Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

win32/conhook.d removal? [CLOSED]


  • This topic is locked This topic is locked

#16
renaldoaoa

renaldoaoa

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Rebooted one time.

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Wed Apr 30 21:37:02 2008

21:36:20: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Service"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry key deletion mode)
21:37:01: Error: Execution aborted by user!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\BM5fc9406b.xml" deleted successfully.
File "C:\WINDOWS\QTFont.qfn" deleted successfully.
File "C:\WINDOWS\QTFont.for" deleted successfully.

Error: file "C:\WINDOWS\service.exe" not found!
Deletion of file "C:\WINDOWS\service.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices | Service" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices | Service" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.
-----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:33:00 AM, on 5/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\MSI\LAN Utility\DiagAP8169.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DiagAP8169] C:\Program Files\MSI\LAN Utility\DiagAP8169 /hw
O4 - HKLM\..\Run: [Media Codec Update Service] "C:\Program Files\Essentials Codec Pack\update.exe" -silent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BDRegion] "C:\Program Files\Cyberlink\Shared Files\brs.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7657 bytes
  • 0

Advertisements


#17
sarahw

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
Can you please run combofix again and post a log in a reply.
  • 0

#18
renaldoaoa

renaldoaoa

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Macfee pop up showed elcor test blocked. Again after running combo I could only see the destkop (no icons) and could only use task manager and had to restart. Upon restart everything was back to normal.

ComboFix 08-04-24.1 - Owner 2008-05-02 5:39:45.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1007 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\inst.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-02 to 2008-05-02 )))))))))))))))))))))))))))))))
.

2008-04-30 09:19 . 2008-04-30 09:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sandlot Games
2008-04-30 09:19 . 2008-04-30 09:19 4,096 --a------ C:\WINDOWS\d3dx.dat
2008-04-30 09:18 . 2008-04-30 09:18 <DIR> d-------- C:\WINDOWS\Westward II Heroes of the Frontier [h33t] [oi812heet]
2008-04-30 09:18 . 2008-04-30 11:47 <DIR> d-------- C:\Program Files\Westward II Heroes of the Frontier [h33t] [oi812heet]
2008-04-29 22:43 . 2008-04-29 22:43 <DIR> d-------- C:\Program Files\Paradox Interactive
2008-04-29 18:37 . 2008-04-29 18:37 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-29 18:37 . 2008-04-29 18:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-29 16:46 . 2008-04-29 16:46 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-04-29 16:37 . 2008-04-29 16:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-04-29 16:37 . 2008-04-29 16:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-29 16:19 . 2008-04-29 16:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Touchstone
2008-04-29 15:47 . 2008-04-29 15:47 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Leadertech
2008-04-29 15:30 . 2008-04-29 15:30 <DIR> d-------- C:\Program Files\Touchstone
2008-04-29 15:28 . 2008-04-29 15:47 926 --a------ C:\WINDOWS\disney.ini
2008-04-27 15:46 . 2008-04-27 15:46 <DIR> d-------- C:\Program Files\Bethesda Softworks
2008-04-26 12:21 . 2008-04-26 12:22 <DIR> d-------- C:\Program Files\MagicISO
2008-04-26 08:15 . 2008-04-26 08:15 <DIR> d-------- C:\Program Files\2K Games
2008-04-25 13:40 . 2008-04-25 13:40 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-04-24 12:18 . 2008-04-24 12:18 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-24 12:17 . 2008-04-24 13:11 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-24 12:17 . 2008-04-24 12:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-24 12:14 . 2008-04-24 12:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-23 07:07 . 2008-04-23 07:07 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Webroot
2008-04-22 16:40 . 2008-04-22 16:40 <DIR> d-------- C:\Program Files\Kalypso
2008-04-21 16:34 . 2008-04-21 16:34 <DIR> d-------- C:\Documents and Settings\Owner\Logs
2008-04-21 16:27 . 2008-04-21 16:27 <DIR> d-------- C:\Logs
2008-04-21 13:13 . 2008-04-22 16:50 <DIR> d-------- C:\Program Files\World of Warcraft
2008-04-21 13:13 . 2008-04-21 13:13 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-04-16 17:53 . 2008-04-16 17:53 <DIR> d-------- C:\Program Files\Webroot
2008-04-16 17:53 . 2008-04-16 17:53 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-04-16 17:53 . 2008-04-16 17:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-04-16 17:53 . 2007-01-25 21:57 144,448 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-04-16 17:53 . 2007-01-25 21:57 22,080 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-04-16 17:53 . 2007-01-25 21:57 21,056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-04-16 17:53 . 2007-01-25 21:57 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2008-04-16 17:51 . 2008-04-16 17:51 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Webroot
2008-04-16 16:23 . 2008-04-16 16:23 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\McAfee
2008-04-13 22:21 . 2008-04-14 13:54 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Petroglyph
2008-04-13 22:19 . 2008-04-13 22:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\LucasArts
2008-04-13 22:19 . 2008-04-13 22:19 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-04-13 22:12 . 2008-04-14 13:43 <DIR> d-------- C:\Program Files\LucasArts
2008-04-13 12:36 . 2008-04-13 12:40 <DIR> d-------- C:\Program Files\illusion
2008-04-13 10:49 . 2008-04-13 12:24 3,020 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-13 09:25 . 2008-04-13 09:25 49 --a------ C:\smp.bat
2008-04-13 02:35 . 2008-04-29 15:30 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-04-13 02:35 . 2008-04-29 15:30 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-04-13 02:29 . 2008-04-13 02:29 <DIR> d-------- C:\WINDOWS\Crusaders - Thy Kingdom Come
2008-04-13 02:29 . 2008-04-13 02:29 <DIR> d-------- C:\NeocoreGames
2008-04-09 04:30 . 2008-04-09 04:30 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\InstallShield
2008-04-09 04:13 . 2008-04-09 04:13 <DIR> d-------- C:\Program Files\Firaxis Games
2008-04-09 04:12 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-04-08 18:43 . 2008-05-02 05:38 <DIR> d-------- C:\Program Files\BOINC
2008-04-06 17:39 . 2008-04-06 17:39 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Hewlett-Packard
2008-04-06 17:37 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-04-06 17:37 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-04-06 17:37 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-06 17:37 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-04-06 17:37 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-04-06 17:37 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-04-06 17:35 . 2008-04-06 17:35 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-04-06 17:35 . 2008-04-06 17:35 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-04-06 17:34 . 2008-04-06 17:38 19,558 --a------ C:\WINDOWS\hpoins01.dat
2008-04-06 17:34 . 2003-04-22 10:24 16,606 --------- C:\WINDOWS\hpomdl01.dat
2008-04-05 17:22 . 2008-04-05 17:22 <DIR> d-------- C:\Program Files\TechSmith
2008-04-05 17:22 . 2008-04-05 17:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TechSmith
2008-04-05 17:21 . 2008-04-29 15:30 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-04 14:55 . 2008-04-04 14:55 <DIR> d-------- C:\Program Files\Common Files\ChessBase
2008-04-04 14:53 . 2008-04-04 14:55 <DIR> d-------- C:\Program Files\ChessBase
2008-04-03 20:37 . 2008-04-03 20:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Jane s Hotel Family Hero
2008-04-03 20:36 . 2008-04-03 20:36 <DIR> d-------- C:\WINDOWS\Jane's Hotel. Family Hero
2008-04-03 18:37 . 2008-04-03 18:37 <DIR> d-------- C:\Program Files\LG Drivers
2008-04-03 18:37 . 2005-06-24 18:36 39,036 --a------ C:\WINDOWS\system32\drivers\lgusbmodem.sys
2008-04-03 18:37 . 2005-05-26 11:01 38,144 --a------ C:\WINDOWS\system32\drivers\lgusbdiag.sys
2008-04-03 18:37 . 2005-05-26 11:01 21,344 --a------ C:\WINDOWS\system32\drivers\lgusbbus.sys
2008-04-03 18:15 . 2008-04-03 18:16 <DIR> d-------- C:\Program Files\BitPim
2008-04-03 15:45 . 2008-04-03 16:12 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\ChessBase

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-30 13:17 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-04-30 02:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-26 15:34 --------- d-----w C:\Program Files\eMule
2008-04-21 20:32 --------- d-----w C:\Program Files\McAfee
2008-04-21 16:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-17 21:39 --------- d-----w C:\Documents and Settings\Owner\Application Data\Vso
2008-04-16 20:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-11 18:46 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-03-28 17:25 --------- d-----w C:\Program Files\MySpace
2008-03-28 17:25 --------- d-----w C:\Documents and Settings\Owner\Application Data\MySpace
2008-03-28 16:57 --------- d-----w C:\Program Files\Game Elements
2008-03-27 20:58 --------- d-----w C:\Documents and Settings\Owner\Application Data\CyberLink
2008-03-27 20:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-03-27 20:55 --------- d-----w C:\Program Files\CyberLink
2008-03-27 20:53 505,392 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-03-27 20:23 --------- d-----w C:\Documents and Settings\Owner\Application Data\DivX
2008-03-26 05:46 --------- d--h--w C:\Documents and Settings\All Users\Application Data\{0E8E33D8-193A-414A-A909-0F101A142D26}
2008-03-26 05:44 --------- d-----w C:\Program Files\Stardock Games
2008-03-26 05:40 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-03-26 05:37 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-03-26 05:37 --------- d-----w C:\Documents and Settings\Owner\Application Data\DAEMON Tools
2008-03-26 05:33 --------- d-----w C:\Program Files\[bleep] NFO Viewer
2008-03-25 20:18 --------- d-----w C:\Program Files\Raxco
2008-03-25 20:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Raxco
2008-03-25 19:44 --------- d-----w C:\Program Files\Common Files\McAfee
2008-03-25 19:07 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-03-25 19:07 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
2008-03-25 19:07 --------- d-----w C:\Program Files\VSO
2008-03-25 18:53 --------- d-----w C:\Program Files\uTorrent
2008-03-25 18:32 --------- d-----w C:\Program Files\VideoLAN
2008-03-25 18:32 --------- d-----w C:\Documents and Settings\Owner\Application Data\vlc
2008-03-25 17:58 --------- d-----w C:\Program Files\Windows Defender
2008-03-25 17:31 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-25 17:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-25 17:18 --------- d-----w C:\Program Files\McAfee.com
2008-03-25 17:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-25 17:03 --------- d-----w C:\Program Files\Java
2008-03-21 22:42 --------- d-----w C:\Program Files\Bonjour
2008-03-21 22:42 --------- d-----w C:\Program Files\Apple Software Update
2008-03-21 22:41 --------- d-----w C:\Program Files\Common Files\Apple
2008-03-21 22:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-03-21 22:40 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2008-03-21 22:39 --------- d-----w C:\Program Files\Common Files\Java
2008-03-21 22:38 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-21 22:38 --------- d-----w C:\Program Files\BurnAware Free Edition
2008-03-21 22:37 --------- d-----w C:\Program Files\7-Zip
2008-03-21 22:23 --------- d-----w C:\Program Files\PKWARE
2008-03-21 22:23 --------- d-----w C:\Program Files\Essentials Codec Pack
2008-03-21 22:23 --------- d-----w C:\Program Files\DivX
2008-03-21 22:23 --------- d-----w C:\Program Files\Common Files\PKWARE
2008-03-21 22:22 --------- d-----w C:\Program Files\Combined Community Codec Pack
2008-03-21 22:21 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-03-21 22:03 --------- d-----w C:\Program Files\VIA
2008-03-21 22:02 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-21 22:01 --------- d-----w C:\Program Files\MSI
2008-03-21 22:00 --------- d-----w C:\Program Files\Realtek Sound Manager
2008-03-21 22:00 --------- d-----w C:\Program Files\Realtek AC97
2008-03-21 22:00 --------- d-----w C:\Program Files\AvRack
2008-03-21 21:59 --------- d-----w C:\Program Files\MSBuild
2008-03-21 21:59 --------- d-----w C:\Program Files\AMD
2008-03-21 21:56 --------- d-----w C:\Program Files\Reference Assemblies
2008-03-21 21:54 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-21 21:17 --------- d-----w C:\Program Files\MSXML 6.0
2008-03-21 20:20 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-04 18:00 811,776 ----a-w C:\WINDOWS\boinc.scr
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((( snapshot_2008-04-26_11.05.52.85 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-26 12:15:26 53,248 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
+ 2008-04-30 02:45:44 53,248 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
- 2008-04-26 12:15:26 12,800 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
+ 2008-04-30 02:45:44 12,800 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
- 2008-04-26 12:15:27 473,600 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
+ 2008-04-30 02:45:45 473,600 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
- 2008-04-26 12:15:21 2,676,224 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-30 02:45:38 2,676,224 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-26 12:15:22 2,846,720 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-30 02:45:38 2,846,720 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-26 12:15:23 563,712 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-30 02:45:39 563,712 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-26 12:15:23 567,296 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-30 02:45:40 567,296 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-26 12:15:24 576,000 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-30 02:45:40 576,000 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-26 12:15:24 577,024 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-30 02:45:41 577,024 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-26 12:15:25 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-30 02:45:41 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-26 12:15:27 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-30 02:45:42 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-09 08:31:46 578,560 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-30 02:45:42 578,560 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-09 08:31:48 578,560 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-30 02:45:45 578,560 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-26 12:15:28 145,920 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
+ 2008-04-30 02:45:45 145,920 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
- 2008-04-26 12:15:28 159,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
+ 2008-04-30 02:45:46 159,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
- 2008-04-26 12:15:28 364,544 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
+ 2008-04-30 02:45:46 364,544 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
- 2008-04-26 12:15:29 178,176 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
+ 2008-04-30 02:45:46 178,176 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
- 2008-04-26 12:15:26 223,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
+ 2008-04-30 02:45:43 223,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
- 2008-04-26 11:29:49 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-01 09:29:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2007-01-06 02:23:02 58,920 ----a-w C:\WINDOWS\system32\AgCPanelFrench.dll
+ 2007-07-23 13:03:30 53,248 ----a-w C:\WINDOWS\system32\AgCPanelFrench.dll
- 2007-01-06 02:23:02 58,920 ----a-w C:\WINDOWS\system32\AgCPanelGerman.dll
+ 2007-07-23 13:03:30 53,248 ----a-w C:\WINDOWS\system32\AgCPanelGerman.dll
- 2007-01-06 02:23:02 58,920 ----a-w C:\WINDOWS\system32\AgCPanelJapanese.dll
+ 2007-07-23 13:03:30 53,248 ----a-w C:\WINDOWS\system32\AgCPanelJapanese.dll
- 2007-01-06 02:23:02 58,920 ----a-w C:\WINDOWS\system32\AgCPanelKorean.dll
+ 2007-07-23 13:03:30 53,248 ----a-w C:\WINDOWS\system32\AgCPanelKorean.dll
- 2007-01-06 02:23:02 58,920 ----a-w C:\WINDOWS\system32\AgCPanelPortugese.dll
+ 2007-07-23 13:03:30 53,248 ----a-w C:\WINDOWS\system32\AgCPanelPortugese.dll
- 2007-01-06 02:23:04 58,920 ----a-w C:\WINDOWS\system32\AgCPanelSimplifiedChinese.dll
+ 2007-07-23 13:03:30 53,248 ----a-w C:\WINDOWS\system32\AgCPanelSimplifiedChinese.dll
- 2007-01-06 02:23:04 58,920 ----a-w C:\WINDOWS\system32\AgCPanelSpanish.dll
+ 2007-07-23 13:03:32 53,248 ----a-w C:\WINDOWS\system32\AgCPanelSpanish.dll
- 2007-01-06 02:23:06 58,920 ----a-w C:\WINDOWS\system32\AgCPanelSwedish.dll
+ 2007-07-23 13:03:32 53,248 ----a-w C:\WINDOWS\system32\AgCPanelSwedish.dll
- 2007-01-06 02:23:06 58,920 ----a-w C:\WINDOWS\system32\AgCPanelTraditionalChinese.dll
+ 2007-07-23 13:03:32 53,248 ----a-w C:\WINDOWS\system32\AgCPanelTraditionalChinese.dll
+ 2007-10-15 13:40:08 207,405 ----a-w C:\WINDOWS\system32\AGEIA\AG1011\app.bin
+ 2007-10-15 13:40:10 122,249 ----a-w C:\WINDOWS\system32\AGEIA\AG1011\diag.bin
+ 2007-10-15 13:40:10 214,141 ----a-w C:\WINDOWS\system32\AGEIA\AG1021\app.bin
+ 2007-10-25 12:29:50 114,505 ----a-w C:\WINDOWS\system32\AGEIA\AG1021\diag.bin
+ 2007-05-16 20:45:16 1,124,720 ----a-w C:\WINDOWS\system32\D3DCompiler_34.dll
+ 2007-07-19 22:14:42 1,358,192 ----a-w C:\WINDOWS\system32\D3DCompiler_35.dll
+ 2007-10-12 19:14:00 1,374,232 ----a-w C:\WINDOWS\system32\D3DCompiler_36.dll
+ 2007-05-16 20:45:16 443,752 ----a-w C:\WINDOWS\system32\d3dx10_34.dll
+ 2007-07-19 22:14:42 444,776 ----a-w C:\WINDOWS\system32\d3dx10_35.dll
+ 2007-10-02 13:56:34 444,776 ----a-w C:\WINDOWS\system32\d3dx10_36.dll
+ 2007-05-16 20:45:16 3,497,832 ----a-w C:\WINDOWS\system32\d3dx9_34.dll
+ 2007-07-19 22:14:42 3,727,720 ----a-w C:\WINDOWS\system32\d3dx9_35.dll
+ 2007-10-12 19:14:00 3,734,536 ----a-w C:\WINDOWS\system32\d3dx9_36.dll
+ 2007-09-13 11:43:00 120,320 -c--a-w C:\WINDOWS\system32\DRVSTORE\PhysX32_FFB51AAB1A2BF852A002A5B1138133BBA89337D4\physX32.sys
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2007-01-12 20:48:16 71,208 ----a-w C:\WINDOWS\system32\PhysXLoader.dll
+ 2008-01-18 15:05:56 70,944 ----a-w C:\WINDOWS\system32\PhysXLoader.dll
+ 2007-10-22 07:37:16 17,928 ----a-w C:\WINDOWS\system32\X3DAudio1_2.dll
+ 2007-10-22 07:39:54 267,272 ----a-w C:\WINDOWS\system32\xactengine2_10.dll
+ 2007-06-21 00:46:04 266,088 ----a-w C:\WINDOWS\system32\xactengine2_8.dll
+ 2007-07-20 04:57:12 267,112 ----a-w C:\WINDOWS\system32\xactengine2_9.dll
+ 2008-04-30 13:18:41 451,072 ----a-w C:\WINDOWS\Westward II Heroes of the Frontier [h33t] [oi812heet]\uninstall.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2006-02-28 08:00 33280 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2006-02-28 08:00 33280 C:\WINDOWS\system32\rundll32.exe]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 05:42 577536 C:\WINDOWS\soundman.exe]
"DiagAP8169"="C:\Program Files\MSI\LAN Utility\DiagAP8169 /hw" [ ]
"Media Codec Update Service"="C:\Program Files\Essentials Codec Pack\update.exe" [2007-04-08 12:44 303104]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"BDRegion"="C:\Program Files\Cyberlink\Shared Files\brs.exe" [2008-02-21 10:24 91432]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2008-01-22 14:23 81920]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 12:06 62760]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-01-25 21:58 4865600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 16:32 8699904]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-09 18:21:38 147456]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 18:11:12 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\ff_vfw.dll
"vidc.wmv3"= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Empire at War Forces of Corruption\\swfoc.exe"=

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 20:22]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2008-01-18 23:01]
R2 LANPkt;Realtek LANPkt Protocol;C:\WINDOWS\system32\DRIVERS\LANPkt.sys [2003-09-17 15:57]
R2 PD91Agent;PD91Agent;"C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe" [2008-01-16 10:52]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-03 18:31]
R3 Diag69xp;Diag69xp;C:\WINDOWS\system32\Drivers\Diag69xp.sys [2003-09-02 11:25]
S3 PD91Engine;PD91Engine;"C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe" [2008-01-16 10:52]
S3 samhid;samhid;C:\WINDOWS\system32\drivers\samhid.sys [2006-01-07 12:09]
S3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\RTL8150.SYS [2006-05-10 16:22]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchEAW.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-28 13:24:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-06 21:39:32 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1207517937.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-05-02 04:00:11 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-02 05:42:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
Completion time: 2008-05-02 5:43:17
ComboFix-quarantined-files.txt 2008-05-02 09:43:07
ComboFix2.txt 2008-04-26 15:06:14
ComboFix3.txt 2008-04-25 17:47:17

Pre-Run: 236,029,276,160 bytes free
Post-Run: 236,047,736,832 bytes free

334 --- E O F --- 2008-05-02 09:26:44

Edited by renaldoaoa, 02 May 2008 - 03:53 AM.

  • 0

#19
sarahw

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\service.exe

Registry values to delete:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  | Service
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices | Service
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices | Service

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh Hijackthis log .
  • 0

#20
renaldoaoa

renaldoaoa

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
I get the same error as I did before.

New screen shot, but same error.
http://img187.images...logmay05tv8.jpg

Seems like we're stuck here? Would changing the prefetch settings cause a problem?
  • 0

#21
sarahw

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
Run it again, if that error comes up click OK.
  • 0

#22
renaldoaoa

renaldoaoa

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Mon May 05 00:07:00 2008

00:06:56: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Service"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry value deletion mode)
00:07:00: Error: Execution aborted by user!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Thu May 08 21:44:38 2008

21:44:25: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Service"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry value deletion mode)
21:44:27: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|Service"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry value deletion mode)


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\WINDOWS\service.exe" not found!
Deletion of file "C:\WINDOWS\service.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not delete registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|Service"
Deletion of registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|Service" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:49:34 PM, on 5/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\MSI\LAN Utility\DiagAP8169.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DiagAP8169] C:\Program Files\MSI\LAN Utility\DiagAP8169 /hw
O4 - HKLM\..\Run: [Media Codec Update Service] "C:\Program Files\Essentials Codec Pack\update.exe" -silent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BDRegion] "C:\Program Files\Cyberlink\Shared Files\brs.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8029 bytes
  • 0

#23
sarahw

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
The last time we ran combofix it didn't work because the filename was wrong.
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt.txt
It should be saved as CFScript.txt


1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\service.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1BA8C76D-27F5-4A5D-BC48-066AB64E0394}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Service"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Service"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"5cfa73f7"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Service"=-



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Edited by sarahw, 09 May 2008 - 04:38 AM.

  • 0

#24
renaldoaoa

renaldoaoa

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Ok, I went step by step per your instructions.

Click Start , then Run
Type notepad.exe in the Run Box.

I copy and pasted.....
File::
C:\WINDOWS\service.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1BA8C76D-27F5-4A5D-BC48-066AB64E0394}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Service"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Service"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"5cfa73f7"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Service"=-

I then did a "save as" and copy and pasted CFScript.txt into the files name, save as type is default "text document .txt", and encoding is default ANSI.
A text document is now on my desktop named CFScript and looks exactly like the animation on step 4. I also dragged and drop the file exactly as shown in the animation.
I had to download a fresh copy of combofix cause I guess it was out of date.
When it ran mcafee found elcar test and removed it.
I saved the log to desktop but again I wasn't able to see or do anything in windows except pull up taskmanager to restart.

Few things to note.
I don't have a file in windows named service. The text document name is CFScript and is a .txt file that looks exactly like the animation, it's name is not CFScript.txt and is a txt file.

If I did something wrong before I hope I did it correctly this time.

Just for FYI purposes, I have a video camera that I can hold and video the screen as it goes through the process if it's needed.


ComboFix 08-05-07.1 - Owner 2008-05-09 9:23:13.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1042 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\service.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\smp.bat

.
((((((((((((((((((((((((( Files Created from 2008-04-09 to 2008-05-09 )))))))))))))))))))))))))))))))
.

2008-05-07 12:53 . 2008-05-07 12:53 <DIR> d-------- C:\Program Files\Ventrilo
2008-05-07 12:53 . 2008-05-07 12:54 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Ventrilo
2008-05-05 03:13 . 2008-05-05 03:13 <DIR> d-------- C:\Program Files\City Interactive
2008-05-02 13:30 . 2008-05-02 13:30 <DIR> d-------- C:\Program Files\Sierra Online
2008-05-02 13:30 . 2008-05-02 13:30 <DIR> dr-h----- C:\Documents and Settings\Owner\Application Data\SecuROM
2008-04-30 09:19 . 2008-04-30 09:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sandlot Games
2008-04-30 09:19 . 2008-04-30 09:19 4,096 --a------ C:\WINDOWS\d3dx.dat
2008-04-30 09:18 . 2008-04-30 09:18 <DIR> d-------- C:\WINDOWS\Westward II Heroes of the Frontier [h33t] [oi812heet]
2008-04-30 09:18 . 2008-04-30 11:47 <DIR> d-------- C:\Program Files\Westward II Heroes of the Frontier [h33t] [oi812heet]
2008-04-29 22:43 . 2008-04-29 22:43 <DIR> d-------- C:\Program Files\Paradox Interactive
2008-04-29 18:37 . 2008-04-29 18:37 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-29 18:37 . 2008-04-29 18:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-29 16:46 . 2008-04-29 16:46 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-04-29 16:37 . 2008-04-29 16:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-04-29 16:37 . 2008-04-29 16:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-29 16:19 . 2008-05-02 13:02 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Touchstone
2008-04-29 15:47 . 2008-04-29 15:47 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Leadertech
2008-04-29 15:30 . 2008-04-29 15:30 <DIR> d-------- C:\Program Files\Touchstone
2008-04-29 15:28 . 2008-05-02 13:03 120 --a------ C:\WINDOWS\disney.ini
2008-04-27 15:46 . 2008-04-27 15:46 <DIR> d-------- C:\Program Files\Bethesda Softworks
2008-04-26 12:21 . 2008-04-26 12:22 <DIR> d-------- C:\Program Files\MagicISO
2008-04-26 08:15 . 2008-04-26 08:15 <DIR> d-------- C:\Program Files\2K Games
2008-04-25 13:40 . 2008-05-09 09:23 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-04-24 12:18 . 2008-04-24 12:18 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-24 12:17 . 2008-05-03 03:18 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-24 12:17 . 2008-04-24 12:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-24 12:14 . 2008-04-24 12:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-23 07:07 . 2008-04-23 07:07 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Webroot
2008-04-22 16:40 . 2008-04-22 16:40 <DIR> d-------- C:\Program Files\Kalypso
2008-04-21 16:34 . 2008-04-21 16:34 <DIR> d-------- C:\Documents and Settings\Owner\Logs
2008-04-21 16:27 . 2008-04-21 16:27 <DIR> d-------- C:\Logs
2008-04-21 13:13 . 2008-04-22 16:50 <DIR> d-------- C:\Program Files\World of Warcraft
2008-04-21 13:13 . 2008-04-21 13:13 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-04-16 17:53 . 2008-04-16 17:53 <DIR> d-------- C:\Program Files\Webroot
2008-04-16 17:53 . 2008-04-16 17:53 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-04-16 17:53 . 2008-04-16 17:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-04-16 17:53 . 2007-01-25 21:57 144,448 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-04-16 17:53 . 2007-01-25 21:57 22,080 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-04-16 17:53 . 2007-01-25 21:57 21,056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-04-16 17:53 . 2007-01-25 21:57 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2008-04-16 17:51 . 2008-04-16 17:51 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Webroot
2008-04-16 16:23 . 2008-04-16 16:23 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\McAfee
2008-04-13 22:21 . 2008-04-14 13:54 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Petroglyph
2008-04-13 22:19 . 2008-04-13 22:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\LucasArts
2008-04-13 22:19 . 2008-05-02 13:30 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-04-13 22:12 . 2008-05-05 05:09 <DIR> d-------- C:\Program Files\LucasArts
2008-04-13 12:36 . 2008-04-13 12:40 <DIR> d-------- C:\Program Files\illusion
2008-04-13 10:49 . 2008-04-13 12:24 3,020 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-13 02:35 . 2008-04-29 15:30 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-04-13 02:35 . 2008-04-29 15:30 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-04-13 02:29 . 2008-04-13 02:29 <DIR> d-------- C:\WINDOWS\Crusaders - Thy Kingdom Come
2008-04-13 02:29 . 2008-04-13 02:29 <DIR> d-------- C:\NeocoreGames
2008-04-09 04:30 . 2008-04-09 04:30 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\InstallShield
2008-04-09 04:13 . 2008-04-09 04:13 <DIR> d-------- C:\Program Files\Firaxis Games
2008-04-09 04:12 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-09 01:42 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-05-08 13:06 --------- d-----w C:\Program Files\BOINC
2008-05-08 02:06 --------- d-----w C:\Documents and Settings\Owner\Application Data\Vso
2008-05-07 16:52 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-06 14:52 --------- d-----w C:\Program Files\eMule
2008-05-05 09:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-21 20:32 --------- d-----w C:\Program Files\McAfee
2008-04-21 16:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-16 20:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-11 18:46 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-04-06 21:39 --------- d-----w C:\Documents and Settings\Owner\Application Data\Hewlett-Packard
2008-04-06 21:35 --------- d-----w C:\Program Files\Hewlett-Packard
2008-04-06 21:35 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-04-05 21:22 --------- d-----w C:\Program Files\TechSmith
2008-04-05 21:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\TechSmith
2008-04-04 18:55 --------- d-----w C:\Program Files\Common Files\ChessBase
2008-04-04 18:55 --------- d-----w C:\Program Files\ChessBase
2008-04-04 00:37 --------- d-----w C:\Documents and Settings\Owner\Application Data\Jane s Hotel Family Hero
2008-04-03 22:37 --------- d-----w C:\Program Files\LG Drivers
2008-04-03 22:16 --------- d-----w C:\Program Files\BitPim
2008-04-03 20:12 --------- d-----w C:\Documents and Settings\Owner\Application Data\ChessBase
2008-03-28 17:25 --------- d-----w C:\Program Files\MySpace
2008-03-28 17:25 --------- d-----w C:\Documents and Settings\Owner\Application Data\MySpace
2008-03-28 16:57 --------- d-----w C:\Program Files\Game Elements
2008-03-27 20:58 --------- d-----w C:\Documents and Settings\Owner\Application Data\CyberLink
2008-03-27 20:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-03-27 20:55 --------- d-----w C:\Program Files\CyberLink
2008-03-27 20:53 505,392 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-03-27 20:23 --------- d-----w C:\Documents and Settings\Owner\Application Data\DivX
2008-03-26 05:46 --------- d--h--w C:\Documents and Settings\All Users\Application Data\{0E8E33D8-193A-414A-A909-0F101A142D26}
2008-03-26 05:44 --------- d-----w C:\Program Files\Stardock Games
2008-03-26 05:40 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-03-26 05:37 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-03-26 05:37 --------- d-----w C:\Documents and Settings\Owner\Application Data\DAEMON Tools
2008-03-26 05:33 --------- d-----w C:\Program Files\[bleep] NFO Viewer
2008-03-25 20:18 --------- d-----w C:\Program Files\Raxco
2008-03-25 20:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Raxco
2008-03-25 19:44 --------- d-----w C:\Program Files\Common Files\McAfee
2008-03-25 19:07 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-03-25 19:07 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
2008-03-25 19:07 --------- d-----w C:\Program Files\VSO
2008-03-25 18:53 --------- d-----w C:\Program Files\uTorrent
2008-03-25 18:32 --------- d-----w C:\Program Files\VideoLAN
2008-03-25 18:32 --------- d-----w C:\Documents and Settings\Owner\Application Data\vlc
2008-03-25 17:58 --------- d-----w C:\Program Files\Windows Defender
2008-03-25 17:31 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-25 17:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-25 17:18 --------- d-----w C:\Program Files\McAfee.com
2008-03-25 17:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-25 17:03 --------- d-----w C:\Program Files\Java
2008-03-21 22:42 --------- d-----w C:\Program Files\Bonjour
2008-03-21 22:42 --------- d-----w C:\Program Files\Apple Software Update
2008-03-21 22:41 --------- d-----w C:\Program Files\Common Files\Apple
2008-03-21 22:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-03-21 22:40 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2008-03-21 22:39 --------- d-----w C:\Program Files\Common Files\Java
2008-03-21 22:38 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-21 22:38 --------- d-----w C:\Program Files\BurnAware Free Edition
2008-03-21 22:37 --------- d-----w C:\Program Files\7-Zip
2008-03-21 22:23 --------- d-----w C:\Program Files\PKWARE
2008-03-21 22:23 --------- d-----w C:\Program Files\Essentials Codec Pack
2008-03-21 22:23 --------- d-----w C:\Program Files\DivX
2008-03-21 22:23 --------- d-----w C:\Program Files\Common Files\PKWARE
2008-03-21 22:22 --------- d-----w C:\Program Files\Combined Community Codec Pack
2008-03-21 22:21 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-03-21 22:03 --------- d-----w C:\Program Files\VIA
2008-03-21 22:02 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-21 22:01 --------- d-----w C:\Program Files\MSI
2008-03-21 22:00 --------- d-----w C:\Program Files\Realtek Sound Manager
2008-03-21 22:00 --------- d-----w C:\Program Files\Realtek AC97
2008-03-21 22:00 --------- d-----w C:\Program Files\AvRack
2008-03-21 21:59 --------- d-----w C:\Program Files\MSBuild
2008-03-21 21:59 --------- d-----w C:\Program Files\AMD
2008-03-21 21:56 --------- d-----w C:\Program Files\Reference Assemblies
2008-03-21 21:54 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-21 21:17 --------- d-----w C:\Program Files\MSXML 6.0
2008-03-21 20:20 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-04 18:00 811,776 ----a-w C:\WINDOWS\boinc.scr
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((( snapshot_2008-05-02_ 5.42.53.81 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-30 02:45:44 53,248 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
+ 2008-05-05 09:13:40 53,248 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
- 2008-04-30 02:45:44 12,800 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
+ 2008-05-05 09:13:40 12,800 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
- 2008-04-30 02:45:45 473,600 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
+ 2008-05-05 09:13:40 473,600 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
- 2008-04-30 02:45:38 2,676,224 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-05-05 09:13:34 2,676,224 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-30 02:45:38 2,846,720 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-05-05 09:13:35 2,846,720 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-30 02:45:39 563,712 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-05-05 09:13:36 563,712 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-30 02:45:40 567,296 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-05-05 09:13:36 567,296 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-30 02:45:40 576,000 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-05-05 09:13:36 576,000 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-30 02:45:41 577,024 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-05-05 09:13:37 577,024 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-30 02:45:41 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-05-05 09:13:37 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-30 02:45:42 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-05-05 09:13:38 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-30 02:45:42 578,560 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-05-05 09:13:38 578,560 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-30 02:45:45 578,560 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-05-05 09:13:40 578,560 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-30 02:45:45 145,920 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
+ 2008-05-05 09:13:41 145,920 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
- 2008-04-30 02:45:46 159,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
+ 2008-05-05 09:13:41 159,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
- 2008-04-30 02:45:46 364,544 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
+ 2008-05-05 09:13:41 364,544 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
- 2008-04-30 02:45:46 178,176 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
+ 2008-05-05 09:13:42 178,176 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
- 2008-04-30 02:45:43 223,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
+ 2008-05-05 09:13:39 223,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
- 2008-05-01 09:29:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-09 13:08:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-05 09:10:50 2,686 ----a-r C:\WINDOWS\Installer\{4E074808-1B86-4230-A9EB-0904942EC4AE}\ARPPRODUCTICON.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-03-21 04:30 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2006-02-28 08:00 33280 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2006-02-28 08:00 33280 C:\WINDOWS\system32\rundll32.exe]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 05:42 577536 C:\WINDOWS\soundman.exe]
"DiagAP8169"="C:\Program Files\MSI\LAN Utility\DiagAP8169 /hw" [ ]
"Media Codec Update Service"="C:\Program Files\Essentials Codec Pack\update.exe" [2007-04-08 12:44 303104]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"BDRegion"="C:\Program Files\Cyberlink\Shared Files\brs.exe" [2008-02-21 10:24 91432]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2008-01-22 14:23 81920]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 12:06 62760]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-01-25 21:58 4865600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 16:32 8699904]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-09 18:21:38 147456]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 18:11:12 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\ff_vfw.dll
"vidc.wmv3"= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Empire at War Forces of Corruption\\swfoc.exe"=

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 20:22]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2008-01-18 23:01]
R2 LANPkt;Realtek LANPkt Protocol;C:\WINDOWS\system32\DRIVERS\LANPkt.sys [2003-09-17 15:57]
R2 PD91Agent;PD91Agent;"C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe" [2008-01-16 10:52]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-03 18:31]
R3 Diag69xp;Diag69xp;C:\WINDOWS\system32\Drivers\Diag69xp.sys [2003-09-02 11:25]
S3 PD91Engine;PD91Engine;"C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe" [2008-01-16 10:52]
S3 samhid;samhid;C:\WINDOWS\system32\drivers\samhid.sys [2006-01-07 12:09]
S3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\RTL8150.SYS [2006-05-10 16:22]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchEAW.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-05 13:24:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-06 21:39:29 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1207517937.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-05-09 13:11:47 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-09 09:24:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
Completion time: 2008-05-09 9:25:50
ComboFix-quarantined-files.txt 2008-05-09 13:25:45
ComboFix2.txt 2008-05-02 09:43:18
ComboFix3.txt 2008-04-26 15:06:14
ComboFix4.txt 2008-04-25 17:47:17

Pre-Run: 227,554,496,512 bytes free
Post-Run: 227,548,483,584 bytes free

292 --- E O F --- 2008-05-06 23:10:11

----------------------------------------------------------------- xd
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:58:20 AM, on 5/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\MSI\LAN Utility\DiagAP8169.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DiagAP8169] C:\Program Files\MSI\LAN Utility\DiagAP8169 /hw
O4 - HKLM\..\Run: [Media Codec Update Service] "C:\Program Files\Essentials Codec Pack\update.exe" -silent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BDRegion] "C:\Program Files\Cyberlink\Shared Files\brs.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7786 bytes

Edited by renaldoaoa, 09 May 2008 - 08:06 AM.

  • 0

#25
sarahw

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
Hi,
That worked that time. :)
We'll run a few scans now to clean things up.

1.
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


2.
Please download Malwarebytes' Anti-Malware to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan (Full scan is optional. According to the program's creator Quick Scan will do just fine.).
Click Scan.
When the scan is complete, click OK, then Show Results to view the results.

If Malware is found...
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad.
Please save it to your desktop.

NOTE: Logs can be retrieved at a later date from the Malwarebytes' Anti-Malware main screen:

Launch Malwarebytes' Anti-Malware.
Click the Logs tab.
Double-click log-mm.dd.yyyy [xxxxxx].txt.

In your next reply post the Malwarebytes' Anti-Malware log.


3.
Click HERE and run an online scan with Kaspersky WebScanner
  • Click on Kaspersky Online Scanner
  • You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
  • Scan Options:
    Scan Archives
    Scan Mail Bases
[*]Click OK
[*]Now under select a target to scan:Select My Computer
[*]This will program will start and scan your system.
[*]The scan will take a while so be patient and let it run.
[*]Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
[*]Save the file to your desktop.
[*]Copy and paste that information into your next post.
[/list]
  • 0

Advertisements


#26
renaldoaoa

renaldoaoa

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Yay!! :)

I hope these are good to.

Malwarebytes' Anti-Malware 1.12
Database version: 742

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 146511
Time elapsed: 42 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\jrhwucxu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ktvcptmn.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\rqRIcYrR.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\wvUlijGV.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71666199-421D-4144-85D0-301A510D4919}\RP90\A0007647.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71666199-421D-4144-85D0-301A510D4919}\RP90\A0007648.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71666199-421D-4144-85D0-301A510D4919}\RP90\A0007649.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{71666199-421D-4144-85D0-301A510D4919}\RP90\A0007650.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, May 12, 2008 3:58:47 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/05/2008
Kaspersky Anti-Virus database records: 763380
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 111091
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 01:03:21

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\CyberLink\BDNAV\BRF.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\logout.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{2333541E-D7E6-410B-96C1-3A966EAA5EBF}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{9D600E0B-A059-46AB-A8AA-7F6D8654E57F}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{F656E8CE-19D8-4B3E-89C6-C340143F7F51}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR1.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-03252008-135809.log Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS033F0186-FAC5-4011-A06F-297D290C9582.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS088F9742-B440-46A7-A809-247620344567.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS0B2D1B35-5658-4987-950A-251686A72BED.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS0C611C46-AC0D-447E-AB77-A55EF00A84B4.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS0D6520CE-2913-4C1D-8404-9050E82F17D2.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS0D878F82-D350-4109-8140-F3532F5F760E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS0FBFA4EE-2341-49F3-B58E-39081B221CA2.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS1007A196-921B-4A13-A722-942FC35DC1DB.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS184E1368-4BBB-4ABC-B6B9-84E7D1C534FB.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS192A6810-BB22-4CBF-ACBC-9CF3C509923C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS1A6577D4-7586-4C23-BF76-1E572C905ECE.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS1AF7D701-1EA4-4C37-B416-E5BFB8C70DB5.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS1B010AE4-B54F-4925-B6AF-09DDA038872F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS205282F0-5622-435E-90DB-FF27338262F6.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS2B2CE889-E119-406F-9BE1-4C44E455C08C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS2C42C247-DB13-4365-998B-50993670FDA4.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS2C572A4A-BFC1-4F3E-A8F8-454A1E1CE355.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS2E8300BB-4C0B-4E70-BBE2-FEA6C68E7E80.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS2E926323-9317-4830-ADDF-81FE5469FE3F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS2F119D34-070C-4337-A09D-EDDBF850BC64.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS318F04FF-C2CB-4618-8A2A-4B1655093586.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS36567857-9343-45B9-8E94-12C5AE0B856B.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS3912C002-C288-400F-89A7-88376A1DB251.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS3B5B4890-4F14-48AD-BA3B-D51DFE5828E2.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS3CC3EE57-AD67-4B04-A954-8E61FA817755.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS405994C0-60C3-429B-BD00-0776FE54EC9E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS43141A3B-42AE-4AC6-9420-4EE28F9B3D4F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS43A5843C-62E8-43F8-B9CE-C529422014EB.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS44321146-FD0C-4CE5-B019-D79518CAA683.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS4AAAEFA6-F336-46E4-99A9-420874D3C91C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS4D6A3F16-88E9-43D0-9F61-A014AA548329.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS557CE0C8-6618-4D27-AC79-AD0374113697.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS562C7803-576C-4CD4-A3AE-2779DFCE8B2E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS59944638-1FC2-4C32-8E02-E0D840A0D38F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS5B34075A-93AF-4C8B-95A5-E9D07CFFF405.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS5C6F1D40-F97F-4B66-A172-FA2CBA6D00A7.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS5CA63A8F-994F-43EA-90B7-42636D687690.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS5E90DA05-A94E-4D0F-8237-A63283033ADA.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS5E9D8870-BB06-4A21-8E88-69A4B3DDBE26.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS61B53875-14AE-4481-B096-435B1ECDAD90.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS624E001E-2CE8-4F35-A9E6-4C6862C0F59D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS62F03162-FA14-46B5-B5CE-9FFC28CB8225.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS68B3164D-FE20-4F73-8C4B-FE65F60D0480.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS6DD5079D-692C-428E-AF2F-C9303FF50A33.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS70DF2948-8B6D-4619-BBA3-33C28707A7BB.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS787F150B-6AD5-491D-B6EC-47DA0ECA32A0.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS7B51A667-C475-4094-B997-70568A4E962D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS7BC76A13-EF50-4CD4-88CD-16CBB79808C4.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS7DF166BE-132E-4DBA-88FC-8DE299FE8BAD.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS7E54CED3-D0C0-405C-9789-0621ED8BC8D3.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS830A1BCF-56FF-40AF-AA3A-94F7BE54BBBB.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS847FA74A-D6C5-4B29-9C7A-6D5CBFA8A057.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS84AE8997-D91F-4F0C-B9DF-134F20394B17.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS8C9D7343-6F45-4ACD-B93D-4E63CDB1D4BD.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS8CE07268-C754-41C4-B4DF-5475C17E872B.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS8EE9D683-ED20-4964-9420-3126AA93838C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS9AFC63DA-0EEF-4903-8294-AA458C0202AD.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS9CFA7C0F-EBAC-4BD5-A2D3-6CA4E8DB3E02.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS9FCB7CE8-808B-456E-BF2C-420FC747CAA1.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSA1F99CBE-A994-4DA4-9006-62B4AA433F33.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSA313930C-442A-42CB-B858-FAF3ADCFB165.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSAC080EF4-AA14-47F1-961F-09589755DE49.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSAC9678DA-2542-45A6-A0F9-3791CC00EC5C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSAD0E6D82-3D08-4C83-9A4E-A95090598703.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSAE89259C-A3A0-491A-9949-37320E138227.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSAF728F1E-7D22-4208-85A9-9C385CFD9634.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSB11C95B0-61E8-47A4-89A5-4B8E1F32E5FA.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSB48F9B33-355F-46D4-9FE5-4009D195D525.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSB55A1718-EB96-4B71-BE68-6B4A3E74A17C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSBFBF9C71-A3B3-4692-9883-C718DC6BE1C3.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC1A21B28-9B08-4344-ABA4-3171029E97F1.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC227B7E9-028B-4878-9625-D183524162EF.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC3EB52EE-CAB7-44C2-B6AE-9FECE283F042.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC4DC90BD-74A2-4129-A5F8-CFA2ECD531B8.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC6867C17-F807-49ED-B127-F93240204856.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSCA81C919-5BC4-4D03-8469-9142115CF4AA.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSCCD0DE59-8A5B-451E-9FF7-B085C81AAEE0.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSD24A7B59-7B0E-4D51-A057-228BCC3E0D62.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSD749E4B4-B3C5-4B20-8764-6CC88A1906B1.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSD9F1DFA1-C5F5-48CC-9289-08A425265F85.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSDAEBA8A6-9D85-4FB3-ACBD-07746C0F3C21.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSDCC012A4-A71C-4AAB-BCB6-186A5564309B.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSDFEAC92A-6A49-48C0-88E0-DCFFA81D24A1.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSE3BA27B2-9409-4697-8E00-C61A81DA705A.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSE63C1DDC-D01D-4255-8992-874DED3433AB.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSEB230AAB-622C-4F1C-8B34-24AD5B09D1A9.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSF12AF8F7-D2B8-4387-9FF5-787922A46A45.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSF5377975-AFA5-44B5-AB15-5BB329A87ACB.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSF6B5755D-4FAB-421B-84DC-321DDF24A912.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSFBA8BEE0-F8ED-4C89-AF36-767522293375.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSFDE06B57-F5BF-4925-9BA0-68062F0322DC.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\54ypyg94.default\cert8.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\54ypyg94.default\history.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\54ypyg94.default\key3.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\54ypyg94.default\parent.lock Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\54ypyg94.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\54ypyg94.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Webroot\Spy Sweeper\Logs\080509092927.ses Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{1532B728-2F54-4855-805F-26E359A40FDA} Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\54ypyg94.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\54ypyg94.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\54ypyg94.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\54ypyg94.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008051220080513\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.mst Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{71666199-421D-4144-85D0-301A510D4919}\RP120\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{FF27E1E6-604E-440F-A663-FA8B0AF56E96}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcafee_19D0AB3tf8Ebxk6 Object is locked skipped
C:\WINDOWS\Temp\mcafee_QqLxlHgkx70bTFC Object is locked skipped
C:\WINDOWS\Temp\mcafee_X00ndnjpHBhl0eF Object is locked skipped
C:\WINDOWS\Temp\mcmsc_65v4XvlrbQpMZlJ Object is locked skipped
C:\WINDOWS\Temp\mcmsc_6qIF6dIZn4L4Jhm Object is locked skipped
C:\WINDOWS\Temp\mcmsc_KT1g1TiaGgdPK4a Object is locked skipped
C:\WINDOWS\Temp\mcmsc_r1A09AUijNfMsBs Object is locked skipped
C:\WINDOWS\Temp\mcmsc_ugs0XNEVuyR6aVU Object is locked skipped
C:\WINDOWS\Temp\mcmsc_Y7mAoAEvxxMzDLh Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\7010d8308db009d033\common\spcustom.dll Object is locked skipped
F:\7010d8308db009d033\common\spmsg.dll Object is locked skipped
F:\7010d8308db009d033\common\spuninst.exe Object is locked skipped
F:\7010d8308db009d033\common\update.exe Object is locked skipped
F:\7010d8308db009d033\sp1\update\KB824141.cat Object is locked skipped
F:\7010d8308db009d033\sp1\update\update.inf Object is locked skipped
F:\7010d8308db009d033\sp1\update\update.ver Object is locked skipped
F:\7010d8308db009d033\sp1\user32.dll Object is locked skipped
F:\7010d8308db009d033\sp1\win32k.sys Object is locked skipped
F:\7010d8308db009d033\sp2\spmsg.dll Object is locked skipped
F:\7010d8308db009d033\sp2\spuninst.exe Object is locked skipped
F:\7010d8308db009d033\sp2\update\KB824141.cat Object is locked skipped
F:\7010d8308db009d033\sp2\update\spcustom.dll Object is locked skipped
F:\7010d8308db009d033\sp2\update\update.exe Object is locked skipped
F:\7010d8308db009d033\sp2\update\update.inf Object is locked skipped
F:\7010d8308db009d033\sp2\update\update.ver Object is locked skipped
F:\7010d8308db009d033\sp2\user32.dll Object is locked skipped
F:\7010d8308db009d033\sp2\win32k.sys Object is locked skipped
F:\System Volume Information\_restore{71666199-421D-4144-85D0-301A510D4919}\RP120\change.log Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\html32.cnv Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\locator.exe Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\magnify.exe Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\migwiz.exe Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\mrxsmb.sys Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\msconv97.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\narrator.exe Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\newdev.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\ntdll.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\ntkrnlpa.exe Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\ntoskrnl.exe Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\osk.exe Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\pchshell.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\raspptp.sys Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\shmedia.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\srrstr.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\srv.sys Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\sysmain.sdb Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\user32.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\win32k.sys Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\winsrv.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB826939$\zipfldr.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\migregdb.exe Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB837001$\msjet40.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB837001$\msjint40.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB837001$\msjter40.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB837001$\msltus40.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB837001$\mspbde40.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB837001$\msrd2x40.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB837001$\msrd3x40.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB837001$\msrepl40.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB837001$\mstext40.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB837001$\mswdat10.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB837001$\mswstr10.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB837001$\msxbde40.dll Object is locked skipped
F:\WINDOWS\$NtUninstallKB837001$\vbajet32.dll Object is locked skipped

Scan process completed.
  • 0

#27
sarahw

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
Hi,
These files are located in the Windows folder. Did you put them there?
C:\WINDOWS\Westward II Heroes of the Frontier [h33t] [oi812heet]
C:\WINDOWS\disney.ini

How is your computer running?

Edited by sarahw, 16 May 2008 - 12:22 PM.

  • 0

#28
renaldoaoa

renaldoaoa

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
The Westward is a game i downloaded, so I assume it put the file there when It was installed.
The Disney however I have no idea. Both I have no problem deleting if ya advise me to.

After this last run I've noticed I haven't had much get up and go as I use to, mostly in the internet department. 8(
It's not a big problem, but enough for me to start doing bandwidth tests and the thought of possibly reinstalling firefox.

Edited by renaldoaoa, 16 May 2008 - 10:40 PM.

  • 0

#29
renaldoaoa

renaldoaoa

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Also lately the computer have been freezing up. So far 2x's but it's never done that before.

No clue if it has anything to do with what we did, but i figured I'd mention it.
  • 0

#30
sarahw

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
Hi,
Please go into the Event Viewer and see what errors occurred at the time your computer freezes.

Click START-->RUN and type EVENTVWR.MSC and hit ENTER.

Look under SYSTEMS AND APPLICATIONS for items with RED X's that happened at the SAME time as your problem...List them here.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP