YN -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
YN -> 4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Files/Folders - Modified Within 30 days]
YN -> 4 C:\*.tmp files -> C:\*.tmp
YN -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
YY -> kqgubstd -> %System32%\kqgubstd
YN -> 4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
YY -> At1.job -> %SystemRoot%\tasks\At1.job
YY -> At10.job -> %SystemRoot%\tasks\At10.job
YY -> At11.job -> %SystemRoot%\tasks\At11.job
YY -> At12.job -> %SystemRoot%\tasks\At12.job
YY -> At13.job -> %SystemRoot%\tasks\At13.job
YY -> At14.job -> %SystemRoot%\tasks\At14.job
YY -> At15.job -> %SystemRoot%\tasks\At15.job
YY -> At16.job -> %SystemRoot%\tasks\At16.job
YY -> At17.job -> %SystemRoot%\tasks\At17.job
YY -> At18.job -> %SystemRoot%\tasks\At18.job
YY -> At19.job -> %SystemRoot%\tasks\At19.job
YY -> At2.job -> %SystemRoot%\tasks\At2.job
YY -> At20.job -> %SystemRoot%\tasks\At20.job
YY -> At21.job -> %SystemRoot%\tasks\At21.job
YY -> At22.job -> %SystemRoot%\tasks\At22.job
YY -> At23.job -> %SystemRoot%\tasks\At23.job
YY -> At24.job -> %SystemRoot%\tasks\At24.job
YY -> At3.job -> %SystemRoot%\tasks\At3.job
YY -> At4.job -> %SystemRoot%\tasks\At4.job
YY -> At5.job -> %SystemRoot%\tasks\At5.job
YY -> At6.job -> %SystemRoot%\tasks\At6.job
YY -> At7.job -> %SystemRoot%\tasks\At7.job
YY -> At8.job -> %SystemRoot%\tasks\At8.job
YY -> At9.job -> %SystemRoot%\tasks\At9.job
[Empty Temp Folders]
[Start Explorer]
[Reboot]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind3u scan(attach the WinPFind3 scan report).

I will review the information when it comes back in.



Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.



Reboot and post a new DSS log
  • 0

Advertisements

#11
kuraikinzoku
Posted 07 February 2008 - 04:06 PM

kuraikinzoku

    Member

  • Topic Starter
  • Member
  • PipPip
  • 38 posts
a Notepad did notl open with a log of actions taken during the WinPFind3u fix. the computer just rebooted after the prompt said some items needs the computer to be resterted to removed

Edited by kuraikinzoku, 07 February 2008 - 04:07 PM.

  • 0

#12
Rorschach112
Posted 07 February 2008 - 06:22 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
No problem just continue on with the rest of the steps
  • 0

#13
kuraikinzoku
Posted 07 February 2008 - 10:04 PM

kuraikinzoku

    Member

  • Topic Starter
  • Member
  • PipPip
  • 38 posts
SUPERAntiSpyware Scan Log
Generated 02/07/2008 at 06:59 PM

Application Version : 3.6.1000

Core Rules Database Version : 3394
Trace Rules Database Version: 1386

Scan type : Complete Scan
Total Scan Time : 00:28:52

Memory items scanned : 262
Memory threats detected : 0
Registry items scanned : 3955
Registry threats detected : 185
File items scanned : 20829
File threats detected : 83

Trojan.WinFixer
HKLM\Software\Classes\CLSID\{1230649B-B980-44A5-B259-9B09EBEA6331}
HKCR\CLSID\{1230649B-B980-44A5-B259-9B09EBEA6331}
HKCR\CLSID\{1230649B-B980-44A5-B259-9B09EBEA6331}
HKCR\CLSID\{1230649B-B980-44A5-B259-9B09EBEA6331}#AppID
HKCR\CLSID\{1230649B-B980-44A5-B259-9B09EBEA6331}\InprocServer32
HKCR\CLSID\{1230649B-B980-44A5-B259-9B09EBEA6331}\InprocServer32#ThreadingModel
HKCR\CLSID\{1230649B-B980-44A5-B259-9B09EBEA6331}\ProgID
HKCR\CLSID\{1230649B-B980-44A5-B259-9B09EBEA6331}\Programmable
HKCR\CLSID\{1230649B-B980-44A5-B259-9B09EBEA6331}\TypeLib
HKCR\CLSID\{1230649B-B980-44A5-B259-9B09EBEA6331}\VersionIndependentProgID
C:\PROGRAM FILES\WINANTISPYWARE 2006 FREE\SHELLEXT.DLL

Adware.AdSponsor/ISM
HKLM\Software\Classes\CLSID\{12DA1BC4-5384-42fd-A119-3C99D2D146A2}
HKCR\CLSID\{12DA1BC4-5384-42FD-A119-3C99D2D146A2}
HKCR\CLSID\{12DA1BC4-5384-42FD-A119-3C99D2D146A2}
HKCR\CLSID\{12DA1BC4-5384-42FD-A119-3C99D2D146A2}#AppID
HKCR\CLSID\{12DA1BC4-5384-42FD-A119-3C99D2D146A2}\Implemented Categories
HKCR\CLSID\{12DA1BC4-5384-42FD-A119-3C99D2D146A2}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
HKCR\CLSID\{12DA1BC4-5384-42FD-A119-3C99D2D146A2}\InprocServer32
HKCR\CLSID\{12DA1BC4-5384-42FD-A119-3C99D2D146A2}\InprocServer32#ThreadingModel
HKCR\CLSID\{12DA1BC4-5384-42FD-A119-3C99D2D146A2}\ProgID
HKCR\CLSID\{12DA1BC4-5384-42FD-A119-3C99D2D146A2}\TypeLib
HKCR\CLSID\{12DA1BC4-5384-42FD-A119-3C99D2D146A2}\VersionIndependentProgID
C:\PROGRAM FILES\ISM\BNDDRIVE3.DLL
HKLM\Software\Classes\CLSID\{1B2588F5-45CE-4322-B755-D79944AD1B17}
HKCR\CLSID\{1B2588F5-45CE-4322-B755-D79944AD1B17}
HKCR\CLSID\{1B2588F5-45CE-4322-B755-D79944AD1B17}
HKCR\CLSID\{1B2588F5-45CE-4322-B755-D79944AD1B17}#AppID
HKCR\CLSID\{1B2588F5-45CE-4322-B755-D79944AD1B17}\Implemented Categories
HKCR\CLSID\{1B2588F5-45CE-4322-B755-D79944AD1B17}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
HKCR\CLSID\{1B2588F5-45CE-4322-B755-D79944AD1B17}\InprocServer32
HKCR\CLSID\{1B2588F5-45CE-4322-B755-D79944AD1B17}\InprocServer32#ThreadingModel
HKCR\CLSID\{1B2588F5-45CE-4322-B755-D79944AD1B17}\ProgID
HKCR\CLSID\{1B2588F5-45CE-4322-B755-D79944AD1B17}\TypeLib
HKCR\CLSID\{1B2588F5-45CE-4322-B755-D79944AD1B17}\VersionIndependentProgID
C:\PROGRAM FILES\ISM\BNDDRIVE6.DLL
HKLM\Software\Classes\CLSID\{8B27CC68-110C-46a9-80D3-F3107DE6EB98}
HKCR\CLSID\{8B27CC68-110C-46A9-80D3-F3107DE6EB98}
HKCR\CLSID\{8B27CC68-110C-46A9-80D3-F3107DE6EB98}
HKCR\CLSID\{8B27CC68-110C-46A9-80D3-F3107DE6EB98}#AppID
HKCR\CLSID\{8B27CC68-110C-46A9-80D3-F3107DE6EB98}\InprocServer32
HKCR\CLSID\{8B27CC68-110C-46A9-80D3-F3107DE6EB98}\InprocServer32#ThreadingModel
HKCR\CLSID\{8B27CC68-110C-46A9-80D3-F3107DE6EB98}\ProgID
HKCR\CLSID\{8B27CC68-110C-46A9-80D3-F3107DE6EB98}\TypeLib
HKCR\CLSID\{8B27CC68-110C-46A9-80D3-F3107DE6EB98}\VersionIndependentProgID
HKLM\Software\Classes\CLSID\{8C6D5A56-791E-4fe8-9D64-81781FA15D68}
HKCR\CLSID\{8C6D5A56-791E-4FE8-9D64-81781FA15D68}
HKCR\CLSID\{8C6D5A56-791E-4FE8-9D64-81781FA15D68}
HKCR\CLSID\{8C6D5A56-791E-4FE8-9D64-81781FA15D68}#AppID
HKCR\CLSID\{8C6D5A56-791E-4FE8-9D64-81781FA15D68}\InprocServer32
HKCR\CLSID\{8C6D5A56-791E-4FE8-9D64-81781FA15D68}\InprocServer32#ThreadingModel
HKCR\CLSID\{8C6D5A56-791E-4FE8-9D64-81781FA15D68}\ProgID
HKCR\CLSID\{8C6D5A56-791E-4FE8-9D64-81781FA15D68}\TypeLib
HKCR\CLSID\{8C6D5A56-791E-4FE8-9D64-81781FA15D68}\VersionIndependentProgID
HKLM\Software\Classes\CLSID\{9815DA81-2E0C-478c-90E4-06E474E704D0}
HKCR\CLSID\{9815DA81-2E0C-478C-90E4-06E474E704D0}
HKCR\CLSID\{9815DA81-2E0C-478C-90E4-06E474E704D0}
HKCR\CLSID\{9815DA81-2E0C-478C-90E4-06E474E704D0}#AppID
HKCR\CLSID\{9815DA81-2E0C-478C-90E4-06E474E704D0}\InprocServer32
HKCR\CLSID\{9815DA81-2E0C-478C-90E4-06E474E704D0}\InprocServer32#ThreadingModel
HKCR\CLSID\{9815DA81-2E0C-478C-90E4-06E474E704D0}\ProgID
HKCR\CLSID\{9815DA81-2E0C-478C-90E4-06E474E704D0}\TypeLib
HKCR\CLSID\{9815DA81-2E0C-478C-90E4-06E474E704D0}\VersionIndependentProgID
C:\PROGRAM FILES\ISM\BNDDRIVE.DLL
HKCR\BndDrive.Band
HKCR\BndDrive.Band\CLSID
HKCR\BndDrive.Band\CurVer
HKCR\BndDrive.Band.1
HKCR\BndDrive.Band.1\CLSID
HKCR\BndDrive.BHO
HKCR\BndDrive.BHO\CLSID
HKCR\BndDrive.BHO\CurVer
HKCR\BndDrive.BHO.1
HKCR\BndDrive.BHO.1\CLSID
HKCR\CLSID\{231F6FAB-ECED-4975-9EF2-C0C7BC81927B}
HKCR\CLSID\{231F6FAB-ECED-4975-9EF2-C0C7BC81927B}#AppID
HKCR\CLSID\{231F6FAB-ECED-4975-9EF2-C0C7BC81927B}\Implemented Categories
HKCR\CLSID\{231F6FAB-ECED-4975-9EF2-C0C7BC81927B}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
HKCR\CLSID\{231F6FAB-ECED-4975-9EF2-C0C7BC81927B}\InprocServer32
HKCR\CLSID\{231F6FAB-ECED-4975-9EF2-C0C7BC81927B}\InprocServer32#ThreadingModel
HKCR\CLSID\{231F6FAB-ECED-4975-9EF2-C0C7BC81927B}\ProgID
HKCR\CLSID\{231F6FAB-ECED-4975-9EF2-C0C7BC81927B}\TypeLib
HKCR\CLSID\{231F6FAB-ECED-4975-9EF2-C0C7BC81927B}\VersionIndependentProgID
HKCR\TypeLib\{DCD2F298-BFA3-410F-8C21-B422AF11F363}
HKCR\TypeLib\{DCD2F298-BFA3-410F-8C21-B422AF11F363}\1.0
HKCR\TypeLib\{DCD2F298-BFA3-410F-8C21-B422AF11F363}\1.0\0
HKCR\TypeLib\{DCD2F298-BFA3-410F-8C21-B422AF11F363}\1.0\0\win32
HKCR\TypeLib\{DCD2F298-BFA3-410F-8C21-B422AF11F363}\1.0\FLAGS
HKCR\TypeLib\{DCD2F298-BFA3-410F-8C21-B422AF11F363}\1.0\HELPDIR
HKCR\AppId\{1F5E0EA2-ABEA-44c3-95EC-2D1E721FE95E}
HKU\.DEFAULT\Software\BndDrive
HKU\S-1-5-18\Software\BndDrive
HKU\.DEFAULT\Software\QdrModule
HKU\S-1-5-21-1275210071-287218729-1801674531-1003\Software\QdrModule
HKU\S-1-5-18\Software\QdrModule
HKU\.DEFAULT\Software\QdrPack
HKU\S-1-5-18\Software\QdrPack
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\ISM\BNDDRIVE2.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\ISM\BNDLOADER.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\ISM\ISM.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\ISM2\ISMPACK6.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\QDRPACK\QDRPACK10.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\QDRPACK\QDRPACK11.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108571.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108572.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108573.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108578.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108582.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108583.EXE

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{89354FAB-3E61-4869-8F70-030A5DBB55CD}
HKCR\CLSID\{89354FAB-3E61-4869-8F70-030A5DBB55CD}
HKCR\CLSID\{89354FAB-3E61-4869-8F70-030A5DBB55CD}\InprocServer32
HKCR\CLSID\{89354FAB-3E61-4869-8F70-030A5DBB55CD}\InprocServer32#ThreadingModel
HKCR\CLSID\{89354FAB-3E61-4869-8F70-030A5DBB55CD}\TreatAs
C:\WINDOWS\SYSTEM32\AWVVW.DLL
HKLM\Software\Classes\CLSID\{9396D86D-4B78-40E3-8750-E26DC9D585DB}
HKCR\CLSID\{9396D86D-4B78-40E3-8750-E26DC9D585DB}
HKCR\CLSID\{9396D86D-4B78-40E3-8750-E26DC9D585DB}\InprocServer32
HKCR\CLSID\{9396D86D-4B78-40E3-8750-E26DC9D585DB}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\VTUTT.DLL

Trojan.WinAntiSpyware/WinAntiVirus 2006/2007
HKCR\UWAS6.UWAS6
HKCR\UWAS6.UWAS6\CLSID
HKCR\uwasfsd.CreationNotifier
HKCR\uwasfsd.CreationNotifier\CLSID
HKCR\uwasfsd.CreationNotifier\CurVer
HKCR\uwasfsd.CreationNotifier.1
HKCR\uwasfsd.CreationNotifier.1\CLSID
HKCR\uwashellext.ShellHook
HKCR\uwashellext.ShellHook\CLSID
HKCR\uwashellext.ShellHook\CurVer
HKCR\uwashellext.ShellHook.1
HKCR\uwashellext.ShellHook.1\CLSID
HKCR\uwashellext.WASContextMenu
HKCR\uwashellext.WASContextMenu\CLSID
HKCR\uwashellext.WASContextMenu\CurVer
HKCR\uwashellext.WASContextMenu.1
HKCR\uwashellext.WASContextMenu.1\CLSID
HKCR\CLSID\{1236DE55-EDED-4675-AF10-BA15EDDB4D7A}
HKCR\CLSID\{1236DE55-EDED-4675-AF10-BA15EDDB4D7A}#AppID
HKCR\CLSID\{1236DE55-EDED-4675-AF10-BA15EDDB4D7A}\InprocServer32
HKCR\CLSID\{1236DE55-EDED-4675-AF10-BA15EDDB4D7A}\InprocServer32#ThreadingModel
HKCR\CLSID\{1236DE55-EDED-4675-AF10-BA15EDDB4D7A}\ProgID
HKCR\CLSID\{1236DE55-EDED-4675-AF10-BA15EDDB4D7A}\Programmable
HKCR\CLSID\{1236DE55-EDED-4675-AF10-BA15EDDB4D7A}\TypeLib
HKCR\CLSID\{1236DE55-EDED-4675-AF10-BA15EDDB4D7A}\VersionIndependentProgID
HKCR\CLSID\{ABCD4567-76B5-4bc7-AAC5-396D70925B11}
HKCR\CLSID\{ABCD4567-76B5-4bc7-AAC5-396D70925B11}#AppID
HKCR\CLSID\{ABCD4567-76B5-4bc7-AAC5-396D70925B11}\LocalServer32
HKCR\CLSID\{ABCD4567-76B5-4bc7-AAC5-396D70925B11}\LocalServer32#ThreadingModel
HKCR\CLSID\{ABCD4567-76B5-4bc7-AAC5-396D70925B11}\ProgID
HKCR\CLSID\{ABCD4567-76B5-4bc7-AAC5-396D70925B11}\Programmable
HKCR\CLSID\{ABCD4567-76B5-4bc7-AAC5-396D70925B11}\TypeLib
HKCR\CLSID\{ABCD4567-76B5-4bc7-AAC5-396D70925B11}\VersionIndependentProgID
HKCR\CLSID\{_CLSID_WAShellExecuteCheck}
HKCR\CLSID\{_CLSID_WAShellExecuteCheck}#AppID
HKCR\CLSID\{_CLSID_WAShellExecuteCheck}\LocalServer32
HKCR\CLSID\{_CLSID_WAShellExecuteCheck}\Programmable
HKCR\TypeLib\{12398A44-7DFC-4C46-BD8F-41259D169A0D}
HKCR\TypeLib\{12398A44-7DFC-4C46-BD8F-41259D169A0D}\1.0
HKCR\TypeLib\{12398A44-7DFC-4C46-BD8F-41259D169A0D}\1.0\0
HKCR\TypeLib\{12398A44-7DFC-4C46-BD8F-41259D169A0D}\1.0\0\win32
HKCR\TypeLib\{12398A44-7DFC-4C46-BD8F-41259D169A0D}\1.0\FLAGS
HKCR\TypeLib\{12398A44-7DFC-4C46-BD8F-41259D169A0D}\1.0\HELPDIR
HKCR\TypeLib\{4567AB12-AE24-4FD6-B479-E2B464F32DA6}
HKCR\TypeLib\{4567AB12-AE24-4FD6-B479-E2B464F32DA6}\1.0
HKCR\TypeLib\{4567AB12-AE24-4FD6-B479-E2B464F32DA6}\1.0\0
HKCR\TypeLib\{4567AB12-AE24-4FD6-B479-E2B464F32DA6}\1.0\0\win32
HKCR\TypeLib\{4567AB12-AE24-4FD6-B479-E2B464F32DA6}\1.0\FLAGS
HKCR\TypeLib\{4567AB12-AE24-4FD6-B479-E2B464F32DA6}\1.0\HELPDIR
HKCR\TypeLib\{ABCD4567-7437-43EF-AB74-4AB1D3A37411}
HKCR\TypeLib\{ABCD4567-7437-43EF-AB74-4AB1D3A37411}\1.0
HKCR\TypeLib\{ABCD4567-7437-43EF-AB74-4AB1D3A37411}\1.0\0
HKCR\TypeLib\{ABCD4567-7437-43EF-AB74-4AB1D3A37411}\1.0\0\win32
HKCR\TypeLib\{ABCD4567-7437-43EF-AB74-4AB1D3A37411}\1.0\FLAGS
HKCR\TypeLib\{ABCD4567-7437-43EF-AB74-4AB1D3A37411}\1.0\HELPDIR
HKCR\Interface\{4567AB12-A884-4CA6-B739-CEDB12FEF096}
HKCR\Interface\{4567AB12-A884-4CA6-B739-CEDB12FEF096}\ProxyStubClsid
HKCR\Interface\{4567AB12-A884-4CA6-B739-CEDB12FEF096}\ProxyStubClsid32
HKCR\Interface\{4567AB12-A884-4CA6-B739-CEDB12FEF096}\TypeLib
HKCR\Interface\{4567AB12-A884-4CA6-B739-CEDB12FEF096}\TypeLib#Version
HKCR\Interface\{ABCD4567-4D73-43E9-85E5-53A2DBD95411}
HKCR\Interface\{ABCD4567-4D73-43E9-85E5-53A2DBD95411}\ProxyStubClsid
HKCR\Interface\{ABCD4567-4D73-43E9-85E5-53A2DBD95411}\ProxyStubClsid32
HKCR\Interface\{ABCD4567-4D73-43E9-85E5-53A2DBD95411}\TypeLib
HKCR\Interface\{ABCD4567-4D73-43E9-85E5-53A2DBD95411}\TypeLib#Version
HKCR\Interface\{ABCD4567-D8E8-4DF1-A3EA-D0AA72F42611}
HKCR\Interface\{ABCD4567-D8E8-4DF1-A3EA-D0AA72F42611}\ProxyStubClsid
HKCR\Interface\{ABCD4567-D8E8-4DF1-A3EA-D0AA72F42611}\ProxyStubClsid32
HKCR\Interface\{ABCD4567-D8E8-4DF1-A3EA-D0AA72F42611}\TypeLib
HKCR\Interface\{ABCD4567-D8E8-4DF1-A3EA-D0AA72F42611}\TypeLib#Version
HKLM\SYSTEM\CurrentControlSet\Services\uwasfsd
HKLM\SYSTEM\CurrentControlSet\Services\uwasfsd#Type
HKLM\SYSTEM\CurrentControlSet\Services\uwasfsd#Start
HKLM\SYSTEM\CurrentControlSet\Services\uwasfsd#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\uwasfsd#Tag
HKLM\SYSTEM\CurrentControlSet\Services\uwasfsd#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\uwasfsd#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\uwasfsd#Group
HKLM\SYSTEM\CurrentControlSet\Services\uwasfsd\Security
HKLM\SYSTEM\CurrentControlSet\Services\uwasfsd\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\uwasfsd\Enum
HKLM\SYSTEM\CurrentControlSet\Services\uwasfsd\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\uwasfsd\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\uwasfsd\Enum#NextInstance

Adware.Tracking Cookie
C:\Documents and Settings\LocalService\Cookies\system@enhance[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@adserver[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@dealtime[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@doubleclick[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@fastclick[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@overture[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@revsci[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@zedo[1].txt

Trojan.Unknown Origin
C:\DOCUMENTS AND SETTINGS\OWNER\DESKTOP\WINPFIND35U\MOVEDFILES\02072008_165906\PROGRAM FILES\COMMON FILES\ZOKU\ZOKUM.EXE
C:\PROGRAM FILES\COMMON FILES\ZOKU\ZOKUA.EXE
C:\PROGRAM FILES\COMMON FILES\ZOKU\ZOKUL.EXE
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WNSINTICOM32.EXE.VIR
C:\SDFIX\BACKUPS\UNINSTALL_NMON.VBS
C:\SDFIX\BACKUPS\XRH5W2EU.VBS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP20\A0108531.VBS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP20\A0108553.VBS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108606.EXE

Malware.Ultimate Defender
C:\DOCUMENTS AND SETTINGS\OWNER\DESKTOP\WINPFIND35U\MOVEDFILES\02072008_165906\WINDOWS\SYSTEM32\KQGUBSTD\KQGUBSTD3.EXE

Adware.ZenoSearch-NVON
C:\DOCUMENTS AND SETTINGS\OWNER\DESKTOP\WINPFIND35U\MOVEDFILES\02072008_165906\WINDOWS\SYSTEM32\LODSRNGS.EXE
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DWDSRNGT.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108598.EXE

Malware.SystemDoctor
C:\DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\SYSTEMDOCTORNEWRELEASEINSTALL.EXE

Adware.Unknown Origin
C:\PROGRAM FILES\COMMON FILES\ZOKU\ZOKUD\CLASS-BARREL
C:\PROGRAM FILES\COMMON FILES\ZOKU\ZOKUD\VOCABULARY
C:\SDFIX\BACKUPS\ZXDNT3D.CFG
C:\SYSTEM VOLUME INFORMATION\_RESTORE{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP20\A0108552.CFG

Unclassified.Unknown Origin/System
C:\PROGRAM FILES\COMMON FILES\ZOKU\ZOKUD\ZOKUC.DLL

Trojan.Downloader-Gen
C:\PROGRAM FILES\COMMON FILES\ZOKU\ZOKUP.EXE

Adware.ClickSpring
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\ECURIT~1\SERVICES.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108569.EXE

Trojan.Downloader-Gen/QDRModule
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\QDRMODULE\QDRMODULE9.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108581.EXE

Trojan.WinAntiSpyware/WinAntiVirus 2006
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WINANTISPYWARE 2006 FREE\UWAS6CW.EXE.VIR
C:\SDFIX\BACKUPS\UWA7P_0001_N91M0809NETINSTALLER.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108593.EXE

Trojan.Downloader-Gen/DDC
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DBUXURMT.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\NAQGWSND.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\RQYJXXUG.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\XRKMUVLG.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108607.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108608.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108609.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108610.EXE

TargetSaver, Inc. Process
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\TSUNINST.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP23\A0108601.EXE

Adware.Adservs
C:\SDFIX\BACKUPS\ASAPPSRV.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP20\A0108529.DLL

Trojan.Downloader-Gen/Installer
C:\SDFIX\BACKUPS\B128.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP20\A0108544.EXE

Unclassified.Unknown Origin
C:\SDFIX\BACKUPS\COMMAND.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP20\A0108530.EXE

Trojan.IP6FW/Rootkit
C:\SDFIX\BACKUPS\IP6FW.SYS

Trojan.NetMon/DNSChange
C:\SDFIX\BACKUPS\NETMON.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{43B78486-6683-49D7-8CB0-136F80BEDD14}\RP20\A0108545.EXE

Adware.ClickSpring/Yazzle
C:\SDFIX\BACKUPS\YAZZLE1122OINADMIN.EXE
C:\SDFIX\BACKUPS\YAZZLE1122OINUNINSTALLER.EXE
C:\SDFIX\BACKUPS\YAZZLE1281OINADMIN.EXE
C:\SDFIX\BACKUPS\YAZZLE1281OINUNINSTALLER.EXE
C:\SDFIX\BACKUPS\YAZZLE1552OINADMIN.EXE
C:\SDFIX\BACKUPS\YAZZLE1552OINUNINSTALLER.EXE

Trojan.ZenoSearch
C:\WINDOWS\SYSTEM32\SWINPMDQ.EXE
C:\WINDOWS\SYSTEM32\SWINPMDS.EXE
C:\WINDOWS\SYSTEM32\SWINPMDT.EXE
  • 0

#14
Rorschach112
Posted 08 February 2008 - 07:46 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please post a new DSS log and tell me how your PC is running
  • 0

#15
kuraikinzoku
Posted 08 February 2008 - 04:39 PM

kuraikinzoku

    Member

  • Topic Starter
  • Member
  • PipPip
  • 38 posts
Deckard's System Scanner v20071014.68
Run by Owner on 2008-02-08 17:35:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 92% (more than 75%).
Total Physical Memory: 255 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:35:53 PM, on 2/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\WINDOWS\system32\wuauclt.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [{34-4F-F5-54-ZN}] C:\WINDOWS\system32\lodsrngs.exe CHD003
O4 - HKLM\..\Run: [wmjwkrfk] C:\Program Files\Qbkjqwxd\wmjwkrfk.exe
O4 - HKLM\..\Run: [WinAntiSpyware 2006 Free] "C:\Program Files\WinAntiSpyware 2006 Free\was6.exe" /min
O4 - HKLM\..\Run: [uwas6cw] "C:\Program Files\WinAntiSpyware 2006 Free\uwas6cw.exe" -c
O4 - HKLM\..\Run: [SystemDoctor Free] C:\Program Files\SystemDoctor Free\sdmain.exe -scan
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\SystemDoctor\dcpasmon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [zoku] C:\PROGRA~1\COMMON~1\zoku\zokum.exe
O4 - HKCU\..\Run: [Words] C:\Program Files\Words\Words.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Owner\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.0\webbuying.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\whlwov.exe
O4 - HKCU\..\Run: [Sen] "C:\PROGRA~1\COMMON~1\ECURIT~1\services.exe" -vt yazb
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1202104112593
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4755 bytes

-- Files created between 2008-01-08 and 2008-02-08 -----------------------------

2008-02-05 21:35:37 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-02-05 21:35:37 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-02-05 21:35:37 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-02-05 21:35:37 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-02-05 17:40:10 0 d-------- C:\WINDOWS\ERUNT
2008-02-03 22:21:55 0 d-------- C:\Program Files\Trend Micro
2008-02-03 21:54:22 0 d-------- C:\WINDOWS\system32\PreInstall
2008-02-03 11:19:57 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-02-02 22:33:15 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-02 22:29:59 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-02-02 22:29:58 0 d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-02-02 22:24:27 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-02 21:35:38 0 d--h----- C:\WINDOWS\$hf_mig$
2008-02-02 21:30:56 0 d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-02-02 21:29:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-02 21:25:38 0 d-------- C:\WINDOWS\pss
2008-02-02 21:21:08 0 d--h----- C:\Documents and Settings\Administrator.USER-0358FF83F2\Templates
2008-02-02 21:21:08 0 dr------- C:\Documents and Settings\Administrator.USER-0358FF83F2\Start Menu
2008-02-02 21:21:08 0 dr-h----- C:\Documents and Settings\Administrator.USER-0358FF83F2\SendTo
2008-02-02 21:21:08 0 d--h----- C:\Documents and Settings\Administrator.USER-0358FF83F2\Recent
2008-02-02 21:21:08 0 d--h----- C:\Documents and Settings\Administrator.USER-0358FF83F2\PrintHood
2008-02-02 21:21:08 0 d--h----- C:\Documents and Settings\Administrator.USER-0358FF83F2\NetHood
2008-02-02 21:21:08 0 d-------- C:\Documents and Settings\Administrator.USER-0358FF83F2\My Documents
2008-02-02 21:21:08 0 d--h----- C:\Documents and Settings\Administrator.USER-0358FF83F2\Local Settings
2008-02-02 21:21:08 0 d-------- C:\Documents and Settings\Administrator.USER-0358FF83F2\Favorites
2008-02-02 21:21:08 0 d-------- C:\Documents and Settings\Administrator.USER-0358FF83F2\Desktop
2008-02-02 21:21:08 0 d---s---- C:\Documents and Settings\Administrator.USER-0358FF83F2\Cookies
2008-02-02 21:21:08 0 dr-h----- C:\Documents and Settings\Administrator.USER-0358FF83F2\Application Data
2008-02-02 21:21:08 0 d---s---- C:\Documents and Settings\Administrator.USER-0358FF83F2\Application Data\Microsoft
2008-02-02 21:21:07 524288 --ah----- C:\Documents and Settings\Administrator.USER-0358FF83F2\NTUSER.DAT
2008-01-24 19:01:38 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-01-24 18:59:39 0 d-------- C:\Program Files\RcvSystem


-- Find3M Report ---------------------------------------------------------------

2008-02-07 16:59:06 0 d-------- C:\Program Files\Qbkjqwxd
2008-02-05 21:40:26 0 d-------- C:\Program Files\Common Files
2008-02-05 00:24:34 0 d-------- C:\Program Files\Messenger
2008-02-03 18:35:18 155648 --a------ C:\WINDOWS\system32\igfxtray.exe <Not Verified; Intel Corporation; Intel® Common User Interface>
2008-02-03 18:35:13 118784 --a------ C:\WINDOWS\system32\hkcmd.exe <Not Verified; Intel Corporation; Intel® Common User Interface>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 01:25 AM]
"{34-4F-F5-54-ZN}"="C:\WINDOWS\system32\lodsrngs.exe" []
"wmjwkrfk"="C:\Program Files\Qbkjqwxd\wmjwkrfk.exe" []
"WinAntiSpyware 2006 Free"="C:\Program Files\WinAntiSpyware 2006 Free\was6.exe" []
"uwas6cw"="C:\Program Files\WinAntiSpyware 2006 Free\uwas6cw.exe" []
"SystemDoctor Free"="C:\Program Files\SystemDoctor Free\sdmain.exe" []
"svchost"="C:\WINDOWS\svchost.exe" []
"startdrv"="C:\WINDOWS\Temp\startdrv.exe" []
"Salestart"="C:\Program Files\Common Files\SystemDoctor\dcpasmon.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 05:24 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [08/15/2007 07:15 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [07/27/2004 03:50 PM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [07/27/2004 03:50 PM]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [02/03/2008 06:35 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [02/03/2008 06:35 PM]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [02/03/2008 06:33 PM]
"BCMSMMSG"="BCMSMMSG.exe" [08/29/2003 04:59 AM C:\WINDOWS\BCMSMMSG.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/27/2007 11:39 AM]
"zoku"="C:\PROGRA~1\COMMON~1\zoku\zokum.exe" []
"Words"="C:\Program Files\Words\Words.exe" []
"WinTouch"="C:\Documents and Settings\Owner\Application Data\WinTouch\WinTouch.exe" []
"WinPop"="C:\Program Files\WinPop\winpop.exe" []
"WinAble"="C:\Program Files\WinAble\winable.exe" []
"WebBuying"="C:\Program Files\Web Buying\v1.8.0\webbuying.exe" []
"SfKg6w"="C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\whlwov.exe" []
"Sen"="C:\PROGRA~1\COMMON~1\ECURIT~1\services.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 02/27/2007 11:39 AM 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Qvb05.sys]
@="Driver"




-- End of Deckard's System Scanner: finished at 2008-02-08 17:37:09 ------------
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP