Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

win32/conhook.d removal? [CLOSED]

Started by renaldoaoa , Apr 24 2008 12:02 PM

This topic is locked

#1
renaldoaoa

Posted 24 April 2008 - 12:02 PM

Member

Member
35 posts

I have no earthly clue on where I picked this up, but nonetheless I have it.
Windows defender found it and cleaned 3 or 4 times, but it still comes back and when it does come back spysweeper shows that explore.exe (brower addon) and blocks it from running.

Step by step what I've done...
1.
I ran hijackthis and got the log

2.
I ran malewarebytes on full scan and told it to fix everything selected. The report said there were a few things it had to restart to get rid of. When I restarted I get "bad image c:windows\system32\jrhwucxu.dll" and "rundll error with the same name %1 is not a valid win32 application.

3.
I ran hijackthis and got the log

4.
I ran ATF cleaner and selected all for win xp and firefox (except saved passwords)After I did this spysweeper showed lsass.exe as a brower addon
so I blocked it.

5.
I ran hijackthis and got the log

------------------------------------------
Hijackthis log BEFORE doing anything
------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:16:07 PM, on 4/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\MSI\LAN Utility\DiagAP8169.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DiagAP8169] C:\Program Files\MSI\LAN Utility\DiagAP8169 /hw
O4 - HKLM\..\Run: [Media Codec Update Service] "C:\Program Files\Essentials Codec Pack\update.exe" -silent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BDRegion] "C:\Program Files\Cyberlink\Shared Files\brs.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Service] C:\WINDOWS\service.exe
O4 - HKLM\..\Run: [5cfa73f7] "rundll32.exe" "C:\WINDOWS\system32\jrhwucxu.dll",b
O4 - HKLM\..\Run: [BM5fc9406b] Rundll32.exe "C:\WINDOWS\system32\ktvcptmn.dll",s
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\RunServices: [Service] C:\WINDOWS\service.exe
O4 - HKCU\..\Run: [Service] C:\WINDOWS\service.exe
O4 - HKCU\..\RunServices: [Service] C:\WINDOWS\service.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7484 bytes
-----------------------------------------------

Malwarebytes' Anti-Malware 1.11
Database version: 676

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 117287
Time elapsed: 50 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 15
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\jrhwucxu.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\rqRIcYrR.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\wvUlijGV.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a90018aa-5c0d-4348-b338-42509a169072} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{a90018aa-5c0d-4348-b338-42509a169072} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{f3aef888-a3e2-44eb-bd85-f0c85ba7673f} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f3aef888-a3e2-44eb-bd85-f0c85ba7673f} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wvulijgv (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f3aef888-a3e2-44eb-bd85-f0c85ba7673f} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM5fc9406b (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\rqricyrr -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\rqricyrr -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\jrhwucxu.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\uxcuwhrj.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\rqRIcYrR.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\RrYcIRqr.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\RrYcIRqr.ini2 (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\wvUlijGV.dll (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\YL2F85QF\css4[1] (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\ktvcptmn.dll (Trojan.Agent) -> No action taken.

--------------------------------------------
Hijackthis log after Malwarebytes
--------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:18:08 PM, on 4/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\MSI\LAN Utility\DiagAP8169.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\TechSmith\SnagIt 8\SnagPriv.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1BA8C76D-27F5-4A5D-BC48-066AB64E0394} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DiagAP8169] C:\Program Files\MSI\LAN Utility\DiagAP8169 /hw
O4 - HKLM\..\Run: [Media Codec Update Service] "C:\Program Files\Essentials Codec Pack\update.exe" -silent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BDRegion] "C:\Program Files\Cyberlink\Shared Files\brs.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Service] C:\WINDOWS\service.exe
O4 - HKLM\..\Run: [5cfa73f7] "rundll32.exe" "C:\WINDOWS\system32\jrhwucxu.dll",b
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\RunServices: [Service] C:\WINDOWS\service.exe
O4 - HKCU\..\Run: [Service] C:\WINDOWS\service.exe
O4 - HKCU\..\RunServices: [Service] C:\WINDOWS\service.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8056 bytes

---------------------------------------
hijackthis log after ATF cleaner
---------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:27:45 PM, on 4/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\MSI\LAN Utility\DiagAP8169.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1BA8C76D-27F5-4A5D-BC48-066AB64E0394} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DiagAP8169] C:\Program Files\MSI\LAN Utility\DiagAP8169 /hw
O4 - HKLM\..\Run: [Media Codec Update Service] "C:\Program Files\Essentials Codec Pack\update.exe" -silent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BDRegion] "C:\Program Files\Cyberlink\Shared Files\brs.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Service] C:\WINDOWS\service.exe
O4 - HKLM\..\Run: [5cfa73f7] "rundll32.exe" "C:\WINDOWS\system32\jrhwucxu.dll",b
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\RunServices: [Service] C:\WINDOWS\service.exe
O4 - HKCU\..\Run: [Service] C:\WINDOWS\service.exe
O4 - HKCU\..\RunServices: [Service] C:\WINDOWS\service.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7909 bytes

I'm not exactly sure what I'm looking for, but how are things looking?

#2
sarahw

Posted 24 April 2008 - 06:20 PM

Malware Staff

Member
2,781 posts

Hi,
Welcome to the site

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

I want you to show hidden files. There are instructions HERE to help you do this.
You should have Administrator rights to perform the fixes. Some of the instructions I give may need to be printed or saved for reference during the fix. Some of the fix will be done in Safe Mode so you will be unable to access this thread at that time.
Please dont use any of the tools without specific instructions. Some of them are dangerous (and could leave your computer in worse condition that it is when infected) if used incorrectly.
These instuctions should be read first, then followed. If you do not understand something, don't be afraid to ask, or see if I'm on chat.

#3
sarahw

Posted 24 April 2008 - 06:29 PM

Malware Staff

Member
2,781 posts

Hi,
Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

#4
renaldoaoa

Posted 25 April 2008 - 12:11 PM

Member

Topic Starter
Member
35 posts

Hi there sarahw

First off thanks for taking the time to review and help me through this process. It's a pain when
some of these things slip by when you think your protected.

In a situation such as this I will proly give you more info that is needed, but I figure I might
as well let you know how things go step by step. I tend to want to get as much info from my
friends when helping them with their cp's. Not enough info is worse than too much.

Hidden files are now shown via the instructions you've provided.
Admin rights and working in safe mode shouldnt pose a problem.

Ok, running combofix I got a warning from spysweeper about letting something prolaunch which I
guessed is combofix so I allowed access. I also get a macafee security center warning "the
potentially unwanted program c:\ 327882r2fwjfw\psexec.cfexe has been trusted. you can restart the
program now to run it.

While combo fix was running macafee found elcar. Combofix rebooted and I got
"windows\system32\jrhwucxu.dll"error

Combofix finished, I saved the log but when it was done the only thing I could see was my desktop
wallpaper. I couldn't access anything except task manager so I restarted and now I can access
everything.

After reboot I get no warnings. Biofix changed my default browers from Firefox to IE.

ComboFix 08-04-24.1 - Owner 2008-04-25 13:40:28.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1008 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\jrhwucxu.dll
C:\WINDOWS\system32\ktvcptmn.dll
C:\WINDOWS\system32\rqRIcYrR.dll
C:\WINDOWS\system32\RrYcIRqr.ini
C:\WINDOWS\system32\RrYcIRqr.ini2
C:\WINDOWS\system32\uxcuwhrj.ini
C:\WINDOWS\system32\wvUlijGV.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-25 to 2008-04-25 )))))))))))))))))))))))))))))))
.

2008-04-25 13:40 . 2008-04-25 13:40 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-04-24 12:18 . 2008-04-24 12:18 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-24 12:17 . 2008-04-24 13:11 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-24 12:17 . 2008-04-24 12:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-24 12:14 . 2008-04-24 12:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-23 07:07 . 2008-04-23 07:07 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Webroot
2008-04-23 02:59 . 2008-04-24 07:24 109,738 --a------ C:\WINDOWS\BM5fc9406b.xml
2008-04-22 16:40 . 2008-04-22 16:40 <DIR> d-------- C:\Program Files\Kalypso
2008-04-21 16:34 . 2008-04-21 16:34 <DIR> d-------- C:\Documents and Settings\Owner\Logs
2008-04-21 16:27 . 2008-04-21 16:27 <DIR> d-------- C:\Logs
2008-04-21 13:13 . 2008-04-22 16:50 <DIR> d-------- C:\Program Files\World of Warcraft
2008-04-21 13:13 . 2008-04-21 13:13 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-04-19 02:11 . 2008-04-21 12:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-19 02:11 . 2008-04-19 02:11 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-16 19:14 . 2008-04-16 19:14 <DIR> d-------- C:\Program Files\Telltale Games
2008-04-16 17:53 . 2008-04-16 17:53 <DIR> d-------- C:\Program Files\Webroot
2008-04-16 17:53 . 2008-04-16 17:53 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-04-16 17:53 . 2008-04-16 17:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-04-16 17:53 . 2007-01-25 21:57 144,448 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-04-16 17:53 . 2007-01-25 21:57 22,080 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-04-16 17:53 . 2007-01-25 21:57 21,056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-04-16 17:53 . 2007-01-25 21:57 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2008-04-16 17:51 . 2008-04-16 17:51 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Webroot
2008-04-16 16:23 . 2008-04-16 16:23 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\McAfee
2008-04-13 22:21 . 2008-04-14 13:54 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Petroglyph
2008-04-13 22:19 . 2008-04-13 22:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\LucasArts
2008-04-13 22:19 . 2008-04-13 22:19 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-04-13 22:12 . 2008-04-14 13:43 <DIR> d-------- C:\Program Files\LucasArts
2008-04-13 12:36 . 2008-04-13 12:40 <DIR> d-------- C:\Program Files\illusion
2008-04-13 10:49 . 2008-04-13 12:24 3,020 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-13 09:25 . 2008-04-13 09:25 49 --a------ C:\smp.bat
2008-04-13 02:35 . 2008-04-13 02:35 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-04-13 02:35 . 2008-04-13 02:35 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-04-13 02:29 . 2008-04-13 02:29 <DIR> d-------- C:\WINDOWS\Crusaders - Thy Kingdom Come
2008-04-13 02:29 . 2008-04-13 02:29 <DIR> d-------- C:\NeocoreGames
2008-04-09 04:30 . 2008-04-09 04:30 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\InstallShield
2008-04-09 04:13 . 2008-04-09 04:13 <DIR> d-------- C:\Program Files\Firaxis Games
2008-04-09 04:12 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-04-08 18:43 . 2008-04-24 22:29 <DIR> d-------- C:\Program Files\BOINC
2008-04-06 17:39 . 2008-04-06 17:39 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Hewlett-Packard
2008-04-06 17:37 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-04-06 17:37 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-04-06 17:37 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-06 17:37 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-04-06 17:37 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-04-06 17:37 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-04-06 17:35 . 2008-04-06 17:35 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-04-06 17:35 . 2008-04-06 17:35 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-04-06 17:34 . 2008-04-06 17:38 19,558 --a------ C:\WINDOWS\hpoins01.dat
2008-04-06 17:34 . 2003-04-22 10:24 16,606 --------- C:\WINDOWS\hpomdl01.dat
2008-04-05 17:22 . 2008-04-05 17:22 <DIR> d-------- C:\Program Files\TechSmith
2008-04-05 17:22 . 2008-04-05 17:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TechSmith
2008-04-05 17:21 . 2008-04-13 02:34 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-04 14:55 . 2008-04-04 14:55 <DIR> d-------- C:\Program Files\Common Files\ChessBase
2008-04-04 14:53 . 2008-04-04 14:55 <DIR> d-------- C:\Program Files\ChessBase
2008-04-03 20:37 . 2008-04-03 20:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Jane s Hotel Family Hero
2008-04-03 20:36 . 2008-04-03 20:36 <DIR> d-------- C:\WINDOWS\Jane's Hotel. Family Hero
2008-04-03 18:37 . 2008-04-03 18:37 <DIR> d-------- C:\Program Files\LG Drivers
2008-04-03 18:37 . 2005-06-24 18:36 39,036 --a------ C:\WINDOWS\system32\drivers\lgusbmodem.sys
2008-04-03 18:37 . 2005-05-26 11:01 38,144 --a------ C:\WINDOWS\system32\drivers\lgusbdiag.sys
2008-04-03 18:37 . 2005-05-26 11:01 21,344 --a------ C:\WINDOWS\system32\drivers\lgusbbus.sys
2008-04-03 18:15 . 2008-04-03 18:16 <DIR> d-------- C:\Program Files\BitPim
2008-04-03 15:45 . 2008-04-03 16:12 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\ChessBase
2008-03-29 14:21 . 2008-03-29 14:21 180 --a------ C:\WINDOWS\system32\sam.ini
2008-03-28 13:25 . 2008-03-28 13:25 <DIR> d-------- C:\Program Files\MySpace
2008-03-28 13:25 . 2008-03-28 13:25 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\MySpace
2008-03-28 12:57 . 2008-03-28 12:57 <DIR> d-------- C:\Program Files\Game Elements
2008-03-28 12:57 . 2006-02-16 09:54 487,424 --a------ C:\WINDOWS\system32\FDRpage.dll
2008-03-28 12:57 . 2005-12-09 12:24 192,512 --a------ C:\WINDOWS\system32\CreateDir.exe
2008-03-28 12:57 . 2006-01-04 16:39 77,824 --a------ C:\WINDOWS\system32\FDRdriver.dll
2008-03-28 12:57 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-03-28 12:57 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-03-28 12:57 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-03-28 12:57 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-03-28 12:57 . 2006-01-07 12:09 7,548 --a------ C:\WINDOWS\system32\drivers\Samhid.sys
2008-03-28 12:48 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-03-28 12:48 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-03-27 16:58 . 2008-03-27 16:58 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\CyberLink
2008-03-27 16:55 . 2008-03-27 16:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-03-27 16:54 . 2008-03-27 16:55 <DIR> d-------- C:\Program Files\CyberLink
2008-03-27 16:23 . 2008-03-27 16:23 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\DivX
2008-03-26 01:46 . 2008-03-26 01:46 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\{0E8E33D8-193A-414A-A909-0F101A142D26}
2008-03-26 01:44 . 2008-03-26 01:44 <DIR> d-------- C:\Program Files\Stardock Games
2008-03-26 01:40 . 2008-03-26 01:40 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-03-26 01:37 . 2008-03-26 01:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\DAEMON Tools
2008-03-26 01:37 . 2008-03-26 01:37 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-03-26 01:33 . 2008-03-26 01:33 <DIR> d-------- C:\Program Files\[bleep] NFO Viewer
2008-03-25 21:19 . 2008-04-03 23:56 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-03-25 21:19 . 2008-03-25 21:19 669 --a------ C:\WINDOWS\mozver.dat
2008-03-25 16:18 . 2008-03-25 16:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Raxco
2008-03-25 16:18 . 2008-01-09 22:00 68,624 -ra------ C:\WINDOWS\system32\drivers\DefragFS.sys
2008-03-25 15:45 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-03-25 15:36 . 2008-03-25 16:18 <DIR> d-------- C:\Program Files\Raxco
2008-03-25 15:24 . 2008-04-23 23:35 <DIR> d-------- C:\Program Files\eMule
2008-03-25 15:07 . 2008-03-25 15:07 <DIR> d-------- C:\Program Files\VSO
2008-03-25 15:07 . 2008-04-17 17:39 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Vso
2008-03-25 15:07 . 2004-05-04 11:53 1,645,320 --a------ C:\WINDOWS\gdiplus.dll
2008-03-25 15:07 . 2006-05-20 16:16 1,184,984 --a------ C:\WINDOWS\system32\wvc1dmod.dll
2008-03-25 15:07 . 2006-05-11 19:21 626,688 --a------ C:\WINDOWS\system32\vp7vfw.dll
2008-03-25 15:07 . 2006-09-29 12:24 217,127 --a------ C:\WINDOWS\system32\drv43260.dll
2008-03-25 15:07 . 2006-09-29 12:25 208,935 --a------ C:\WINDOWS\system32\drv33260.dll
2008-03-25 15:07 . 2006-09-29 12:26 176,165 --a------ C:\WINDOWS\system32\drv23260.dll
2008-03-25 15:07 . 2008-03-25 15:07 87,608 --a------ C:\Documents and Settings\Owner\Application Data\inst.exe
2008-03-25 15:07 . 2007-03-18 20:37 65,602 --a------ C:\WINDOWS\system32\cook3260.dll
2008-03-25 15:07 . 2008-03-25 15:07 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-03-25 15:07 . 2008-03-25 15:07 47,360 --a------ C:\Documents and Settings\Owner\Application Data\pcouffin.sys
2008-03-25 14:53 . 2008-03-25 14:53 <DIR> d-------- C:\Program Files\uTorrent
2008-03-25 14:53 . 2008-04-24 09:28 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
2008-03-25 14:32 . 2008-03-25 14:32 <DIR> d-------- C:\Program Files\VideoLAN
2008-03-25 14:32 . 2008-03-25 14:32 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\vlc
2008-03-25 13:58 . 2008-03-25 13:58 <DIR> d-------- C:\Program Files\Windows Defender
2008-03-25 13:20 . 2008-04-25 13:44 10,694 --a------ C:\WINDOWS\system32\Config.MPF
2008-03-25 13:18 . 2008-03-25 13:18 <DIR> d-------- C:\Program Files\McAfee.com
2008-03-25 13:18 . 2008-04-21 16:32 <DIR> d-------- C:\Program Files\McAfee
2008-03-25 13:18 . 2008-03-25 15:44 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-03-25 13:18 . 2008-02-06 09:51 171,400 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-03-25 13:18 . 2007-03-02 14:16 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-03-25 13:18 . 2007-06-25 14:54 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-03-25 13:18 . 2007-06-25 10:57 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-03-25 13:18 . 2007-06-25 10:57 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-03-25 13:18 . 2007-06-25 10:57 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-03-25 13:12 . 2008-03-25 13:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-25 13:06 . 2008-04-16 16:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-21 16:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-16 23:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-11 18:46 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-03-25 17:31 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-25 17:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-25 17:03 --------- d-----w C:\Program Files\Java
2008-03-21 22:42 --------- d-----w C:\Program Files\Bonjour
2008-03-21 22:42 --------- d-----w C:\Program Files\Apple Software Update
2008-03-21 22:41 --------- d-----w C:\Program Files\Common Files\Apple
2008-03-21 22:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-03-21 22:40 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2008-03-21 22:39 --------- d-----w C:\Program Files\Common Files\Java
2008-03-21 22:38 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-21 22:38 --------- d-----w C:\Program Files\BurnAware Free Edition
2008-03-21 22:37 --------- d-----w C:\Program Files\7-Zip
2008-03-21 22:23 --------- d-----w C:\Program Files\PKWARE
2008-03-21 22:23 --------- d-----w C:\Program Files\Essentials Codec Pack
2008-03-21 22:23 --------- d-----w C:\Program Files\DivX
2008-03-21 22:23 --------- d-----w C:\Program Files\Common Files\PKWARE
2008-03-21 22:22 --------- d-----w C:\Program Files\Combined Community Codec Pack
2008-03-21 22:03 --------- d-----w C:\Program Files\VIA
2008-03-21 22:02 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-21 22:01 --------- d-----w C:\Program Files\MSI
2008-03-21 22:00 --------- d-----w C:\Program Files\Realtek Sound Manager
2008-03-21 22:00 --------- d-----w C:\Program Files\Realtek AC97
2008-03-21 22:00 --------- d-----w C:\Program Files\AvRack
2008-03-21 21:59 --------- d-----w C:\Program Files\MSBuild
2008-03-21 21:59 --------- d-----w C:\Program Files\AMD
2008-03-21 21:56 --------- d-----w C:\Program Files\Reference Assemblies
2008-03-21 21:54 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-21 21:17 --------- d-----w C:\Program Files\MSXML 6.0
2008-03-21 20:20 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-04 18:00 811,776 ----a-w C:\WINDOWS\boinc.scr
2008-02-25 16:54 105,088 ----a-w C:\WINDOWS\system32\drivers\Rtnicxp.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1BA8C76D-27F5-4A5D-BC48-066AB64E0394}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Service"="C:\WINDOWS\service.exe" [ ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Service"="C:\WINDOWS\service.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2006-02-28 08:00 33280 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2006-02-28 08:00 33280 C:\WINDOWS\system32\rundll32.exe]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 05:42 577536 C:\WINDOWS\soundman.exe]
"DiagAP8169"="C:\Program Files\MSI\LAN Utility\DiagAP8169 /hw" [ ]
"Media Codec Update Service"="C:\Program Files\Essentials Codec Pack\update.exe" [2007-04-08 12:44 303104]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"BDRegion"="C:\Program Files\Cyberlink\Shared Files\brs.exe" [2008-02-21 10:24 91432]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2008-01-22 14:23 81920]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 12:06 62760]
"5cfa73f7"="rundll32.exe" [2006-02-28 08:00 33280 C:\WINDOWS\system32\rundll32.exe]
"combofix"="C:\WINDOWS\system32\CF13532.exe" [2006-02-28 08:00 388608]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-01-25 21:58 4865600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Service"="C:\WINDOWS\service.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 16:32 8699904]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-09 18:21:38 147456]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 18:11:12 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\ff_vfw.dll
"vidc.wmv3"= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Empire at War Forces of Corruption\\swfoc.exe"=

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 20:22]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2008-01-18 23:01]
R2 LANPkt;Realtek LANPkt Protocol;C:\WINDOWS\system32\DRIVERS\LANPkt.sys [2003-09-17 15:57]
R2 PD91Agent;PD91Agent;"C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe" [2008-01-16 10:52]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-03 18:31]
R3 Diag69xp;Diag69xp;C:\WINDOWS\system32\Drivers\Diag69xp.sys [2003-09-02 11:25]
S3 PD91Engine;PD91Engine;"C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe" [2008-01-16 10:52]
S3 samhid;samhid;C:\WINDOWS\system32\drivers\samhid.sys [2006-01-07 12:09]
S3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\RTL8150.SYS [2006-05-10 16:22]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchEAW.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-14 13:24:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-06 21:39:32 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1207517937.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-04-25 17:46:43 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-25 13:44:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\MSI\LAN Utility\DiagAP8169.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
C:\Program Files\Webroot\Spy Sweeper\ssu.exe
.
**************************************************************************
.
Completion time: 2008-04-25 13:47:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-25 17:47:13

Pre-Run: 263,032,623,104 bytes free
Post-Run: 263,453,253,632 bytes free

311 --- E O F --- 2008-04-25 02:29:51

---------------------------------------------------------------------------------
Just for the heck of it I also did another hijackthis log after combofix.
---------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:14:41 PM, on 4/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\MSI\LAN Utility\DiagAP8169.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DiagAP8169] C:\Program Files\MSI\LAN Utility\DiagAP8169 /hw
O4 - HKLM\..\Run: [Media Codec Update Service] "C:\Program Files\Essentials Codec Pack\update.exe" -silent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BDRegion] "C:\Program Files\Cyberlink\Shared Files\brs.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\RunServices: [Service] C:\WINDOWS\service.exe
O4 - HKCU\..\Run: [Service] C:\WINDOWS\service.exe
O4 - HKCU\..\RunServices: [Service] C:\WINDOWS\service.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7757 bytes

Again thanks for the help!!

Edited by renaldoaoa, 25 April 2008 - 12:16 PM.

#5
sarahw

Posted 25 April 2008 - 08:44 PM

Malware Staff

Member
2,781 posts

Hi there,
Please go to UploadMalware to upload a suspicious file for analysis.

Enter your username from this forum
Copy and paste the link to this thread
Browse for this filename: C:\WINDOWS\service.exe
In the comments, please mention that I asked you to upload this file
Click on Send File

1. Please open Notepad

Click Start , then Run
Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\service.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1BA8C76D-27F5-4A5D-BC48-066AB64E0394}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Service"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Service"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"5cfa73f7"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Service"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

Combofix.txt
A new HijackThis log.

#6
renaldoaoa

Posted 26 April 2008 - 06:00 AM

Member

Topic Starter
Member
35 posts

Ran into a little problem here. I can't find C:\WINDOWS\service.exe.
I've browsed the windows folder and did a C drive search for service & service.exe to no avail.

The search I did for service. Pic shows everything pertaining to windows.
http://img167.images...cesearchlm2.jpg

I'm gonna sit tight and wait for a reply before going forward with the CFScript.txt.

#7
sarahw

Posted 26 April 2008 - 06:14 AM

Malware Staff

Member
2,781 posts

ok, we'll do that in a moment. Go ahead with the CFScript.txt for now

#8
renaldoaoa

Posted 26 April 2008 - 09:14 AM

Member

Topic Starter
Member
35 posts

Ok. got the CFScript.txt process done. Mcafee found something and auto blocked it, I have no clue as the warning only stayed up for 3 seconds.

Combofix didn't ask me to restart.

ComboFix 08-04-24.1 - Owner 2008-04-26 11:03:22.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1020 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt.txt
* Created a new restore point
* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\service.exe
.

((((((((((((((((((((((((( Files Created from 2008-03-26 to 2008-04-26 )))))))))))))))))))))))))))))))
.

2008-04-26 08:15 . 2008-04-26 08:15 <DIR> d-------- C:\WINDOWS\LastGood
2008-04-26 08:15 . 2008-04-26 08:15 <DIR> d-------- C:\Program Files\2K Games
2008-04-25 13:40 . 2008-04-25 13:40 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-04-24 12:18 . 2008-04-24 12:18 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-24 12:17 . 2008-04-24 13:11 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-24 12:17 . 2008-04-24 12:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-24 12:14 . 2008-04-24 12:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-23 07:07 . 2008-04-23 07:07 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Webroot
2008-04-23 02:59 . 2008-04-24 07:24 109,738 --a------ C:\WINDOWS\BM5fc9406b.xml
2008-04-22 16:40 . 2008-04-22 16:40 <DIR> d-------- C:\Program Files\Kalypso
2008-04-21 16:34 . 2008-04-21 16:34 <DIR> d-------- C:\Documents and Settings\Owner\Logs
2008-04-21 16:27 . 2008-04-21 16:27 <DIR> d-------- C:\Logs
2008-04-21 13:13 . 2008-04-22 16:50 <DIR> d-------- C:\Program Files\World of Warcraft
2008-04-21 13:13 . 2008-04-21 13:13 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-04-19 02:11 . 2008-04-21 12:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-19 02:11 . 2008-04-19 02:11 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-16 19:14 . 2008-04-16 19:14 <DIR> d-------- C:\Program Files\Telltale Games
2008-04-16 17:53 . 2008-04-16 17:53 <DIR> d-------- C:\Program Files\Webroot
2008-04-16 17:53 . 2008-04-16 17:53 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-04-16 17:53 . 2008-04-16 17:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-04-16 17:53 . 2007-01-25 21:57 144,448 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-04-16 17:53 . 2007-01-25 21:57 22,080 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-04-16 17:53 . 2007-01-25 21:57 21,056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-04-16 17:53 . 2007-01-25 21:57 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2008-04-16 17:51 . 2008-04-16 17:51 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Webroot
2008-04-16 16:23 . 2008-04-16 16:23 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\McAfee
2008-04-13 22:21 . 2008-04-14 13:54 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Petroglyph
2008-04-13 22:19 . 2008-04-13 22:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\LucasArts
2008-04-13 22:19 . 2008-04-13 22:19 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-04-13 22:12 . 2008-04-14 13:43 <DIR> d-------- C:\Program Files\LucasArts
2008-04-13 12:36 . 2008-04-13 12:40 <DIR> d-------- C:\Program Files\illusion
2008-04-13 10:49 . 2008-04-13 12:24 3,020 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-13 09:25 . 2008-04-13 09:25 49 --a------ C:\smp.bat
2008-04-13 02:35 . 2008-04-13 02:35 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-04-13 02:35 . 2008-04-13 02:35 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-04-13 02:29 . 2008-04-13 02:29 <DIR> d-------- C:\WINDOWS\Crusaders - Thy Kingdom Come
2008-04-13 02:29 . 2008-04-13 02:29 <DIR> d-------- C:\NeocoreGames
2008-04-09 04:30 . 2008-04-09 04:30 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\InstallShield
2008-04-09 04:13 . 2008-04-09 04:13 <DIR> d-------- C:\Program Files\Firaxis Games
2008-04-09 04:12 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-04-08 18:43 . 2008-04-24 22:29 <DIR> d-------- C:\Program Files\BOINC
2008-04-06 17:39 . 2008-04-06 17:39 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Hewlett-Packard
2008-04-06 17:37 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-04-06 17:37 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-04-06 17:37 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-06 17:37 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-04-06 17:37 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-04-06 17:37 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-04-06 17:35 . 2008-04-06 17:35 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-04-06 17:35 . 2008-04-06 17:35 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-04-06 17:34 . 2008-04-06 17:38 19,558 --a------ C:\WINDOWS\hpoins01.dat
2008-04-06 17:34 . 2003-04-22 10:24 16,606 --------- C:\WINDOWS\hpomdl01.dat
2008-04-05 17:22 . 2008-04-05 17:22 <DIR> d-------- C:\Program Files\TechSmith
2008-04-05 17:22 . 2008-04-05 17:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TechSmith
2008-04-05 17:21 . 2008-04-13 02:34 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-04 14:55 . 2008-04-04 14:55 <DIR> d-------- C:\Program Files\Common Files\ChessBase
2008-04-04 14:53 . 2008-04-04 14:55 <DIR> d-------- C:\Program Files\ChessBase
2008-04-03 20:37 . 2008-04-03 20:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Jane s Hotel Family Hero
2008-04-03 20:36 . 2008-04-03 20:36 <DIR> d-------- C:\WINDOWS\Jane's Hotel. Family Hero
2008-04-03 18:37 . 2008-04-03 18:37 <DIR> d-------- C:\Program Files\LG Drivers
2008-04-03 18:37 . 2005-06-24 18:36 39,036 --a------ C:\WINDOWS\system32\drivers\lgusbmodem.sys
2008-04-03 18:37 . 2005-05-26 11:01 38,144 --a------ C:\WINDOWS\system32\drivers\lgusbdiag.sys
2008-04-03 18:37 . 2005-05-26 11:01 21,344 --a------ C:\WINDOWS\system32\drivers\lgusbbus.sys
2008-04-03 18:15 . 2008-04-03 18:16 <DIR> d-------- C:\Program Files\BitPim
2008-04-03 15:45 . 2008-04-03 16:12 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\ChessBase
2008-03-29 14:21 . 2008-03-29 14:21 180 --a------ C:\WINDOWS\system32\sam.ini
2008-03-28 13:25 . 2008-03-28 13:25 <DIR> d-------- C:\Program Files\MySpace
2008-03-28 13:25 . 2008-03-28 13:25 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\MySpace
2008-03-28 12:57 . 2008-03-28 12:57 <DIR> d-------- C:\Program Files\Game Elements
2008-03-28 12:57 . 2006-02-16 09:54 487,424 --a------ C:\WINDOWS\system32\FDRpage.dll
2008-03-28 12:57 . 2005-12-09 12:24 192,512 --a------ C:\WINDOWS\system32\CreateDir.exe
2008-03-28 12:57 . 2006-01-04 16:39 77,824 --a------ C:\WINDOWS\system32\FDRdriver.dll
2008-03-28 12:57 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-03-28 12:57 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-03-28 12:57 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-03-28 12:57 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-03-28 12:57 . 2006-01-07 12:09 7,548 --a------ C:\WINDOWS\system32\drivers\Samhid.sys
2008-03-28 12:48 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-03-28 12:48 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-03-27 16:58 . 2008-03-27 16:58 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\CyberLink
2008-03-27 16:55 . 2008-03-27 16:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-03-27 16:54 . 2008-03-27 16:55 <DIR> d-------- C:\Program Files\CyberLink
2008-03-27 16:23 . 2008-03-27 16:23 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\DivX
2008-03-26 01:46 . 2008-03-26 01:46 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\{0E8E33D8-193A-414A-A909-0F101A142D26}
2008-03-26 01:44 . 2008-03-26 01:44 <DIR> d-------- C:\Program Files\Stardock Games
2008-03-26 01:40 . 2008-03-26 01:40 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-03-26 01:37 . 2008-03-26 01:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\DAEMON Tools
2008-03-26 01:37 . 2008-03-26 01:37 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-03-26 01:33 . 2008-03-26 01:33 <DIR> d-------- C:\Program Files\[bleep] NFO Viewer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-26 14:59 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-04-26 12:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-26 00:56 --------- d-----w C:\Program Files\eMule
2008-04-21 20:32 --------- d-----w C:\Program Files\McAfee
2008-04-21 16:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-17 21:39 --------- d-----w C:\Documents and Settings\Owner\Application Data\Vso
2008-04-16 20:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-11 18:46 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-03-27 20:53 505,392 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-03-25 20:18 --------- d-----w C:\Program Files\Raxco
2008-03-25 20:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Raxco
2008-03-25 19:44 --------- d-----w C:\Program Files\Common Files\McAfee
2008-03-25 19:07 87,608 ----a-w C:\Documents and Settings\Owner\Application Data\inst.exe
2008-03-25 19:07 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-03-25 19:07 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
2008-03-25 19:07 --------- d-----w C:\Program Files\VSO
2008-03-25 18:53 --------- d-----w C:\Program Files\uTorrent
2008-03-25 18:32 --------- d-----w C:\Program Files\VideoLAN
2008-03-25 18:32 --------- d-----w C:\Documents and Settings\Owner\Application Data\vlc
2008-03-25 17:58 --------- d-----w C:\Program Files\Windows Defender
2008-03-25 17:31 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-25 17:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-25 17:18 --------- d-----w C:\Program Files\McAfee.com
2008-03-25 17:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-25 17:03 --------- d-----w C:\Program Files\Java
2008-03-21 22:42 --------- d-----w C:\Program Files\Bonjour
2008-03-21 22:42 --------- d-----w C:\Program Files\Apple Software Update
2008-03-21 22:41 --------- d-----w C:\Program Files\Common Files\Apple
2008-03-21 22:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-03-21 22:40 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2008-03-21 22:39 --------- d-----w C:\Program Files\Common Files\Java
2008-03-21 22:38 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-21 22:38 --------- d-----w C:\Program Files\BurnAware Free Edition
2008-03-21 22:37 --------- d-----w C:\Program Files\7-Zip
2008-03-21 22:23 --------- d-----w C:\Program Files\PKWARE
2008-03-21 22:23 --------- d-----w C:\Program Files\Essentials Codec Pack
2008-03-21 22:23 --------- d-----w C:\Program Files\DivX
2008-03-21 22:23 --------- d-----w C:\Program Files\Common Files\PKWARE
2008-03-21 22:22 --------- d-----w C:\Program Files\Combined Community Codec Pack
2008-03-21 22:21 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-03-21 22:03 --------- d-----w C:\Program Files\VIA
2008-03-21 22:02 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-21 22:01 --------- d-----w C:\Program Files\MSI
2008-03-21 22:00 --------- d-----w C:\Program Files\Realtek Sound Manager
2008-03-21 22:00 --------- d-----w C:\Program Files\Realtek AC97
2008-03-21 22:00 --------- d-----w C:\Program Files\AvRack
2008-03-21 21:59 --------- d-----w C:\Program Files\MSBuild
2008-03-21 21:59 --------- d-----w C:\Program Files\AMD
2008-03-21 21:56 --------- d-----w C:\Program Files\Reference Assemblies
2008-03-21 21:54 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-21 21:17 --------- d-----w C:\Program Files\MSXML 6.0
2008-03-21 20:20 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-04 18:00 811,776 ----a-w C:\WINDOWS\boinc.scr
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((( snapshot@2008-04-25_13.46.59.75 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-09 08:31:47 53,248 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
+ 2008-04-26 12:15:26 53,248 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
- 2008-04-09 08:31:47 12,800 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
+ 2008-04-26 12:15:26 12,800 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
- 2008-04-09 08:31:47 473,600 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
+ 2008-04-26 12:15:27 473,600 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
- 2008-04-09 08:31:42 2,676,224 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-26 12:15:21 2,676,224 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-09 08:31:43 2,846,720 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-26 12:15:22 2,846,720 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-09 08:31:43 563,712 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-26 12:15:23 563,712 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-09 08:31:44 567,296 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-26 12:15:23 567,296 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-09 08:31:44 576,000 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-26 12:15:24 576,000 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-09 08:31:45 577,024 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-26 12:15:24 577,024 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-09 08:31:45 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-26 12:15:25 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-09 08:31:45 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-26 12:15:27 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-09 08:31:48 145,920 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
+ 2008-04-26 12:15:28 145,920 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
- 2008-04-09 08:31:48 159,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
+ 2008-04-26 12:15:28 159,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
- 2008-04-09 08:31:48 364,544 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
+ 2008-04-26 12:15:28 364,544 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
- 2008-04-09 08:31:49 178,176 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
+ 2008-04-26 12:15:29 178,176 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
- 2008-04-09 08:31:46 223,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
+ 2008-04-26 12:15:26 223,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
- 2008-04-25 17:43:37 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-26 11:29:49 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-02-05 23:45:26 2,222,800 ----a-w C:\WINDOWS\LastGood\system32\d3dx9_24.dll
+ 2005-03-18 21:19:58 2,337,488 ----a-w C:\WINDOWS\LastGood\system32\d3dx9_25.dll
+ 2005-05-26 19:34:52 2,297,552 ----a-w C:\WINDOWS\LastGood\system32\d3dx9_26.dll
+ 2005-07-22 23:59:04 2,319,568 ----a-w C:\WINDOWS\LastGood\system32\d3dx9_27.dll
+ 2005-12-05 22:09:18 2,323,664 ----a-w C:\WINDOWS\LastGood\system32\d3dx9_28.dll
+ 2005-12-05 22:07:30 61,136 ----a-w C:\WINDOWS\LastGood\system32\xinput9_1_0.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Service"="C:\WINDOWS\service.exe" [ ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Service"="C:\WINDOWS\service.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2006-02-28 08:00 33280 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2006-02-28 08:00 33280 C:\WINDOWS\system32\rundll32.exe]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 05:42 577536 C:\WINDOWS\soundman.exe]
"DiagAP8169"="C:\Program Files\MSI\LAN Utility\DiagAP8169 /hw" [ ]
"Media Codec Update Service"="C:\Program Files\Essentials Codec Pack\update.exe" [2007-04-08 12:44 303104]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"BDRegion"="C:\Program Files\Cyberlink\Shared Files\brs.exe" [2008-02-21 10:24 91432]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2008-01-22 14:23 81920]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 12:06 62760]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-01-25 21:58 4865600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Service"="C:\WINDOWS\service.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 16:32 8699904]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-09 18:21:38 147456]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 18:11:12 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\ff_vfw.dll
"vidc.wmv3"= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Empire at War Forces of Corruption\\swfoc.exe"=

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 20:22]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2008-01-18 23:01]
R2 LANPkt;Realtek LANPkt Protocol;C:\WINDOWS\system32\DRIVERS\LANPkt.sys [2003-09-17 15:57]
R2 PD91Agent;PD91Agent;"C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe" [2008-01-16 10:52]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-03 18:31]
R3 Diag69xp;Diag69xp;C:\WINDOWS\system32\Drivers\Diag69xp.sys [2003-09-02 11:25]
S3 PD91Engine;PD91Engine;"C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe" [2008-01-16 10:52]
S3 samhid;samhid;C:\WINDOWS\system32\drivers\samhid.sys [2006-01-07 12:09]
S3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\RTL8150.SYS [2006-05-10 16:22]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchEAW.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-14 13:24:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-06 21:39:32 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1207517937.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-04-26 11:32:53 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-26 11:05:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> ?:\WINDOWS\System32\CSCDLL.dll
.
Completion time: 2008-04-26 11:06:13
ComboFix-quarantined-files.txt 2008-04-26 15:06:06
ComboFix2.txt 2008-04-25 17:47:17

Pre-Run: 243,623,247,872 bytes free
Post-Run: 243,614,171,136 bytes free

307 --- E O F --- 2008-04-25 02:29:51

-------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:08 AM, on 4/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\MSI\LAN Utility\DiagAP8169.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DiagAP8169] C:\Program Files\MSI\LAN Utility\DiagAP8169 /hw
O4 - HKLM\..\Run: [Media Codec Update Service] "C:\Program Files\Essentials Codec Pack\update.exe" -silent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BDRegion] "C:\Program Files\Cyberlink\Shared Files\brs.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7488 bytes

#9
sarahw

Posted 26 April 2008 - 05:44 PM

Malware Staff

Member
2,781 posts

Hi,
Could you please open My Computer and navigate to C: and Zip a folder called Qoobox. There should be the original there, as well as a zipped file.

Please go to UploadMalware to upload the file.

Enter your username from this forum
Copy and paste the link to this thread
Browse for the zipped file (Qoobox)
In the comments, please mention that I asked you to upload this file
Click on Send File

#10
renaldoaoa

Posted 27 April 2008 - 01:38 PM

Member

Topic Starter
Member
35 posts

Zipped and sent.

Your file (QooBox.zip) was successfully submitted. If someone requested you submit this file please let them know that you have submitted the file.

#11
sarahw

Posted 28 April 2008 - 01:48 AM

Malware Staff

Member
2,781 posts

1.
First download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program

Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
- Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
- Select "Automatically generate report after every scan"
- Un-Select "Only if threats were found"

Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.

2.
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
Do not Run it yet, we will use it later. Save it somewhere you will remember, like your desktop.

3.
Reboot into Safe Mode by continuously tapping the F8 key as soon as the computer begins to boot. A menu should come up where you will be given the option to enter Safe Mode.

4.
Please open ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

5.

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:
Lauch AVG Anti-Spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.

5.
Click HERE and run an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases

[*]Click OK
[*]Now under select a target to scan:Select My Computer
[*]This will program will start and scan your system.
[*]The scan will take a while so be patient and let it run.
[*]Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
[*]Save the file to your desktop.
[*]Copy and paste that information into your next post.
[/list]

#12
renaldoaoa

Posted 29 April 2008 - 05:47 PM

Member

Topic Starter
Member
35 posts

ATF'd and...

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:06:02 PM 4/29/2008

+ Scan result:

Nothing found.

::Report end

--------------------------------------------------------
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, April 29, 2008 7:43:26 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/04/2008
Kaspersky Anti-Virus database records: 731917
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 102321
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 00:48:00

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\CyberLink\BDNAV\BRF.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\logout.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{9D600E0B-A059-46AB-A8AA-7F6D8654E57F}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR1.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-03252008-135809.log Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS007BF2CF-0FD4-494D-B95B-42C184444BFA.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS0B461552-A409-42D1-82A9-BA447EBEF0F2.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS0DE040B6-10AF-493D-A1C9-6E3034026BD4.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS0E6DE6DF-512D-40DD-9498-C00041DADAC3.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS16E0FFDB-9C5F-4CDC-9900-3516DEEC6039.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS175B4929-9942-4646-A6F5-F9F4EA4F86CE.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS1EA74046-E85A-42C1-9433-25C0292BF2FE.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS20A93BDF-86FC-4DD9-BED8-324C1BCECBD1.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS237849A6-7498-4429-AC50-D4EDD2F1C296.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS2A2944CE-95E9-4908-B325-DA3B09C6D0C5.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS2CE67F64-E77E-4678-9F84-C012D579A2D9.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS31E92F4C-030B-4B71-BEE3-6E167A33A773.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS38740D73-7B66-43CC-93D1-1CF8D973ADE2.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS3B122847-9B95-4FB5-92ED-6C4A37F1BE30.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS3B27C3B5-FC13-47AF-BC69-7E9B7E9340B9.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS46C10291-79FE-4850-8DB6-6486CED963C1.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS48FD75F6-97FE-402B-8E81-262E9D1EFD41.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS49DBF0C3-8C1C-476B-8840-BD3F14AE9EE5.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS4CE8B269-FC8C-4C48-86EB-A325C91285C0.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS4EA1B97A-0B93-4F5A-AEA1-05864C0197FB.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS4F03CCC5-F8AC-47A0-B8BC-6EBEF2D9D2E1.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS52AED953-6AB7-4AE2-997D-3DCB05102EBF.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS56129177-BB89-43C8-B6C9-CBB5767D5754.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS5790F557-8ED4-4047-9437-2024DB227BA5.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS57D759D9-8303-4CDC-88DE-B6DE2DA097C4.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS584F31E7-E27C-4638-B9FA-BB22911A36F6.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS5F1F721B-C1F6-4272-A6A8-99D84A5831ED.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS60D2AE99-4890-430D-93F5-D3155F7CBA1A.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS6465E121-A1E8-48E2-8BAD-11271EC2837E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS64C126CD-F3D1-4B15-8C12-86E1A5042D45.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS6755AD8E-79D7-4095-96A7-FCA17C969D39.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS6CFBB340-5D7E-4180-8518-037E01B9FF15.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS6F0496D2-FD7F-4F12-B27A-F3212037F146.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS72716889-A40E-4237-B652-8AF69DE276ED.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS7A9947CF-8B39-4E97-A2E2-EBF4A62F1225.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS7B4A3B1F-8749-464F-AA6F-D77E4BBFD79A.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS7CA707F7-189E-4A20-ACFB-2C3C58769CD8.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS7D974E8C-0F64-41DA-B479-0B6CF4138207.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS8102A898-90A9-4CCC-9E02-6964977D479F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS8553DFFD-B411-4A80-9291-F048A0C6EFE5.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS86DE75C4-1A29-414F-9693-6C06F29601F1.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS86FA7832-9112-4FFA-AF54-C1C3E5183B36.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS8AC1903C-E0CE-4998-A5C6-C84D600AFAB3.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS8F536670-537A-4216-B45B-FE0D48E3FB25.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS90665405-D6CE-4504-9F65-F7ADC8838887.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS90A85165-AFF5-4AD5-8AC0-7C5B1E873CF3.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS943DD65D-D2CA-4925-8539-FE05219CE4C2.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS94C3E9B5-B31F-4237-9467-A06EF0613616.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS9552CE88-41D0-46E5-86EA-3B524D89914F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS96206BC4-03B4-44D9-9605-AF8BF1181E65.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS9C1B5839-0D93-4274-A430-8D22C373F6B4.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS9C6DAEB9-127C-4430-BB56-E88B47DC4796.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS9D334DB7-C809-4CA1-885F-738D41DDD214.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS9E71A7DA-AD7E-4F93-99B2-425FFEBB4C4D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS9EAADE26-1E80-46A8-AE7D-A240BDB45A2D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSA2CEF499-60B8-46E3-9BC4-CF6BC92531E3.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSA6808199-4F7B-4A45-98C0-13F0E413A233.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSAA56BED7-3E4F-4375-A3F4-A10387761683.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSACF7AE9A-EEC8-47F3-AC95-BD85C8285A53.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSAEF59D77-5186-47A2-B63A-8F67E2FDA0CB.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSB014FEE2-CDBA-4327-A9F2-69C4E38A129C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSB49EFB91-6F69-43D4-ADCF-AEA54BDA088A.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSB6CD1AC0-1B7D-43B7-94EE-6A8ACB4172B9.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSB8B477C4-1D49-4F89-B8E5-8D631726A9FF.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSBEB8A7CF-548C-41BB-93E4-92FD0667447F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC0E8D320-955D-46BD-B262-4DC130885791.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC299C186-E7AB-4266-9605-19B27474B691.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC3F9D04C-FE1C-4B14-AA46-3492DAD41898.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC4543E67-4487-4C7F-AAF7-D8136029D898.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC7BAA962-F627-4170-B227-E27D17C86459.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC7E6090F-A8D3-47BB-AAD8-593F95B488C8.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC8EC9CA9-D2C3-4F9E-8D01-E5F8B1769D4E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC9D87DE4-0477-43ED-AC2F-3A06D829BD0E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSCD8272A8-BDB9-4611-8C95-25DA5DCBC9C1.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSD56BC20A-2C1B-4CCD-AE96-D17B5DDAFCC7.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSD718A79E-B73F-4DEC-9F03-178099642E38.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSD8886F84-BACE-40D1-A4C5-508068F7F003.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSD8A86B3D-94E7-4D5B-A0A2-253CC6C5F5F5.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSD9131193-8A50-40C1-8747-7D6CC5F52831.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSDB8A3975-0A6E-461C-9DEB-8D4B6B7BBCD4.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSDD5BDB7B-5B71-4767-B77D-99383208BE2A.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSE2762BCF-0386-4CD4-96F0-E246E64F39BA.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSE66B156A-040D-48D2-A070-1756EE592F01.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSE96A93EE-1236-40D3-91A5-817B6A07298D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSEA4FE90F-982E-45C7-98E7-4683C8BC48A9.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSEAA6FB3A-E641-4E09-BD62-FB385D5DBC92.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSEBBEC674-390E-4071-A4F3-FA3E05591CDC.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSEF2B3456-285D-40D8-B0B4-4AAE7BCD7D89.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSF9D6CA80-D120-473E-A586-FCC08758784C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSFAE2B6E3-7A3A-4ED8-B4EB-0A38B1065964.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSFE0F4ECF-9A59-45EA-85F6-A62491772470.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Webroot\Spy Sweeper\Logs\080429181317.ses Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{36529858-688D-43E5-9B7F-841582DAF3D8} Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.mst Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{71666199-421D-4144-85D0-301A510D4919}\RP106\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{6D523940-6679-47BB-9053-C047A28FF712}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcafee_00YVOa56gBNN74p Object is locked skipped
C:\WINDOWS\Temp\mcafee_4PGXRvcD8aUBXk9 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_2s7i9udtxoncRcr Object is locked skipped
C:\WINDOWS\Temp\mcmsc_IlXhx3B5HdbejoU Object is locked skipped
C:\WINDOWS\Temp\mcmsc_InUeGt62ze1U1NU Object is locked skipped
C:\WINDOWS\Temp\mcmsc_lTMhztyDGjbxsEP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\7010d8308db009d033\common\spcustom.dll Object is locked skipped
F:\7010d8308db009d033\common\spmsg.dll Object is locked skipped
F:\7010d8308db009d033\common\spuninst.exe Object is locked skipped
F:\7010d8308db009d033\common\update.exe Object is locked skipped
F:\7010d8308db009d033\sp1\update\KB824141.cat Object is locked skipped
F:\7010d8308db009d033\sp1\update\update.inf Object is locked skipped
F:\7010d8308db009d033\sp1\update\update.ver Object is locked skipped
F:\7010d8308db009d033\sp1\user32.dll Object is locked skipped
F:\7010d8308db009d033\sp1\win32k.sys Object is locked skipped
F:\7010d8308db009d033\sp2\spmsg.dll Object is locked skipped
F:\7010d8308db009d033\sp2\spuninst.exe Object is locked skipped
F:\7010d8308db009d033\sp2\update\KB824141.cat Object is locked skipped
F:\7010d8308db009d033\sp2\update\spcustom.dll Object is locked skipped
F:\7010d8308db009d033\sp2\update\update.exe Object is locked skipped
F:\7010d8308db009d033\sp2\update\update.inf Object is locked skipped
F:\7010d8308db009d033\sp2\update\update.ver Object is locked skipped
F:\7010d8308db009d033\sp2\user32.dll Object is locked skipped
F:\7010d8308db009d033\sp2\win32k.sys Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\html32.cnv Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\locator.exe Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\magnify.exe Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\migwiz.exe Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\mrxsmb.sys Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\msconv97.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\narrator.exe Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\newdev.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\ntdll.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\ntkrnlpa.exe Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\ntoskrnl.exe Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\osk.exe Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\pchshell.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\raspptp.sys Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\shmedia.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\srrstr.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\srv.sys Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\sysmain.sdb Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\user32.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\win32k.sys Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\winsrv.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\zipfldr.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\migregdb.exe Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB837001$\msjet40.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB837001$\msjint40.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB837001$\msjter40.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB837001$\msltus40.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB837001$\mspbde40.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB837001$\msrd2x40.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB837001$\msrd3x40.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB837001$\msrepl40.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB837001$\mstext40.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB837001$\mswdat10.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB837001$\mswstr10.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB837001$\msxbde40.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB837001$\vbajet32.dll Object is locked skipped

Scan process completed.

#13
sarahw

Posted 30 April 2008 - 12:57 AM

Malware Staff

Member
2,781 posts

1. Please download The Avenger by Swandog46 to your Desktop.

Right click on the Avenger.zip folder and select "Extract All..."
Follow the prompts and extract the avenger folder to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\BM5fc9406b.xml
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\QTFont.for
C:\WINDOWS\service.exe

Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices | Service

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

Right click on the window under Input script here:, and select Paste.
You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
Click on Execute
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh Hijackthis log .

Edited by sarahw, 30 April 2008 - 08:50 PM.

#14
renaldoaoa

Posted 30 April 2008 - 07:42 PM

Member

Topic Starter
Member
35 posts

I had an error after I hit execute, when this happened I had the option to continue or cancel, so I just canceled it.

http://img253.images...error1stty9.jpg