Spyware or Malware problem. [CLOSED]

#1 DemolishedBySpyware (Member, 10 posts)

Hello. First I will start off telling you how I received the infection. I downloaded a file off of a website for a computer game I play and when I installed the files it turned out to be the problem I have now.

Here is what the infection does to my computer and what I have discovered so far. The infection is re-creating itself when I reboot. When I look into my C:\ the program files delextra.exe, starts.exe, and sometimes some others are there even after I delete them before reboot. The creation date on the files is always when I turn my computer back on or it boots back up. If I delete the files while my computer is on they still reappear eventually. The infection so far does the following that I've noticed. When I log in my desktop is blank and I have to use Task Manager to open anything, and I can see tasks being run that are named things like 903sdbsbxc380 etc... and I cannot switch to them, but only end them. When I open a .exe file through Task Manager it does "Loading Personalized Settings" then shows my desktop, start menu, etc... and I can go about things the normal way. It still does not allow me to see images on the internet, I cannot turn my FIREWALL on, when I click links I get the not connected to internet message a lot, and it also gives me system messages saying buy this anti-spyware, your system's infected with blah blah, etc...

I have followed the directions on http://www.geekstogo...-Log-t2852.html. I was unable to do the following:

1. Panda ActiveScan
2. I did not download AVG yet; I was going to wait until my system was clean to download it.

Here are my logs:

1) Malware Log File

Malwarebytes' Anti-Malware 1.11
Database version: 694

Scan type: Quick Scan
Objects scanned: 35311
Time elapsed: 7 minute(s), 20 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 5
Registry Keys Infected: 35
Registry Values Infected: 8
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 18

Memory Processes Infected:
c:\Documents and Settings\Owner\Local Settings\Temp\csrssc.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
c:\WINDOWS\system32\WLCtrl32.dll (Trojan.DownLoader) -> Unloaded module successfully.
c:\WINDOWS\system32\jfiehayd.dll (Trojan.DownLoader) -> Unloaded module successfully.
C:\WINDOWS\system32\awtqoLBT.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\wvUoOHbA.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\winhdn32.dll (Dialer) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlctrl32 (Trojan.DownLoader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c5af49a2-94f3-42bd-f434-2604812c897d} (Trojan.DownLoader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5af49a2-94f3-42bd-f434-2604812c897d} (Trojan.DownLoader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d611188-5205-4077-9922-bb58c2387832} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d611188-5205-4077-9922-bb58c2387832} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28abc5c0-4fcb-11cf-aax5-81cx1c635612} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\e404.e404mgr (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\e404.e404mgr.1 (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c03fd59d-9104-44b7-929a-9eaa0ba05211} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7c109800-a5d5-438f-9640-18d17e168b88} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{aaa7fb6f-1b1c-4425-8303-05ec68f250ba} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0bb6ef78-ffc8-4f7a-bd2c-09da1169a4b5} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0bb6ef78-ffc8-4f7a-bd2c-09da1169a4b5} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wvuoohba (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winhdn32 (Dialer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\NetProject (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Service (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Secure Browsing (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\E404.e404mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c5af49a2-94f3-42bd-f434-2604812c897d} (Trojan.DownLoader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jnskdfmf9eldfd (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload (Worm.Socks) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{0bb6ef78-ffc8-4f7a-bd2c-09da1169a4b5} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM47bb20eb (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runner1 (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\some (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\start (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\awtqolbt -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\awtqolbt -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\WLCtrl32.dll (Trojan.DownLoader) -> Delete on reboot.
c:\WINDOWS\system32\jfiehayd.dll (Trojan.DownLoader) -> Delete on reboot.
c:\Documents and Settings\Owner\Local Settings\Temp\csrssc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awtqoLBT.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\TBLoqtwa.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TBLoqtwa.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ddfrseuy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yuesrfdd.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\cftmon.exe (Worm.Socks) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wvUoOHbA.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Owner\Local Settings\Temp\2877899108.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\3917899108.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\453745766.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phveaqlj.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hqiopa.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winzlo32.dll (Dialer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winhdn32.dll (Dialer) -> Delete on reboot.
C:\WINDOWS\system32\WLCtrl32.dl_ (Trojan.Downloader) -> Quarantined and deleted successfully.



2) SuperAntiSpyware Scan Log


SUPERAntiSpyware Scan Log
Generated 04/28/2008 at 06:56 PM

Application Version : 3.6.1000

Core Rules Database Version : 3449
Trace Rules Database Version: 1441

Scan type : Complete Scan
Total Scan Time : 00:45:04

Memory items scanned : 297
Memory threats detected : 2
Registry items scanned : 4754
Registry threats detected : 10
File items scanned : 52145
File threats detected : 142

Trojan.Unknown Origin/System
C:\WINDOWS\SYSTEM32\WINHDN32.DLL
C:\WINDOWS\SYSTEM32\WINHDN32.DLL

Rootkit.Runtime3/Mutant-A
C:\WINDOWS\SYSTEM32\WLCTRL32.DLL
C:\WINDOWS\SYSTEM32\WLCTRL32.DLL

Rootkit.Runtime3/Mutant
HKLM\System\ControlSet001\Services\iyr03
C:\WINDOWS\SYSTEM32\DRIVERS\IYR03.SYS
HKLM\System\controlset002\Services\iyr03
HKLM\System\ControlSet003\Services\iyr03
HKLM\System\CurrentControlSet\Services\iyr03
C:\SYSTEM VOLUME INFORMATION\_RESTORE{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP475\A0167231.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP475\A0167239.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP477\A0167263.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP477\A0167288.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP477\A0167299.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP478\A0167393.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP478\A0167405.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP478\A0167414.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167475.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167794.SYS

Adware.Tracking Cookie
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected]ealmedia[1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt

Trojan.Unknown Origin
HKLM\SOFTWARE\Microsoft\MSSMGR
HKLM\SOFTWARE\Microsoft\MSSMGR#Brnd
HKLM\SOFTWARE\Microsoft\MSSMGR#PSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#SSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#SCLIST
HKLM\SOFTWARE\Microsoft\MSSMGR#SSLIST
C:\SYSTEM VOLUME INFORMATION\_RESTORE{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167503.EXE

Rogue.NetProject-Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP476\A0167250.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP478\A0167419.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP478\A0167433.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167746.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167747.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167748.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167750.EXE

Adware.E404 Helper/Variant-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167753.DLL

Trojan.WinBo32
C:\WINDOWS\SYSTEM32\COMBOPLUSCTL.OCX



3) HiJackThis Log File

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:05:45 PM, on 4/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\lcss.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\Owner\Application Data\U3\000015A08A602DAC\LaunchPad.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\delextra.exe
c:\delextra.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink...ton/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = htpp://wpad.wildblue.com/wpad.dat
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Owner\cftmon.exe
O4 - HKLM\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\Owner\LOCALS~1\Temp\winlogan.exe
O4 - HKLM\..\Run: [16E5] C:\DOCUME~1\Owner\LOCALS~1\Temp\16E5.exe
O4 - HKLM\..\Run: [Winjava vil] sys32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Owner\cftmon.exe
O4 - HKCU\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\Owner\LOCALS~1\Temp\winlogan.exe
O4 - HKCU\..\Run: [WintelUpdate] C:\DOCUME~1\Owner\LOCALS~1\Temp\3C46.tmp.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.fileplanet.com
O15 - Trusted Zone: http://*.runuo.com
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/c.../cpcScanner.cab
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: jqvm465hmygebkpp6 - Unknown owner - C:\WINDOWS\system32\lcss.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)

--
End of file - 6948 bytes




I believe that's all of the log files from following the instructions given in the post mentioned above. I really hate that this is happening to my computer. I did start to just restore it. I have the CD, but I can't find the XP authentication number, so I just have to fix it this way. Thanks for being here to help!
  • 0

#2
Lusitano

Lusitano

    Trusted Helper

  • Retired Staff
  • 508 posts
Hello,

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.


Go to Start » Run » type: Notepad » OK.
Copy (Ctrl+C) and paste (Ctrl+V) the following text inside the code box below to Notepad. (Be sure to use Notepad, not Wordpad, otherwise it won't work).
@ECHO OFF
REM Stop the two services from the HijackThis log (the random-named one running lcss.exe,
REM and the hijacked "Schedule" entry pointing at the missing drivers\spools.exe).
sc stop "jqvm465hmygebkpp6"
sc stop "Schedule"
REM Disable them so they cannot start again, then remove the service entries.
sc config "jqvm465hmygebkpp6" start= disabled
sc config "Schedule" start= disabled
sc delete "jqvm465hmygebkpp6"
sc delete "Schedule"
REM The batch runs from the desktop, so it can remove itself when finished.
del fixsvc.bat
exit
  • Click File at the top and then choose Save As.
  • Change Save As Type to All Files.
  • Name it fixsvc.bat and save it on your desktop.
  • It should look like this: Posted Image
  • Double click fixsvc.bat. A window will open and close. This is normal.


Please download SDFix by AndyManchesta and save it to your desktop.
When using this tool, you must use the Administrator's account or an account with "Administrative rights".
  • Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
  • DO NOT use it just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.
-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe



Download ComboFix from Here or Here to your Desktop.
Read first: "How to download and use ComboFix"
If you downloaded ComboFix previously, delete that version and download it again as the tool is frequently updated!
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
  • Be sure to re-enable your anti-virus and other security programs after ComboFix has finished.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist. Please read Combofix's Disclaimer

In your next reply, please post:
- The results from SDFix.
- The results from ComboFix.
- A new HijackThis log.
  • 0
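As an added example, not code from this thread or from HijackThis, the script below applies the checks the helper made by eye on the O4 and O23 lines above (binary missing, an .exe in the drivers folder, a machine-generated name) and emits the same stop/disable/delete sequence as fixsvc.bat for whatever it flags. The heuristics and the Finding type are my own; the sample lines are copied from the log posted above.

```python
"""Triage the O4 (autorun) and O23 (service) lines of a HijackThis log.

Heuristics: a binary that is missing, an .exe sitting in the system32 drivers
folder, a binary at the drive root or under RECYCLER, or a name that looks
machine-generated. "Unknown owner" alone is deliberately NOT a trigger:
PnkBstrA in the log above is unsigned but legitimate.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: these six lines are copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: jqvm465hmygebkpp6 - Unknown owner - C:\WINDOWS\system32\lcss.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)
"""

O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<path>.+?)(?: \(User '[^']*'\))?$")
O4_STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<path>.+)$")
SHORT_NAME_RE = re.compile(r"^(?P<display>.+) \((?P<short>[^()]+)\)$")
MISSING = " (file missing)"


@dataclass
class Finding:
    kind: str                 # "service" (O23) or "autorun" (O4)
    name: str                 # name exactly as HijackThis prints it
    path: str                 # binary path without the "(file missing)" suffix
    owner: str = ""           # O23 only: vendor string from the file's version info
    file_missing: bool = False
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)

    @property
    def service_name(self) -> str:
        """Short name that sc expects: HijackThis shows it in parentheses when it differs."""
        m = SHORT_NAME_RE.match(self.name)
        return m["short"] if m else self.name


def looks_machine_generated(name: str) -> bool:
    """True for names like jqvm465hmygebkpp6: one long alphanumeric token that mixes
    letters and digits and has almost no vowels. PnkBstrA fails the length/digit tests."""
    token = name.lower()
    if not re.fullmatch(r"[a-z0-9]{10,}", token):
        return False
    letters = [c for c in token if c.isalpha()]
    if not letters or not any(c.isdigit() for c in token):
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) < 0.3


def assess(f: Finding) -> Finding:
    """Attach one reason per heuristic the entry trips; no reasons means it looks normal."""
    p = f.path.lower()
    if f.file_missing:
        f.reasons.append("binary is missing: dangling entry left by a removed payload")
    if "\\system32\\drivers\\" in p and p.endswith(".exe"):
        f.reasons.append("an .exe in system32\\drivers, where only .sys drivers belong")
    if "\\recycler\\" in p or re.fullmatch(r"[a-z]:\\[^\\]+\.exe", p):
        f.reasons.append("binary at the drive root or under RECYCLER")
    if looks_machine_generated(f.name):
        f.reasons.append("name looks machine-generated")
    return f


def parse_line(line: str):
    """Return a Finding for an O4 or O23 line, or None for any other HijackThis line."""
    line = line.strip()
    missing = MISSING in line
    line = line.replace(MISSING, "")
    if m := O23_RE.match(line):
        return assess(Finding("service", m["name"], m["path"], m["owner"], missing))
    if m := O4_RUN_RE.match(line):
        return assess(Finding("autorun", m["name"], m["path"].strip('"'), "", missing))
    if m := O4_STARTUP_RE.match(line):
        return assess(Finding("autorun", m["name"], m["path"], "", missing))
    return None


def triage(log_text: str) -> list:
    """All O4/O23 findings in log order, each already assessed."""
    return [f for f in map(parse_line, log_text.strip().splitlines()) if f is not None]


def remediation_commands(f: Finding) -> list:
    """The stop / disable / delete sequence fixsvc.bat uses, for flagged services only."""
    if f.kind != "service" or not f.suspicious:
        return []
    n = f.service_name
    return [f'sc stop "{n}"', f'sc config "{n}" start= disabled', f'sc delete "{n}"']


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"[{flag}] {f.kind:7} {f.name} -> {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
        for cmd in remediation_commands(f):
            print(f"    {cmd}")
```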

#3
DemolishedBySpyware

DemolishedBySpyware

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Well, while I'm in safe mode I can see all the pictures on the internet now, but when I'm logging onto my computer it does not want to load my desktop automatically. Good news: I can now activate my firewall and I haven't received any adware yet.

Results:


SDfix Results-

SDFix: Version 1.177
Run by Owner on Tue 04/29/2008 at 03:52 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
hqiopa

Path :

hqiopa - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\delextra.exe - Deleted
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\sys32.exe - Deleted
C:\WINDOWS\system32\lcss.exe - Deleted


Combofix Results Log -


ComboFix 08-04-29.3 - Owner 2008-04-29 16:14:00.1 - NTFSx86 DSREPAIR
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.931 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\TBLoqtwa.ini
C:\WINDOWS\system32\TBLoqtwa.ini2

.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-29 )))))))))))))))))))))))))))))))
.

2008-04-29 15:44 . 2008-04-29 15:44 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-29 15:41 . 2005-07-21 16:10 211 --ah----- C:\boot.ini.SAB
2008-04-29 15:29 . 2008-04-29 16:13 <DIR> d-------- C:\SDFix
2008-04-28 22:26 . 2008-04-29 15:02 17,772 --a------ C:\starts.exe
2008-04-28 22:05 . 2008-04-28 22:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-28 18:11 . 2008-04-28 18:11 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2008-04-28 18:11 . 2008-04-28 18:11 <DIR> d-------- C:\WINDOWS\system32\CatRoot
2008-04-28 17:49 . 2008-04-28 23:03 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-28 17:49 . 2008-04-28 17:49 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-04-28 17:49 . 2008-04-28 17:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-28 17:48 . 2008-04-28 17:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-28 17:09 . 2008-04-28 17:09 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-28 17:09 . 2008-04-28 17:09 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-28 17:09 . 2008-04-28 17:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-28 17:07 . 2008-04-28 17:07 <DIR> d-------- C:\Program Files\Common Files\Download Manager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-28 02:11 --------- d-----w C:\Program Files\PlayersOnly Poker
2008-04-27 07:53 --------- d-----w C:\Program Files\World of Warcraft
2008-04-27 05:39 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-03 00:56 --------- d-----w C:\Program Files\UOAM
2008-04-03 00:56 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-03 00:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-03 00:53 --------- d-----w C:\Documents and Settings\Owner\Application Data\IGN_DLM
2008-03-26 13:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
2008-03-19 22:39 --------- d-----w C:\Program Files\Java
2008-03-01 20:25 --------- d-----w C:\Program Files\Razor
2004-07-22 16:51 3,432,656 -c--a-w C:\Program Files\ManagedDX.CAB
2004-07-20 04:58 1,156,363 -c--a-w C:\Program Files\BDANT.cab
2004-07-20 04:53 976,020 -c--a-w C:\Program Files\BDAXP.cab
2004-07-09 20:17 13,265,040 -c--a-w C:\Program Files\dxnt.cab
2004-07-09 15:13 703,080 -c--a-w C:\Program Files\BDA.cab
2004-07-09 15:13 15,493,481 -c--a-w C:\Program Files\DirectX.cab
2004-07-09 10:08 472,576 -c--a-w C:\Program Files\dxsetup.exe
2004-07-09 10:08 2,242,560 -c--a-w C:\Program Files\dsetup32.dll
2004-07-09 09:03 62,976 -c--a-w C:\Program Files\DSETUP.dll
.

------- Sigcheck -------

  • 0

#4
DemolishedBySpyware

DemolishedBySpyware

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Sorry, I didn't mean to double post

Well, my desktop does not want to load automatically when I log on to my computer still (haven't tried in normal mode yet), but I can see all the pics on the internet now and it allowed me to turn my firewall on again!

Also, when I did what you suggested it removed the delextra file that continued recreating in C:/ every time I log in. Well, the application that was with delextra named "starts" is still there. It could possibly be the one making my desktop not load up instantly.

*Removed the Logs posted in message above*

Edited by DemolishedBySpyware, 29 April 2008 - 07:54 PM.

  • 0

#5
Lusitano

Lusitano

    Trusted Helper

  • Retired Staff
  • 508 posts
Hello

The ComboFix log is incomplete! Please post all the contents from ComboFix.

Thanks
  • 0

#6
DemolishedBySpyware

DemolishedBySpyware

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Sorry, I didn't see that it was incomplete. :)

Here ya go:

ComboFix 08-04-29.3 - Owner 2008-04-30 7:16:42.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.891 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-30 )))))))))))))))))))))))))))))))
.

2008-04-29 23:00 . 2008-04-29 23:00 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2008-04-29 23:00 . 2008-04-29 23:00 <DIR> d-------- C:\WINDOWS\system32\CatRoot
2008-04-29 21:15 . 2008-04-29 21:15 <DIR> d-------- C:\Program Files\Microsoft Games
2008-04-29 15:44 . 2008-04-29 15:44 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-29 15:41 . 2005-07-21 16:10 211 --ah----- C:\boot.ini.SAB
2008-04-29 15:29 . 2008-04-29 16:13 <DIR> d-------- C:\SDFix
2008-04-28 22:05 . 2008-04-28 22:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-28 17:49 . 2008-04-28 23:03 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-28 17:49 . 2008-04-28 17:49 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-04-28 17:49 . 2008-04-28 17:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-28 17:48 . 2008-04-28 17:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-28 17:09 . 2008-04-28 17:09 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-28 17:09 . 2008-04-28 17:09 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-28 17:09 . 2008-04-28 17:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-28 17:07 . 2008-04-28 17:07 <DIR> d-------- C:\Program Files\Common Files\Download Manager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-29 21:49 --------- d-----w C:\Program Files\Razor
2008-04-29 21:46 --------- d-----w C:\Program Files\America's Army
2008-04-28 02:11 --------- d-----w C:\Program Files\PlayersOnly Poker
2008-04-27 15:58 24,576 ----a-w C:\WINDOWS\system32\userinit.exe
2008-04-27 07:53 --------- d-----w C:\Program Files\World of Warcraft
2008-04-27 05:39 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-27 05:39 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-04-03 00:56 --------- d-----w C:\Program Files\UOAM
2008-04-03 00:56 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-03 00:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-03 00:53 --------- d-----w C:\Documents and Settings\Owner\Application Data\IGN_DLM
2008-03-26 13:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
2008-03-19 22:39 --------- d-----w C:\Program Files\Java
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2004-07-22 16:51 3,432,656 -c--a-w C:\Program Files\ManagedDX.CAB
2004-07-20 04:58 1,156,363 -c--a-w C:\Program Files\BDANT.cab
2004-07-20 04:53 976,020 -c--a-w C:\Program Files\BDAXP.cab
2004-07-09 20:17 13,265,040 -c--a-w C:\Program Files\dxnt.cab
2004-07-09 15:13 703,080 -c--a-w C:\Program Files\BDA.cab
2004-07-09 15:13 15,493,481 -c--a-w C:\Program Files\DirectX.cab
2004-07-09 10:08 472,576 -c--a-w C:\Program Files\dxsetup.exe
2004-07-09 10:08 2,242,560 -c--a-w C:\Program Files\dsetup32.dll
2004-07-09 09:03 62,976 -c--a-w C:\Program Files\DSETUP.dll
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((( snapshot@2008-04-29_16.18.54.65 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-02-17 17:19:58 53,248 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
+ 2008-04-30 04:00:30 53,248 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
- 2008-02-17 17:19:58 12,800 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
+ 2008-04-30 04:00:30 12,800 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
- 2008-02-17 17:19:58 473,600 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
+ 2008-04-30 04:00:30 473,600 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
- 2008-02-17 17:19:55 567,296 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-30 04:00:27 567,296 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-02-17 17:19:56 576,000 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-30 04:00:30 576,000 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-02-17 17:19:59 145,920 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
+ 2008-04-30 04:00:31 145,920 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
- 2008-02-17 17:19:59 159,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
+ 2008-04-30 04:00:31 159,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
- 2008-02-17 17:19:59 364,544 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
+ 2008-04-30 04:00:31 364,544 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
- 2008-02-17 17:20:00 178,176 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
+ 2008-04-30 04:00:31 178,176 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
- 2008-02-17 17:19:58 223,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
+ 2008-04-30 04:00:29 223,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
+ 2008-04-30 03:58:50 61,440 ----a-r C:\WINDOWS\Installer\{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}\ARPPRODUCTICON.exe
+ 2008-04-30 02:34:03 1,230,336 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.1.0.0_x-ww_b319d8da\msxml4.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-06-06 10:45 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-06-06 10:41 118784]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 17:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 13:58 73728 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-05 20:05 2550272 C:\WINDOWS\ALCWZRD.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-12 02:17 282624]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
"Winjava vil"="sys32.exe" []

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\AlienGUIse\fastload.dll 2001-12-21 00:34 24576 C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\iyr03.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\winver.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:*:Disabled:EarthLink UHP Modem Support
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:*:Disabled:Blizzard Downloader
"6112:TCP"= 6112:TCP:*:Disabled:Blizzard Downloader
"8086:TCP"= 8086:TCP:*:Disabled:WoW
"8087:TCP"= 8087:TCP:*:Disabled:wow 2
"9081:TCP"= 9081:TCP:*:Disabled:wow 3
"9090:TCP"= 9090:TCP:*:Disabled:wow 4
"9097:TCP"= 9097:TCP:*:Disabled:wow 5
"9100:TCP"= 9100:TCP:*:Disabled:wow 6

S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4c1c9aec-6009-11dc-ac8a-0011d8edfd91}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abb44144-bb82-11d9-a5d3-806d6172696f}]
\Shell\AutoRun\command - E:\Bin\Assetup.exe

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}]
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\sys32.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 07:17:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-30 7:18:16
ComboFix-quarantined-files.txt 2008-04-30 12:18:14
ComboFix2.txt 2008-04-29 21:19:07

Pre-Run: 69,008,719,872 bytes free
Post-Run: 69,008,695,296 bytes free

237 --- E O F --- 2008-04-14 23:40:43
  • 0
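Reading the "Reg Loading Points" part of a ComboFix log is something the helpers on this board do by eye. As an added illustration (not part of this thread and not ComboFix's own code), the Python script below picks out of that section the entries that usually deserve a second look: Run values ComboFix could not find a file for, a populated AppInit_DLLs, an entry registered under SafeBoot\Minimal, AntiVirusOverride set, firewall notifications disabled, removable-media AutoRun commands, and Active Setup components, with a higher severity when the target sits in RECYCLER or a Temp folder. The sample log is constructed from entries in the logs posted in this thread; the function names and the severities are the example's own choices, not anything ComboFix itself reports.

```python
"""Triage of the "Reg Loading Points" section of a ComboFix log.

Added example for this thread; it is not ComboFix's code. The rules and the
severities are this example's own assumptions about which autostart locations
deserve a second look, roughly in the order a helper checks them.
"""
import re
from typing import Dict, List, Tuple

# (severity, registry key, reason)
Finding = Tuple[str, str, str]

# Constructed sample: entries copied from the ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-06-06 10:45 155648]
"Winjava vil"="sys32.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\iyr03.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4c1c9aec-6009-11dc-ac8a-0011d8edfd91}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}]
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\sys32.exe
"""

# ComboFix prints Run values as "name"="target" [date time size ...]; an empty
# bracket means it found no file details for the target.
RUN_VALUE = re.compile(r'"([^"]+)"="([^"]*)"\s*\[(.*)\]')


def parse_reg_sections(text: str) -> List[Tuple[str, List[str]]]:
    """Split REGEDIT4-style output into (key, value-lines) sections."""
    sections: List[Tuple[str, List[str]]] = []
    key = None
    values: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            if key is not None:
                sections.append((key, values))
            key, values = line[1:-1], []
        elif key is not None:
            values.append(line)
    if key is not None:
        sections.append((key, values))
    return sections


def triage(sections: List[Tuple[str, List[str]]]) -> List[Finding]:
    """Apply the example's review rules to each section (severities are assumptions)."""
    findings: List[Finding] = []
    for key, values in sections:
        k = key.lower()
        if k.endswith("\\currentversion\\run") or k.endswith("\\currentversion\\runonce"):
            for v in values:
                m = RUN_VALUE.match(v)
                if m and not m.group(3).strip():
                    findings.append(("high", key,
                                     f'Run value "{m.group(1)}" -> {m.group(2)}: no file details found'))
        elif k.endswith("windows nt\\currentversion\\windows"):
            for v in values:
                m = re.match(r'"appinit_dlls"\s*=\s*(\S+)', v, re.I)
                if m:  # a populated AppInit_DLLs is loaded into every user32 process
                    findings.append(("high", key, f"AppInit_DLLs loads {m.group(1)} into every GUI process"))
        elif "\\safeboot\\minimal\\" in k:
            findings.append(("medium", key, "entry allowed to load in Safe Mode: " + key.rsplit("\\", 1)[-1]))
        elif k.endswith("\\security center"):
            for v in values:
                if re.match(r'"antivirusoverride"\s*=\s*dword:0*1$', v, re.I):
                    findings.append(("high", key, "AntiVirusOverride=1 silences the Security Center antivirus warning"))
        elif "firewallpolicy" in k and k.endswith("\\standardprofile"):
            for v in values:
                if re.match(r'"disablenotifications"\s*=\s*1\b', v, re.I):
                    findings.append(("medium", key, "Windows Firewall notifications disabled"))
        elif "\\mountpoints2\\" in k:
            for v in values:
                if "autorun" in v.lower():  # often a legitimate U3/installer stick; review, don't assume
                    findings.append(("low", key, "removable-media AutoRun command: " + v.split(" - ", 1)[-1]))
        elif "active setup\\installed components\\" in k:
            for v in values:
                sev = "high" if re.search(r"\\(recycler|temp)\\", v, re.I) else "medium"
                findings.append((sev, key, "Active Setup runs this once per user at logon: " + v))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity."""
    counts: Dict[str, int] = {"high": 0, "medium": 0, "low": 0}
    for sev, _, _ in findings:
        counts[sev] += 1
    return counts


def triage_log(text: str) -> List[Finding]:
    return triage(parse_reg_sections(text))


if __name__ == "__main__":
    for sev, key, reason in triage_log(SAMPLE_LOG):
        print(f"[{sev:<6}] {reason}\n         {key}")
    print(summarize(triage_log(SAMPLE_LOG)))
```

Run against the sample, the script flags seven entries and leaves the IgfxTray value alone; the U3 AutoRun command is reported at low severity because such entries are usually a legitimate USB launcher, which is why the reason text says to review it rather than treat it as malicious.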

#7
Lusitano

Lusitano

    Trusted Helper

  • Retired Staff
  • 508 posts
Hello

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System


Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Please do an online scan with Kaspersky WebScanner

Click on Posted Image

You will be prompted to install an ActiveX component from Kaspersky. Click Posted Image
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on Posted Image
  • Now click on Posted Image
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click Posted Image
  • Now under Select a target to scan: select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post, along with a new HijackThis log. Also let me know how your computer is running.

  • 0

#8
DemolishedBySpyware

DemolishedBySpyware

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Log from ComboFix

ComboFix 08-04-29.3 - Owner 2008-04-30 13:44:53.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.878 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-30 )))))))))))))))))))))))))))))))
.

2008-04-30 11:35 . 2008-04-30 11:35 <DIR> d-------- C:\Program Files\LimeWire
2008-04-30 11:35 . 2008-04-30 12:11 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2008-04-30 07:35 . 2008-04-30 07:35 <DIR> d-------- C:\Program Files\DNA
2008-04-30 07:35 . 2008-04-30 07:35 <DIR> d-------- C:\Program Files\BitTorrent
2008-04-30 07:35 . 2008-04-30 13:45 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\DNA
2008-04-29 23:00 . 2008-04-30 07:17 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2008-04-29 23:00 . 2008-04-29 23:00 <DIR> d-------- C:\WINDOWS\system32\CatRoot
2008-04-29 21:15 . 2008-04-29 21:15 <DIR> d-------- C:\Program Files\Microsoft Games
2008-04-29 15:44 . 2008-04-29 15:44 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-29 15:41 . 2005-07-21 16:10 211 --ah----- C:\boot.ini.SAB
2008-04-29 15:29 . 2008-04-29 16:13 <DIR> d-------- C:\SDFix
2008-04-28 22:05 . 2008-04-28 22:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-28 17:49 . 2008-04-28 23:03 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-28 17:49 . 2008-04-28 17:49 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-04-28 17:49 . 2008-04-28 17:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-28 17:48 . 2008-04-28 17:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-28 17:09 . 2008-04-28 17:09 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-28 17:09 . 2008-04-28 17:09 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-28 17:09 . 2008-04-28 17:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-28 17:07 . 2008-04-28 17:07 <DIR> d-------- C:\Program Files\Common Files\Download Manager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-30 13:10 --------- d-----w C:\Documents and Settings\Owner\Application Data\BitTorrent
2008-04-29 21:49 --------- d-----w C:\Program Files\Razor
2008-04-29 21:46 --------- d-----w C:\Program Files\America's Army
2008-04-28 02:11 --------- d-----w C:\Program Files\PlayersOnly Poker
2008-04-27 15:58 24,576 ----a-w C:\WINDOWS\system32\userinit.exe
2008-04-27 07:53 --------- d-----w C:\Program Files\World of Warcraft
2008-04-27 05:39 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-27 05:39 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-04-03 00:56 --------- d-----w C:\Program Files\UOAM
2008-04-03 00:56 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-03 00:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-03 00:53 --------- d-----w C:\Documents and Settings\Owner\Application Data\IGN_DLM
2008-03-26 13:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
2008-03-19 22:39 --------- d-----w C:\Program Files\Java
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2004-07-22 16:51 3,432,656 -c--a-w C:\Program Files\ManagedDX.CAB
2004-07-20 04:58 1,156,363 -c--a-w C:\Program Files\BDANT.cab
2004-07-20 04:53 976,020 -c--a-w C:\Program Files\BDAXP.cab
2004-07-09 20:17 13,265,040 -c--a-w C:\Program Files\dxnt.cab
2004-07-09 15:13 703,080 -c--a-w C:\Program Files\BDA.cab
2004-07-09 15:13 15,493,481 -c--a-w C:\Program Files\DirectX.cab
2004-07-09 10:08 472,576 -c--a-w C:\Program Files\dxsetup.exe
2004-07-09 10:08 2,242,560 -c--a-w C:\Program Files\dsetup32.dll
2004-07-09 09:03 62,976 -c--a-w C:\Program Files\DSETUP.dll
.

------- Sigcheck -------

2004-08-04 07:00 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe
2004-08-04 07:00 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\dllcache\svchost.exe

2005-03-02 13:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 10:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
2004-08-04 07:00 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
2005-03-02 13:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
2007-03-08 10:36 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\system32\user32.dll
2007-03-08 10:36 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\system32\dllcache\user32.dll

2004-08-04 07:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll
2004-08-04 07:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\dllcache\ws2_32.dll

2004-09-29 13:27 656896 2c07195588d69a067c2afdaa31759295 C:\WINDOWS\$hf_mig$\KB834707\SP2QFE\wininet.dll
2005-01-27 12:08 657920 a8eac5330876548e9966a7d13025d196 C:\WINDOWS\$hf_mig$\KB867282\SP2QFE\wininet.dll
2005-05-02 15:57 658944 e1e18136f9dd3df1ad9c82193a5898a6 C:\WINDOWS\$hf_mig$\KB883939\SP2QFE\wininet.dll
2005-09-02 18:53 660480 97a6fd7cafd688cf2c78939ebaf0cd0c C:\WINDOWS\$hf_mig$\KB896688\SP2QFE\wininet.dll
2005-07-02 21:09 659456 6e533d155b259eb2363d3e04b5be309f C:\WINDOWS\$hf_mig$\KB896727\SP2QFE\wininet.dll
2005-10-20 22:38 661504 af785c4947676a7fc1673fdc5c8d0b5b C:\WINDOWS\$hf_mig$\KB905915\SP2QFE\wininet.dll
2006-03-03 22:58 663552 c0845ecbf4f9164e618ee381b79c9032 C:\WINDOWS\$hf_mig$\KB912812\SP2QFE\wininet.dll
2006-05-10 00:25 663552 d94cffdb53e7ac867438e2dfd50e7cbc C:\WINDOWS\$hf_mig$\KB916281\SP2QFE\wininet.dll
2006-06-23 06:25 664576 64ce26db72810b30f7855ea51e1df836 C:\WINDOWS\$hf_mig$\KB918899\SP2QFE\wininet.dll
2006-09-14 03:31 664576 d207370287cf769aebebf03837784963 C:\WINDOWS\$hf_mig$\KB922760\SP2QFE\wininet.dll
2007-03-07 12:40 823296 b8f4db39ca7353752f245379d285c80e C:\WINDOWS\$hf_mig$\KB931768-IE7\SP2QFE\wininet.dll
2007-04-25 04:08 823808 431defbb4a3d7b0dc062c1b064623a2f C:\WINDOWS\$hf_mig$\KB933566-IE7\SP2QFE\wininet.dll
2007-06-27 09:40 824320 d6ed5e042c5207553e7f5e842918137f C:\WINDOWS\$hf_mig$\KB937143-IE7\SP2QFE\wininet.dll
2007-08-20 05:02 825344 357d54bf94fe9d6d8505a96b5c2a3bca C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\wininet.dll
2007-10-10 18:47 825344 0e5d918f87efa7d2424d66b499c7eb04 C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
2007-12-06 21:01 825344 b5b411bb229ae6ead7652a32ed47bfb9 C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
2008-03-01 08:03 827392 6316c2f0c61271c8abdff7429174879e C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
2005-01-27 12:13 656896 b5e043e440b210014e021b24cf0a72e3 C:\WINDOWS\$NtUninstallKB883939$\wininet.dll
2005-07-02 21:11 658432 5b5ff992c0fa762ccf8655fc290e6e52 C:\WINDOWS\$NtUninstallKB896688$\wininet.dll
2005-05-02 15:52 657920 1a078af3f85d10ba56444c23b3a18e74 C:\WINDOWS\$NtUninstallKB896727$\wininet.dll
2005-09-02 18:52 658432 af61ebb1f550175eff406d545d6ab086 C:\WINDOWS\$NtUninstallKB905915$\wininet.dll
2005-10-20 22:39 658432 e7b27b6b6e06ce34ea019fd8b858c613 C:\WINDOWS\$NtUninstallKB912812$\wininet.dll
2006-03-03 22:33 658432 1c0979c7a489bee573cd0bf4ad94bb06 C:\WINDOWS\$NtUninstallKB916281$\wininet.dll
2006-05-10 00:23 658432 38ab7a56f566d9aaad31812494944824 C:\WINDOWS\$NtUninstallKB918899$\wininet.dll
2006-06-23 06:02 658944 2b4db890936430c71419037039502752 C:\WINDOWS\$NtUninstallKB922760$\wininet.dll
2006-09-14 03:39 658944 621af3f6174a3f60677f5230e28bcc07 C:\WINDOWS\ie7\wininet.dll
2006-11-07 22:03 818688 92995334f993e6e49c25c6d02ec04401 C:\WINDOWS\ie7updates\KB928090-IE7\wininet.dll
2007-01-12 10:27 822784 be43d00d802c92f01c8cc952c6f483f8 C:\WINDOWS\ie7updates\KB931768-IE7\wininet.dll
2007-03-07 12:45 822784 5b35dae6e4886f64d1da58c4e3e01eb9 C:\WINDOWS\ie7updates\KB933566-IE7\wininet.dll
2007-04-25 03:41 822784 0586a7f0b2fdb94d624f399d4728e7c8 C:\WINDOWS\ie7updates\KB937143-IE7\wininet.dll
2007-06-27 09:34 823808 8068cbb58fe60cc95aeb2cff70178208 C:\WINDOWS\ie7updates\KB939653-IE7\wininet.dll
2007-08-20 05:04 824832 774435e499d8e9643ec961a6103c361f C:\WINDOWS\ie7updates\KB942615-IE7\wininet.dll
2007-10-10 18:56 824832 30c1e0f34ad2972c72a01db5c74ab065 C:\WINDOWS\ie7updates\KB944533-IE7\wininet.dll
2007-12-06 21:21 824832 806d274c9a6c3aaea5eae8e4af841e04 C:\WINDOWS\ie7updates\KB947864-IE7\wininet.dll
2008-03-01 08:06 826368 ad21461aef8244edec2ef18e55e1dcf3 C:\WINDOWS\system32\wininet.dll
2008-03-01 08:06 826368 ad21461aef8244edec2ef18e55e1dcf3 C:\WINDOWS\system32\dllcache\wininet.dll

2005-05-25 14:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 12:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 07:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-04 07:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2005-05-25 14:04 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2006-01-12 21:28 359808 583e063fdc888ca30d05c2724b0d7ef4 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 06:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2007-10-30 12:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 12:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\drivers\tcpip.sys

2004-08-04 07:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe
2004-08-04 07:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\dllcache\winlogon.exe

2004-08-04 07:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\dllcache\ndis.sys
2004-08-04 07:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys

2004-08-04 07:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\dllcache\ip6fw.sys
2004-08-04 07:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys

2005-03-01 19:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2006-12-19 11:12 2059392 ba4b97c00a437c1cc3da365d93ee1e9d C:\WINDOWS\$hf_mig$\KB929338\SP2QFE\ntkrnlpa.exe
2007-02-28 04:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2004-08-04 07:00 2015232 fb142b7007ca2eea76966c6c5cc12150 C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-01 19:34 2015232 3cd941e472ddf3534e53038535719771 C:\WINDOWS\$NtUninstallKB929338$\ntkrnlpa.exe
2006-12-19 07:55 2015744 bbb2322eb14ad9ad55b1024ffd4d88bf C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
2007-02-28 03:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2007-02-28 03:38 2015744 a58ac1c6199ef34228abee7fc057ae09 C:\WINDOWS\system32\ntkrnlpa.exe
2007-02-28 03:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\system32\dllcache\ntkrnlpa.exe

2005-03-01 20:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2006-12-19 11:51 2182016 cef243f6defd20be4adde26c7ecacb54 C:\WINDOWS\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
2007-02-28 04:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2004-08-04 07:00 2148352 626309040459c3915997ef98ec1c8d40 C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-01 19:57 2135552 48b3e89af7074cee0314a3e0c7faffdb C:\WINDOWS\$NtUninstallKB929338$\ntoskrnl.exe
2006-12-19 09:15 2136064 8318ed54797f3e513fd5817a1d4bbd18 C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
2007-02-28 04:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2007-02-28 04:08 2136064 1220faf071dea8653ee21de7dcda8bfd C:\WINDOWS\system32\ntoskrnl.exe
2007-02-28 04:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\system32\dllcache\ntoskrnl.exe

2007-06-13 05:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\explorer.exe
2007-06-13 06:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 07:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2007-06-13 05:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\system32\dllcache\explorer.exe

2004-08-04 07:00 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\ctfmon.exe
2004-08-04 07:00 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\dllcache\ctfmon.exe
.
((((((((((((((((((((((((((((( [email protected]_16.18.54.65 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-02-17 17:19:58 53,248 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
+ 2008-04-30 04:00:30 53,248 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
- 2008-02-17 17:19:58 12,800 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
+ 2008-04-30 04:00:30 12,800 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
- 2008-02-17 17:19:58 473,600 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
+ 2008-04-30 04:00:30 473,600 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
- 2008-02-17 17:19:55 567,296 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-30 04:00:27 567,296 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-02-17 17:19:56 576,000 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-30 04:00:30 576,000 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-02-17 17:19:59 145,920 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
+ 2008-04-30 04:00:31 145,920 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
- 2008-02-17 17:19:59 159,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
+ 2008-04-30 04:00:31 159,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
- 2008-02-17 17:19:59 364,544 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
+ 2008-04-30 04:00:31 364,544 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
- 2008-02-17 17:20:00 178,176 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
+ 2008-04-30 04:00:31 178,176 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
- 2008-02-17 17:19:58 223,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
+ 2008-04-30 04:00:29 223,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
+ 2008-04-30 03:58:50 61,440 ----a-r C:\WINDOWS\Installer\{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}\ARPPRODUCTICON.exe
+ 2008-03-25 02:32:44 218,496 ----a-r C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe
+ 2008-04-30 12:35:13 74,137 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
+ 2008-04-30 02:34:03 1,230,336 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.1.0.0_x-ww_b319d8da\msxml4.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-04-30 07:35 289088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-06-06 10:45 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-06-06 10:41 118784]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 17:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 13:58 73728 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-05 20:05 2550272 C:\WINDOWS\ALCWZRD.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-12 02:17 282624]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
"Winjava vil"="sys32.exe" []

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-04-18 14:21:09 147456]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\AlienGUIse\fastload.dll 2001-12-21 00:34 24576 C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\iyr03.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\winver.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:*:Disabled:EarthLink UHP Modem Support
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:*:Disabled:Blizzard Downloader
"6112:TCP"= 6112:TCP:*:Disabled:Blizzard Downloader
"8086:TCP"= 8086:TCP:*:Disabled:WoW
"8087:TCP"= 8087:TCP:*:Disabled:wow 2
"9081:TCP"= 9081:TCP:*:Disabled:wow 3
"9090:TCP"= 9090:TCP:*:Disabled:wow 4
"9097:TCP"= 9097:TCP:*:Disabled:wow 5
"9100:TCP"= 9100:TCP:*:Disabled:wow 6

S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4c1c9aec-6009-11dc-ac8a-0011d8edfd91}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abb44144-bb82-11d9-a5d3-806d6172696f}]
\Shell\AutoRun\command - E:\Bin\Assetup.exe

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}]
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\sys32.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 13:45:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-30 13:46:31
ComboFix-quarantined-files.txt 2008-04-30 18:46:29
ComboFix2.txt 2008-04-30 12:18:17
ComboFix3.txt 2008-04-29 21:19:07

Pre-Run: 68,885,274,624 bytes free
Post-Run: 68,873,621,504 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

258 --- E O F --- 2008-04-14 23:40:43


Log from Online Scan

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 30, 2008 8:10:43 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 30/04/2008
Kaspersky Anti-Virus database records: 733590
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 52246
Number of viruses found: 24
Number of infected objects: 101
Number of suspicious objects: 19
Duration of the scan process: 00:36:19

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.16336 Infected: Trojan-Downloader.Win32.Agent.lfo skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\53\1bea8ef5-219fccc9/Counter.class Infected: Trojan.Java.Femad skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\53\1bea8ef5-219fccc9/VerifierBug.class Infected: Trojan.Java.Femad skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\53\1bea8ef5-219fccc9/web.exe Infected: Trojan.Win32.LowZones.dn skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\53\1bea8ef5-219fccc9/Worker.class Infected: Trojan.Java.Femad skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\53\1bea8ef5-219fccc9/Xeyond.class Infected: Trojan.Java.Femad skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\53\1bea8ef5-219fccc9 ZIP: infected - 5 skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_219.wmdb Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_4ac.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_ca8.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_cb4.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF8340.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DFA615.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DFA620.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT.LOG Object is locked skipped
C:\SDFix\backups_old\delextra.exe Infected: Trojan-Clicker.Win32.VB.amx skipped
C:\SDFix\backups_old\lcss.exe Infected: Backdoor.Win32.DsBot.ox skipped
C:\SDFix\backups_old\sys32.exe Suspicious: Type_Win32 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP439\A0165339.dll Infected: Sniffer.Win32.WpePro.a skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP475\A0167155.exe Infected: Trojan-Downloader.Win32.Homles.bj skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP475\A0167176.exe/data.rar/keygen.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qqz skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP475\A0167176.exe/data.rar/patch.exe Infected: Trojan.Win32.Obfuscated.abi skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP475\A0167176.exe/data.rar/crack.exe Infected: Trojan-Downloader.Win32.Cryptic.ju skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP475\A0167176.exe/data.rar/install.exe Infected: Trojan-Downloader.Win32.Small.uuw skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP475\A0167176.exe/data.rar Infected: Trojan-Downloader.Win32.Small.uuw skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP475\A0167176.exe RarSFX: infected - 5 skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP475\A0167177.exe Infected: Trojan-Downloader.Win32.Cryptic.ju skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP475\A0167222.dll Infected: Trojan-Downloader.Win32.Small.uvt skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP475\A0167228.exe Infected: Worm.Win32.AutoRun.dmh skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP475\A0167229.exe Infected: Trojan-Clicker.Win32.VB.amx skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP475\A0167234.dll Infected: Trojan-Downloader.Win32.Small.uvt skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP475\A0167242.exe Infected: Worm.Win32.AutoRun.dmh skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP476\A0167248.exe Infected: Trojan-Downloader.Win32.Zlob.lps skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP476\A0167252.exe Infected: Trojan-Clicker.Win32.VB.amx skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP476\snapshot\MFEX-1.DAT Infected: Trojan-Downloader.Win32.Small.uvt skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP477\A0167257.dll Infected: Trojan-Downloader.Win32.Small.uvt skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP477\A0167258.exe Infected: Trojan-Clicker.Win32.VB.amx skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP477\A0167266.exe Infected: Trojan-Downloader.Win32.Homles.bj skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP477\A0167275.dll Infected: Trojan-Downloader.Win32.Small.uvt skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP477\A0167280.exe Infected: Trojan-Clicker.Win32.VB.amx skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP477\A0167281.dll Infected: Trojan-Downloader.Win32.Small.uvt skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP477\A0167284.dll Infected: Trojan-Downloader.Win32.Small.uvt skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP477\A0167290.exe Infected: Worm.Win32.AutoRun.dmh skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP477\A0167291.exe Infected: Trojan-Clicker.Win32.VB.amx skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP477\A0167293.dll Infected: Trojan-Downloader.Win32.Small.uvt skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP477\A0167298.exe Infected: Worm.Win32.AutoRun.dmh skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP477\A0167300.exe Infected: Trojan-Clicker.Win32.VB.amx skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP477\snapshot\MFEX-1.DAT Infected: Trojan-Downloader.Win32.Small.uvt skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP478\A0167302.exe Infected: Trojan-Clicker.Win32.VB.amx skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP478\A0167303.exe Infected: Worm.Win32.AutoRun.dmh skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP478\A0167304.exe Suspicious: Type_Win32 skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP478\A0167306.exe Infected: Worm.Win32.AutoRun.dmh skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP478\A0167334.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qqz skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP478\A0167338.exe Infected: Trojan-Downloader.Win32.Homles.bj skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP478\A0167339.exe Infected: Trojan-Clicker.Win32.VB.amx skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP478\A0167344.exe Infected: Worm.Win32.AutoRun.dmh skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP478\A0167388.exe Infected: Trojan-Clicker.Win32.VB.amx skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP478\A0167389.dll Infected: Trojan-Downloader.Win32.Small.uvt skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP478\A0167395.exe Infected: Worm.Win32.AutoRun.dmh skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP478\A0167396.exe Suspicious: Type_Win32 skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP478\A0167397.exe Infected: Trojan-Clicker.Win32.VB.amx skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP478\A0167399.dll Infected: Trojan-Downloader.Win32.Small.uvt skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP478\A0167403.exe Suspicious: Type_Win32 skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP478\A0167407.dll Infected: Trojan-Downloader.Win32.Small.uvt skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP478\A0167412.exe Suspicious: Type_Win32 skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP478\A0167413.exe Infected: Trojan-Clicker.Win32.VB.amx skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP478\A0167418.exe Infected: Trojan-Downloader.Win32.Zlob.lps skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP478\A0167423.dll Infected: Trojan-Downloader.Win32.Small.uvt skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP478\A0167430.exe Infected: Trojan-Downloader.Win32.Zlob.lps skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP478\snapshot\MFEX-1.DAT Infected: Trojan-Downloader.Win32.Small.uvt skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167479.exe Infected: Trojan.Win32.Qhost.aly skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167480.exe Infected: Worm.Win32.AutoRun.dmh skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167481.exe Infected: Trojan.Win32.Qhost.aly skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167482.exe Infected: Trojan-Clicker.Win32.VB.amx skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167483.exe Infected: Trojan-Downloader.Win32.Homles.bj skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167484.exe Infected: Worm.Win32.AutoRun.dmh skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167485.exe Infected: Worm.Win32.Socks.fg skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167486.exe Infected: Trojan-Clicker.Win32.VB.amx skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167487.exe Suspicious: Type_Win32 skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167488.exe Suspicious: Type_Win32 skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167489.exe Infected: Worm.Win32.AutoRun.dmh skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167490.exe Infected: Trojan-Clicker.Win32.VB.amx skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167492.exe Infected: Trojan-Clicker.Win32.VB.amx skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167493.exe Infected: Trojan.Win32.Pakes.ctm skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167495.exe Suspicious: Type_Win32 skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167496.exe Infected: Trojan.Win32.Qhost.aly skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167499.exe Infected: Trojan.Win32.Qhost.aly skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167500.exe Suspicious: Type_Win32 skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167501.exe Infected: Worm.Win32.AutoRun.dmh skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167502.exe Infected: Trojan-Downloader.Win32.Agent.ncd skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167749.exe Infected: Trojan-Downloader.Win32.Zlob.lps skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167755.exe Infected: Trojan.Win32.Qhost.aly skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167756.exe Infected: Worm.Win32.Socks.fg skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167757.exe Infected: Trojan-Clicker.Win32.VB.amx skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167758.exe Suspicious: Type_Win32 skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167759.exe Infected: not-virus:Hoax.Win32.Gavec.bn skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167760.exe Infected: Trojan.Win32.Obfuscated.abi skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167761.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qqz skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167771.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mcg skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167772.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mcg skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167773.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mcg skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167774.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qqz skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167775.exe Infected: Worm.Win32.Socks.fg skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167776.exe Infected: Backdoor.Win32.SpyBoter.gy skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167781.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qqz skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167783.dll Infected: Trojan-Downloader.Win32.Small.uvt skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167789.dll Infected: Trojan-Downloader.Win32.Small.uvt skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167797.exe Suspicious: Type_Win32 skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167799.exe Suspicious: Type_Win32 skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP479\A0167800.exe Infected: Trojan-Clicker.Win32.VB.amx skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP480\A0167811.exe Infected: Trojan-Clicker.Win32.VB.amx skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP480\A0167812.exe Infected: Trojan-Clicker.Win32.VB.amx skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP480\A0167815.exe Infected: Worm.Win32.AutoRun.dmh skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP480\snapshot\MFEX-1.DAT Infected: Trojan-Downloader.Win32.Small.uvt skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP481\A0167817.exe Infected: Trojan-Clicker.Win32.VB.amx skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP481\A0167819.sys Infected: Trojan-Downloader.Win32.Agent.lxa skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP481\A0167831.exe Suspicious: Type_Win32 skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP481\A0167832.exe Infected: Trojan-Clicker.Win32.VB.amx skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP481\A0167839.exe Suspicious: Type_Win32 skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP481\A0167846.exe Suspicious: Type_Win32 skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP481\A0167854.exe Infected: Trojan-Clicker.Win32.VB.amx skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP481\A0167878.exe Infected: Trojan-Clicker.Win32.VB.amx skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP481\A0167879.exe Suspicious: Type_Win32 skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP481\A0167880.exe Infected: Backdoor.Win32.DsBot.ox skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP483\A0168311.exe Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP483\A0168324.exe Suspicious: Type_Win32 skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP483\A0168328.exe Suspicious: Type_Win32 skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP485\A0168469.exe Suspicious: Type_Win32 skipped
C:\System Volume Information\_restore{13CFB6F5-7827-4484-960D-A3C791EACE36}\RP485\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{0A9FCAE5-54B9-447D-8FF2-F2B3ED5CD6D9}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Log from HiJackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:13:17 PM, on 4/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = htpp://wpad.wildblue.com/wpad.dat
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Winjava vil] sys32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.fileplanet.com
O15 - Trusted Zone: http://*.runuo.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/c.../cpcScanner.cab
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 5189 bytes


My computer is still not loading my personalized settings/desktop automatically. I have to open Task Manager, select New Task and open something like explorer.exe, for example, and then it pops a box up saying "loading personalized settings" and then the desktop appears.
  • 0

#9
Lusitano

    Trusted Helper

  • Retired Staff
  • 508 posts
Hi,

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.


Now, close any open browsers.
  • Open notepad and copy/paste the text in the quotebox below into it:
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Winjava vil"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4c1c9aec-6009-11dc-ac8a-0011d8edfd91}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abb44144-bb82-11d9-a5d3-806d6172696f}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}]
File::
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\sys32.exe
IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Save this as CFScript.txt, in the same location as ComboFix.exe
    Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Post it along with a new HijackThis log.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Do you have a valid XP CD?

If so, place it in your CD ROM drive and follow the instructions below:
  • Click on START-->RUN and type sfc /scannow (note the space) (Let this run undisturbed until the window with the blue progress bar goes away)

SFC, which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.

If you want to see what was replaced, right-click My Computer and click on Manage. In the new window that appears, expand the Event Viewer (by clicking on the + symbol next to it) and then click on System.


Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 6...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "English".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.

Post the results from ComboFix and let me know how your computer is running.

Edited by Lusitano, 02 May 2008 - 03:36 AM.

  • 0
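One way to do by script the check the CFScript above encodes by hand, as an added example that is not part of this thread and not code from HijackThis or ComboFix: parse the O4 (Run-key) lines of a HijackThis log, single out entries that name a bare executable with no directory, and cross-reference those against the log's own "Running processes" list so that only entries with no known on-disk location are left for manual review. The sample lines are copied from the HijackThis log posted above; the verdict labels and helper names are my own.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample input: a trimmed excerpt of the HijackThis log posted in the
# thread (the "Running processes:" block and a few O4 lines), copied verbatim.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Winjava vil] sys32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# HijackThis O4 line for a registry Run value: "O4 - <hive>\..\Run: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


class Finding(NamedTuple):
    hive: str
    name: str                 # the Run value name, e.g. "Winjava vil"
    image: str                # the executable part of the command
    verdict: str              # "path-ok" | "bare-seen-running" | "bare-unresolved" (my labels)
    resolved: Optional[str]   # full path we could tie the image to, if any


def image_of(cmd: str) -> str:
    """Return the executable part of a Run-key command, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def has_directory(image: str) -> bool:
    """A command with no directory component is located by the loader's search
    order at run time, so the name alone does not tell you which file runs."""
    return "\\" in image or "/" in image or ":" in image


def parse_processes(log: str) -> Dict[str, str]:
    """Map lower-cased basename -> full path from the 'Running processes:' block."""
    procs: Dict[str, str] = {}
    in_block = False
    for line in log.splitlines():
        if line.strip() == "Running processes:":
            in_block = True
            continue
        if in_block:
            if not line.strip():
                break  # a blank line ends the block
            path = line.strip()
            procs[path.rsplit("\\", 1)[-1].lower()] = path
    return procs


def triage(log: str) -> List[Finding]:
    """Classify every O4 Run entry; bare images are resolved against the process list."""
    procs = parse_processes(log)
    findings: List[Finding] = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        image = image_of(m["cmd"])
        if has_directory(image):
            findings.append(Finding(m["hive"], m["name"], image, "path-ok", image))
            continue
        seen = procs.get(image.lower())
        verdict = "bare-seen-running" if seen else "bare-unresolved"
        findings.append(Finding(m["hive"], m["name"], image, verdict, seen))
    return findings


def unresolved(log: str) -> List[str]:
    """Value names that still need a manual look: bare image, no path seen anywhere.
    This is a review queue, not a malware verdict. In the thread's log the legitimate
    Realtek shortcut entry lands here as well, alongside the "Winjava vil" entry that
    the helper's CFScript removes."""
    return [f.name for f in triage(log) if f.verdict == "bare-unresolved"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.verdict:18} {f.hive} [{f.name}] {f.image} -> {f.resolved}")
```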

#10
DemolishedBySpyware

    Member

  • Topic Starter
  • Member
  • 10 posts
The only XP CD I have is the Alienware Microsoft Windows XP Professional >> Recovery CD-ROM Intel ICH5R/ICH6R r.1.4 and I can't get it to load in my DVD-ROM correctly to boot up. So, I was unable to do the sfc /scannow like you told me to do.

Here's the ComboFix log
ComboFix 08-04-29.3 - Owner 2008-05-02 15:09:57.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.922 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\sys32.exe
.

((((((((((((((((((((((((( Files Created from 2008-04-02 to 2008-05-02 )))))))))))))))))))))))))))))))
.

2008-04-30 13:59 . 2008-04-30 13:59 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-30 13:59 . 2008-04-30 13:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-30 11:35 . 2008-04-30 11:35 <DIR> d-------- C:\Program Files\LimeWire
2008-04-30 11:35 . 2008-05-02 14:57 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2008-04-30 07:35 . 2008-04-30 07:35 <DIR> d-------- C:\Program Files\DNA
2008-04-30 07:35 . 2008-04-30 07:35 <DIR> d-------- C:\Program Files\BitTorrent
2008-04-30 07:35 . 2008-05-02 15:06 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\DNA
2008-04-29 23:00 . 2008-04-30 22:20 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2008-04-29 23:00 . 2008-04-29 23:00 <DIR> d-------- C:\WINDOWS\system32\CatRoot
2008-04-29 21:15 . 2008-04-29 21:15 <DIR> d-------- C:\Program Files\Microsoft Games
2008-04-29 15:44 . 2008-04-29 15:44 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-29 15:41 . 2005-07-21 16:10 211 --ah----- C:\boot.ini.SAB
2008-04-29 15:29 . 2008-05-02 15:07 <DIR> d-------- C:\SDFix
2008-04-28 22:05 . 2008-04-28 22:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-28 17:49 . 2008-05-02 15:00 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-28 17:49 . 2008-04-28 17:49 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-04-28 17:49 . 2008-04-28 17:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-28 17:48 . 2008-04-28 17:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-28 17:09 . 2008-04-28 17:09 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-28 17:09 . 2008-04-28 17:09 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-28 17:09 . 2008-04-28 17:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-28 17:07 . 2008-04-28 17:07 <DIR> d-------- C:\Program Files\Common Files\Download Manager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-30 13:10 --------- d-----w C:\Documents and Settings\Owner\Application Data\BitTorrent
2008-04-29 21:49 --------- d-----w C:\Program Files\Razor
2008-04-29 21:46 --------- d-----w C:\Program Files\America's Army
2008-04-28 02:11 --------- d-----w C:\Program Files\PlayersOnly Poker
2008-04-27 15:58 24,576 ----a-w C:\WINDOWS\system32\userinit.exe
2008-04-27 07:53 --------- d-----w C:\Program Files\World of Warcraft
2008-04-27 05:39 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-27 05:39 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-04-03 00:56 --------- d-----w C:\Program Files\UOAM
2008-04-03 00:56 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-03 00:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-03 00:53 --------- d-----w C:\Documents and Settings\Owner\Application Data\IGN_DLM
2008-03-26 13:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
2008-03-19 22:39 --------- d-----w C:\Program Files\Java
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2004-07-22 16:51 3,432,656 -c--a-w C:\Program Files\ManagedDX.CAB
2004-07-20 04:58 1,156,363 -c--a-w C:\Program Files\BDANT.cab
2004-07-20 04:53 976,020 -c--a-w C:\Program Files\BDAXP.cab
2004-07-09 20:17 13,265,040 -c--a-w C:\Program Files\dxnt.cab
2004-07-09 15:13 703,080 -c--a-w C:\Program Files\BDA.cab
2004-07-09 15:13 15,493,481 -c--a-w C:\Program Files\DirectX.cab
2004-07-09 10:08 472,576 -c--a-w C:\Program Files\dxsetup.exe
2004-07-09 10:08 2,242,560 -c--a-w C:\Program Files\dsetup32.dll
2004-07-09 09:03 62,976 -c--a-w C:\Program Files\DSETUP.dll
.

------- Sigcheck -------

2004-08-04 07:00 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe
2004-08-04 07:00 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\dllcache\svchost.exe

2005-03-02 13:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 10:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
2004-08-04 07:00 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
.
((((((((((((((((((((((((((((( [email protected]_16.18.54.65 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-02-17 17:19:58 53,248 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
+ 2008-04-30 04:00:30 53,248 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
- 2008-02-17 17:19:58 12,800 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
+ 2008-04-30 04:00:30 12,800 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
- 2008-02-17 17:19:58 473,600 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
+ 2008-04-30 04:00:30 473,600 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
- 2008-02-17 17:19:55 567,296 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-30 04:00:27 567,296 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-02-17 17:19:56 576,000 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-04-30 04:00:30 576,000 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-02-17 17:19:59 145,920 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
+ 2008-04-30 04:00:31 145,920 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
- 2008-02-17 17:19:59 159,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
+ 2008-04-30 04:00:31 159,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
- 2008-02-17 17:19:59 364,544 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
+ 2008-04-30 04:00:31 364,544 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
- 2008-02-17 17:20:00 178,176 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
+ 2008-04-30 04:00:31 178,176 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
- 2008-02-17 17:19:58 223,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
+ 2008-04-30 04:00:29 223,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
+ 2008-04-30 03:58:50 61,440 ----a-r C:\WINDOWS\Installer\{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}\ARPPRODUCTICON.exe
+ 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2008-03-25 02:32:44 218,496 ----a-r C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe
+ 2008-04-30 12:35:13 74,137 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
+ 2008-04-30 02:34:03 1,230,336 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.1.0.0_x-ww_b319d8da\msxml4.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-04-30 07:35 289088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-06-06 10:45 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-06-06 10:41 118784]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 17:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 13:58 73728 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-05 20:05 2550272 C:\WINDOWS\ALCWZRD.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-12 02:17 282624]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-04-18 14:21:09 147456]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\AlienGUIse\fastload.dll 2001-12-21 00:34 24576 C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\iyr03.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\winver.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:*:Disabled:EarthLink UHP Modem Support
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:*:Disabled:Blizzard Downloader
"6112:TCP"= 6112:TCP:*:Disabled:Blizzard Downloader
"8086:TCP"= 8086:TCP:*:Disabled:WoW
"8087:TCP"= 8087:TCP:*:Disabled:wow 2
"9081:TCP"= 9081:TCP:*:Disabled:wow 3
"9090:TCP"= 9090:TCP:*:Disabled:wow 4
"9097:TCP"= 9097:TCP:*:Disabled:wow 5
"9100:TCP"= 9100:TCP:*:Disabled:wow 6

S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys []

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-02 15:11:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-02 15:12:08
ComboFix-quarantined-files.txt 2008-05-02 20:12:06
ComboFix2.txt 2008-04-30 12:18:17
ComboFix3.txt 2008-04-29 21:19:07

Pre-Run: 68,781,797,376 bytes free
Post-Run: 68,794,994,688 bytes free

249 --- E O F --- 2008-04-14 23:40:43


Here is the HiJackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:12:52 PM, on 5/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = htpp://wpad.wildblue.com/wpad.dat
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.fileplanet.com
O15 - Trusted Zone: http://*.runuo.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/c.../cpcScanner.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 4898 bytes


Computer is still not loading automatically when I log on. I did update Java and thanks for the tip on keeping things like that updated. I didn't know they could use old versions of things against me.
  • 0


#11
Lusitano

    Trusted Helper

  • Retired Staff
  • 508 posts
Hi, we need a new online scan.

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy and paste the entire report into your next reply, along with a new HijackThis log.

  • 0

#12
DemolishedBySpyware

    Member

  • Topic Starter
  • Member
  • 10 posts
Sorry that I haven't been on in a little while. Work got really busy, but I'm back again :) Thank you for all the help you're giving me. My computer is still having some problems, but it's getting better as we go. Here are the two logs:

F-Secure Online Scanner Log

Scanning Report
Wednesday, May 07, 2008 23:03:59 - 07:30:11
Computer name: OWNER-EC61DD448
Scanning type: Scan system for malware, rootkits
Target: C:\


--------------------------------------------------------------------------------

Result: 17 malware found
Backdoor.Win32.DsBot (virus)
System
Backdoor.Win32.DsBot.ox (virus)
C:\RASE.EXE
C:\WINDOWS\SYSTEM32\LCSS.EXE
C:\SDFIX\BACKUPS_OLD\LCSS.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\YZ66R6YJ\RASER[1].EXE (Renamed)
Redirected hosts file (spyware)
System
Tracking Cookie (spyware)
System
Trojan-Clicker.Win32.VB (virus)
System
Trojan-Clicker.Win32.VB.amx (virus)
C:\DELEXTRA.EXE
C:\SDFIX\BACKUPS_OLD\DELEXTRA.EXE (Renamed)
Trojan.Win32.Qhost (virus)
System
Trojan.Win32.Qhost.aei (virus)
C:\WINDOWS\HOSTS
C:\WINDOWS\SYSTEM32\DRIVERS\HOSTS (Renamed)
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
Worm.Win32.AutoRun (virus)
System
Worm.Win32.AutoRun.dor (virus)
C:\SDFIX\BACKUPS_OLD\SYS32.EXE (Renamed & Submitted)
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\SYS32.EXE (Renamed & Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 34497
System: 3266
Not scanned: 6
Actions:
Disinfected: 0
Renamed: 6
Deleted: 0
None: 11
Submitted: 3
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.30.0
F-Secure Blacklight: 1.0.68
F-Secure Hydra: 2.8.8110, 2008-05-08
F-Secure Pegasus: 1.20.0, 2008-02-28
F-Secure AVP: 7.0.171, 2008-05-08
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics


HiJackThis Log File


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:32:17 AM, on 5/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = htpp://wpad.wildblue.com/wpad.dat
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.fileplanet.com
O15 - Trusted Zone: http://*.runuo.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/c.../cpcScanner.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 5236 bytes
  • 0

#13
Lusitano

    Trusted Helper

  • Retired Staff
  • 508 posts
Good job, your logs are clean :)

Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to disable and re-enable System Restore here:

    Windows XP System Restore Guide

    Re-enable System Restore with the instructions from the tutorial above.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online and stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software, it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware and hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with this program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Read TonyKlein's good advice: So how did I get infected in the first place?

  • Also visit the Secunia Software Inspector

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop up windows.
  • Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

Glad I was able to help and please let me know if you still need assistance.
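The HOSTS mechanism described above is simple enough to audit yourself. The script below is an added example, not code from this thread or from the MVPS project: it parses a HOSTS file the way the Windows resolver reads it (blank lines, `#` comments, tabs, several hostnames per line) and separates blocking entries, which point a name at the local machine, from entries that send a name to some other address. The MVPS file only ever uses 127.0.0.1, so anything in the second group was put there by someone or something else and deserves a look. The example goes slightly beyond the post by also treating 0.0.0.0 and ::1 as blocking addresses. The sample HOSTS text is constructed for the example; the `example.*` names and the 203.0.113.5 address are reserved documentation values, not real sites.

```python
"""Audit a HOSTS file: separate loopback 'block' entries from other redirects.

Added example. On Windows the live file is %SystemRoot%\\System32\\drivers\\etc\\hosts,
which is the file the MVPS Hosts file replaces.
"""
import ipaddress
import sys
from dataclasses import dataclass, field

# Constructed sample, not any real machine's HOSTS file.
SAMPLE_HOSTS = """\
# constructed sample, not a real machine's file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net          # null-routed ad server
127.0.0.1       tracker.example.org banner.example.org
203.0.113.5     update.example.com       # non-loopback: review
this is not a hosts line
"""


@dataclass
class HostsAudit:
    blocked: dict = field(default_factory=dict)     # name -> loopback/0.0.0.0
    redirected: dict = field(default_factory=dict)  # name -> some other address
    malformed: list = field(default_factory=list)   # line numbers that did not parse


def parse_hosts(text):
    """Yield (line number, whitespace-split fields) for every non-comment line.

    A '#' starts a comment anywhere on the line; everything after it is dropped.
    """
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if line:
            yield lineno, line.split()


def audit_hosts(text, local_names=("localhost",)):
    """Classify every hostname in a HOSTS file.

    Loopback (127.x, ::1) and the unspecified address 0.0.0.0 make a name
    resolve to the local machine, which is how the MVPS file blocks ad and
    malware domains. Any other address is a real redirect and is reported
    separately so the owner can decide whether they added it.
    """
    audit = HostsAudit()
    for lineno, parts in parse_hosts(text):
        if len(parts) < 2:
            audit.malformed.append(lineno)
            continue
        addr, names = parts[0], parts[1:]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            audit.malformed.append(lineno)
            continue
        for name in names:
            name = name.lower()  # hostnames are case-insensitive
            if ip.is_loopback or ip.is_unspecified:
                if name in local_names:
                    continue  # the stock 'localhost' lines are expected
                audit.blocked[name] = addr
            else:
                audit.redirected[name] = addr
    return audit


def summarize(audit):
    """Return a short human-readable report of the audit."""
    lines = [f"{len(audit.blocked)} blocked name(s) pointing at the local machine"]
    if audit.redirected:
        lines.append("Entries that redirect to a non-local address (review these):")
        lines.extend(f"  {name} -> {addr}" for name, addr in sorted(audit.redirected.items()))
    if audit.malformed:
        lines.append("Lines that did not parse: " + ", ".join(map(str, audit.malformed)))
    return "\n".join(lines)


if __name__ == "__main__":
    # Pass a path to audit a real file; with no argument the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    print(summarize(audit_hosts(text)))
```

Run it with no arguments to see the sample classified; pass the path of your own HOSTS file to audit that instead. A long list of names pointing at 127.0.0.1 is exactly what the MVPS file looks like, while a handful of names sent to an outside address is the pattern worth questioning.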

#14
DemolishedBySpyware

    Member

  • Topic Starter
  • Member
  • 10 posts
My computer is still not loading automatically after I submit my password to log in and it's not letting me turn my firewall on.

#15
Lusitano

    Trusted Helper

  • Retired Staff
  • 508 posts
Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using it.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.
