
Keyloggers Et Al, Win8.exe etc, WinF.exe and many more [CLOSED]



#1 ZZ Zimm (Member, 10 posts)

Hi fellow geeks,

My wife and I left last week for separate business trips, leaving a 20-year-old and a 15-year-old at home by themselves (with the internet). We arrived home to find "Risky Business 2008."

No mangled house from excessive partying, but the computer is doing crazy things, like my desktop showing a background image that tells me I have spyware and need to install a spyware remover - this is a new one for me.

Please help; HijackThis log follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:17:06 PM, on 8/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [\Win8.exe] C:\Windows\system32\Win8.exe
O4 - HKLM\..\Run: [\WinB.exe] C:\Windows\system32\WinB.exe
O4 - HKLM\..\Run: [\WinC.exe] C:\Windows\system32\WinC.exe
O4 - HKLM\..\Run: [\WinD.exe] C:\Windows\system32\WinD.exe
O4 - HKLM\..\Run: [\WinF.exe] C:\Windows\system32\WinF.exe
O4 - HKLM\..\Run: [lphc5d9j0eeod] C:\WINDOWS\system32\lphc5d9j0eeod.exe
O4 - HKLM\..\Run: [SMrhc1d9j0eeod] C:\Program Files\rhc1d9j0eeod\rhc1d9j0eeod.exe
O4 - HKLM\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [\Win8.exe] C:\Windows\system32\Win8.exe
O4 - HKCU\..\Run: [\WinB.exe] C:\Windows\system32\WinB.exe
O4 - HKCU\..\Run: [\WinC.exe] C:\Windows\system32\WinC.exe
O4 - HKCU\..\Run: [\WinD.exe] C:\Windows\system32\WinD.exe
O4 - HKCU\..\Run: [\WinF.exe] C:\Windows\system32\WinF.exe
O4 - HKCU\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c3.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca....r/axscanner.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1189466180346
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1189466167778
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.aka...vex-2.2.1.6.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: NSsbdPDcr - {5B7790D4-F1DD-3A7E-476E-75E87751CB3C} - C:\WINDOWS\system32\mhgcb.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

--
End of file - 6417 bytes

#2 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)

Hi ZZ Zimm,

Welcome to geekstogo :)

I can see several infections in your log. Let's get started right away.


====STEP 1====
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.
====STEP 2====
If you have already downloaded ComboFix, could you delete the current version of ComboFix you have and then follow these instructions:

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet. (All the instructions for installing the Recovery Console are in the above link, but for more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.)

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**



In your next reply could I see:
1. the SDFix Report.txt log
2. the ComboFix log
3. a new HijackThis log

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk

#3 ZZ Zimm (Topic Starter, Member, 10 posts)

Thanks so much for your reply,

As I was going through the process I was not able to find my Windows XP disk to install the WinXP Recovery Console. Is there a link or workaround for it, as I cannot locate my CD anywhere?

Please advise, and thanks again for your help,

ZZ

#4 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)

Yes, if you follow the link provided to the ComboFix instructions (http://www.bleepingc...to-use-combofix), about a third of the way down the page is a section starting in bold with "If you use Windows XP and do not have the Windows CD", which guides you through downloading a file from Microsoft.

andrewuk

#5 ZZ Zimm (Topic Starter, Member, 10 posts)

Thanks again for your help. BTW, I did what the instructions said but the Recovery Console did not install - hope this did not mess anything up. Logs follow:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:29:34 AM, on 8/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca....r/axscanner.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1189466180346
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1189466167778
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.aka...vex-2.2.1.6.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: NSsbdPDcr - {5B7790D4-F1DD-3A7E-476E-75E87751CB3C} - C:\WINDOWS\system32\mhgcb.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

--
End of file - 5182 bytes
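As an added example (editor's code, not from the thread, HijackThis or SDFix), a small Python triage script for the two logs above: it parses the O4 Run entries, flags the patterns a helper looks for in them (value names beginning with a backslash, generic Win?.exe files in system32, random-looking file names, the same command registered in both HKLM and HKCU), diffs the before/after logs, and lists the O10/O20/O21 hook entries that an autorun cleanup leaves for manual review. The heuristics are derived from this thread's logs and are assumptions, not rules of either tool.

```python
"""Triage helpers for the HijackThis logs in this thread: flag suspicious O4
autorun entries, diff the before/after logs, and list the hook entries
(O10/O20/O21) that an autorun cleanup leaves behind.
Added example; not part of HijackThis, SDFix or the original posts."""
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass

# Constructed test input: a subset of lines from the first log (before SDFix)
# and the second log (after SDFix) posted above.
BEFORE = r"""
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [\Win8.exe] C:\Windows\system32\Win8.exe
O4 - HKLM\..\Run: [\WinB.exe] C:\Windows\system32\WinB.exe
O4 - HKLM\..\Run: [lphc5d9j0eeod] C:\WINDOWS\system32\lphc5d9j0eeod.exe
O4 - HKLM\..\Run: [SMrhc1d9j0eeod] C:\Program Files\rhc1d9j0eeod\rhc1d9j0eeod.exe
O4 - HKLM\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [\Win8.exe] C:\Windows\system32\Win8.exe
O4 - HKCU\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
O21 - SSODL: NSsbdPDcr - {5B7790D4-F1DD-3A7E-476E-75E87751CB3C} - C:\WINDOWS\system32\mhgcb.dll
"""
AFTER = r"""
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O21 - SSODL: NSsbdPDcr - {5B7790D4-F1DD-3A7E-476E-75E87751CB3C} - C:\WINDOWS\system32\mhgcb.dll
"""

O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$')
EXE_RE = re.compile(r'[^\\/"\s]+\.exe', re.IGNORECASE)
# Win8.exe / WinB.exe style names dropped into system32, as in the first log
GENERIC_WIN_RE = re.compile(r'^win[0-9a-z]\.exe$', re.IGNORECASE)


@dataclass(frozen=True)
class Autorun:
    hive: str      # HKLM or HKCU
    name: str      # registry value name as shown in [brackets]
    command: str   # command line run at logon


def parse_autoruns(log: str) -> list[Autorun]:
    """Extract the O4 HKLM/HKCU Run entries from HijackThis log text."""
    found = (O4_RE.match(ln.strip()) for ln in log.splitlines())
    return [Autorun(*m.groups()) for m in found if m]


def exe_name(command: str) -> str:
    """Basename of the executable in an O4 command (handles unquoted paths with spaces)."""
    m = EXE_RE.search(command)
    return m.group(0) if m else command.strip('"').rsplit('\\', 1)[-1]


def flag_autoruns(entries: list[Autorun]) -> dict[Autorun, list[str]]:
    """Map each suspicious entry to the reasons it was flagged (heuristics are assumptions)."""
    per_command = Counter(e.command.lower() for e in entries)
    flagged: dict[Autorun, list[str]] = {}
    for e in entries:
        exe = exe_name(e.command)
        stem = re.sub(r'\.exe$', '', exe, flags=re.IGNORECASE)
        reasons = []
        if e.name.startswith('\\'):
            reasons.append('value name begins with a backslash')
        if GENERIC_WIN_RE.match(exe) and 'system32' in e.command.lower():
            reasons.append('generic Win?.exe placed in system32')
        if len(stem) >= 10 and len(re.findall(r'\d+', stem)) >= 3:
            reasons.append('random-looking file name')
        if per_command[e.command.lower()] > 1:
            reasons.append('same command registered in more than one hive')
        if reasons:
            flagged[e] = reasons
    return flagged


def diff_logs(before: str, after: str) -> tuple[list[str], list[str]]:
    """(removed, added) R/O entries between two logs; process lists are ignored."""
    def entries(log: str) -> set[str]:
        return {ln.strip() for ln in log.splitlines()
                if re.match(r'^[RO]\d+ - ', ln.strip())}
    b, a = entries(before), entries(after)
    return sorted(b - a), sorted(a - b)


def leftover_hooks(log: str) -> list[str]:
    """O10/O20/O21 entries (Winsock LSP, AppInit/Winlogon, SSODL) still present; review by hand."""
    return [ln.strip() for ln in log.splitlines()
            if ln.strip().startswith(('O10 - ', 'O20 - ', 'O21 - '))]


if __name__ == '__main__':
    for entry, why in flag_autoruns(parse_autoruns(BEFORE)).items():
        print(f'{entry.hive} [{entry.name}] {entry.command}\n    ' + '; '.join(why))
    removed, added = diff_logs(BEFORE, AFTER)
    print(f'\n{len(removed)} entries removed, {len(added)} added')
    print('\n'.join('  still present: ' + ln for ln in leftover_hooks(AFTER)))
```

On the sample above, every entry SDFix removed is flagged, the four legitimate entries are not, and the O21 SSODL line is reported as still present, which matches the second log posted by the topic starter.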

#6 ZZ Zimm (Topic Starter, Member, 10 posts)

SDFix log:


SDFix: Version 1.216
Run by ronnie bradford on Mon 08/18/2008 at 12:43 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File
Restoring Default Desktop Wallpaper
Restoring Default ScreenSaver value

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\pphc5d9j0eeod.exe - Deleted
C:\WINDOWS\SYSTEM32\PPHC5D~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\PHC5D9~1.BMP - Deleted
C:\WINDOWS\system32\blphc5d9j0eeod.scr - Deleted
C:\Documents and Settings\ronnie bradford\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.redtube.com\settings.sol - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\ac8zt2\install.bat - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\ac8zt2\wnlmdakqqas.dll - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt1.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt10.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt11.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt12.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt13.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt14.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt15.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt16.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt17.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt18.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt19.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt1A.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt1B.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt1C.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt1D.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt1E.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt1F.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt2.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt20.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt21.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt22.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt23.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt24.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt25.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt26.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt27.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt28.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt29.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt2A.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt2B.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt2C.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt2D.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt2E.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt2F.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt3.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt31.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt35.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt39.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt3C.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt4.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt40.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt42.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt46.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt47.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt48.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt4B.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt4C.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt4D.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt4E.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt5.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt50.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt52.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt54.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt55.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt56.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt58.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt5A.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt5C.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt5E.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt6.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt60.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt62.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt64.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt66.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt69.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt6B.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt6D.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt6F.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt7.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt71.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt73.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt75.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt77.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt79.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt7B.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt7D.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt7F.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt8.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt81.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt83.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt85.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt87.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt89.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt8B.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt8D.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt8F.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt9.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.ttA.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.ttB.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.ttC.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.ttD.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.ttE.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.ttF.tmp - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt2.tmp.vbs - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt20.tmp.vbs - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\.tt2F.tmp.vbs - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\sfsrv.exe.bat - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\vistasp1.exe.bat - Deleted
C:\WINDOWS\system32\2.tmp - Deleted
C:\WINDOWS\system32\20.tmp - Deleted
C:\WINDOWS\system32\21.tmp - Deleted
C:\WINDOWS\system32\22.tmp - Deleted
C:\WINDOWS\system32\23.tmp - Deleted
C:\WINDOWS\system32\24.tmp - Deleted
C:\WINDOWS\system32\25.tmp - Deleted
C:\WINDOWS\system32\26.tmp - Deleted
C:\WINDOWS\system32\27.tmp - Deleted
C:\WINDOWS\system32\28.tmp - Deleted
C:\WINDOWS\system32\29.tmp - Deleted
C:\WINDOWS\system32\2A.tmp - Deleted
C:\WINDOWS\system32\2B.tmp - Deleted
C:\WINDOWS\system32\2C.tmp - Deleted
C:\WINDOWS\system32\2D.tmp - Deleted
C:\WINDOWS\system32\2E.tmp - Deleted
C:\WINDOWS\system32\2F.tmp - Deleted
C:\WINDOWS\system32\1.tmp - Deleted
C:\WINDOWS\system32\10.tmp - Deleted
C:\WINDOWS\system32\11.tmp - Deleted
C:\WINDOWS\system32\12.tmp - Deleted
C:\WINDOWS\system32\13.tmp - Deleted
C:\WINDOWS\system32\14.tmp - Deleted
C:\WINDOWS\system32\15.tmp - Deleted
C:\WINDOWS\system32\16.tmp - Deleted
C:\WINDOWS\system32\17.tmp - Deleted
C:\WINDOWS\system32\18.tmp - Deleted
C:\WINDOWS\system32\19.tmp - Deleted
C:\WINDOWS\system32\1A.tmp - Deleted
C:\WINDOWS\system32\1B.tmp - Deleted
C:\WINDOWS\system32\1C.tmp - Deleted
C:\WINDOWS\system32\1D.tmp - Deleted
C:\WINDOWS\system32\1E.tmp - Deleted
C:\WINDOWS\system32\1F.tmp - Deleted
C:\WINDOWS\system32\sex2.ico - Deleted
C:\WINDOWS\wnlmdakqqas.dll - Deleted
C:\Documents and Settings\ronnie bradford\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\s1265.php - Deleted
C:\DOCUME~1\RONNIE~1\LOCALS~1\Temp\s1265.php.bat - Deleted
C:\WINDOWS\smdat32a.sys - Deleted
C:\WINDOWS\system32\vav.cpl - Deleted



Folder C:\Documents and Settings\ronnie bradford\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.redtube.com - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-18 01:23:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Ares Ultra\\Ares Ultra.exe"="C:\\Program Files\\Ares Ultra\\Ares Ultra.exe:*:Disabled:Ares Ultra p2p for windows"
"C:\\Program Files\\Bit Lord 1.1\\BitLord.exe"="C:\\Program Files\\Bit Lord 1.1\\BitLord.exe:*:Enabled:BitLord"
"C:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"="C:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe:*:Enabled:Dreamweaver MX"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Disabled:LEXPPS.EXE"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"
"C:\\Program Files\\Opera\\Opera.exe"="C:\\Program Files\\Opera\\Opera.exe:*:Enabled:Opera Internet Browser"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Disabled:Bonjour"
"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ Antivirus\\caav.exe"="C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ Antivirus\\caav.exe:*:Enabled:CA Anti-Virus"
"C:\\Program Files\\CA\\CA Internet Security Suite\\casecuritycenter.exe"="C:\\Program Files\\CA\\CA Internet Security Suite\\casecuritycenter.exe:*:Enabled:CA Security Center"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 13 Aug 2007 622,080 A.SH. --- "C:\Program Files\Internet Explorer\iexplore.exe"
Wed 4 Aug 2004 1,667,584 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Mon 21 Jun 2004 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 14 Aug 2005 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv17.bak"
Mon 26 Nov 2007 90,112 A..H. --- "C:\WINDOWS\system32\P2P Networking\MARSHAL14.DLL"
Sun 14 Oct 2007 90,112 A..H. --- "C:\WINDOWS\system32\P2P Networking\MARSHAL.DLL"
Mon 15 Oct 2007 90,112 A..H. --- "C:\WINDOWS\system32\P2P Networking\MARSHAL2.DLL"
Mon 15 Oct 2007 90,112 A..H. --- "C:\WINDOWS\system32\P2P Networking\MARSHAL3.DLL"
Sun 18 Nov 2007 90,112 A..H. --- "C:\WINDOWS\system32\P2P Networking\MARSHAL4.DLL"
Sun 18 Nov 2007 90,112 A..H. --- "C:\WINDOWS\system32\P2P Networking\MARSHAL5.DLL"
Wed 21 Nov 2007 90,112 A..H. --- "C:\WINDOWS\system32\P2P Networking\MARSHAL6.DLL"
Thu 22 Nov 2007 90,112 A..H. --- "C:\WINDOWS\system32\P2P Networking\MARSHAL7.DLL"
Thu 22 Nov 2007 90,112 A..H. --- "C:\WINDOWS\system32\P2P Networking\MARSHAL8.DLL"
Thu 22 Nov 2007 90,112 A..H. --- "C:\WINDOWS\system32\P2P Networking\MARSHAL9.DLL"
Sat 24 Nov 2007 90,112 A..H. --- "C:\WINDOWS\system32\P2P Networking\MARSHAL10.DLL"
Sat 24 Nov 2007 90,112 A..H. --- "C:\WINDOWS\system32\P2P Networking\MARSHAL11.DLL"
Sat 24 Nov 2007 90,112 A..H. --- "C:\WINDOWS\system32\P2P Networking\MARSHAL12.DLL"
Mon 26 Nov 2007 90,112 A..H. --- "C:\WINDOWS\system32\P2P Networking\MARSHAL13.DLL"
Wed 2 Jan 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Mon 21 Jun 2004 4,348 ...H. --- "C:\Documents and Settings\Dante\My Documents\My Music\License Backup\drmv1key.bak"
Sun 14 Aug 2005 401 A..H. --- "C:\Documents and Settings\Dante\My Documents\My Music\License Backup\drmv1lic.bak"
Wed 6 Oct 2004 400 A.SH. --- "C:\Documents and Settings\Dante\My Documents\My Music\License Backup\drmv2key.bak"
Sat 28 Jan 2006 19,968 ...H. --- "C:\Documents and Settings\Debracca\Application Data\Microsoft\Word\~WRL0003.tmp"
Tue 28 Feb 2006 19,456 ...H. --- "C:\Documents and Settings\Debracca\Application Data\Microsoft\Word\~WRL0004.tmp"
Sat 28 Jan 2006 22,016 ...H. --- "C:\Documents and Settings\Debracca\Application Data\Microsoft\Word\~WRL1268.tmp"
Sat 28 Jan 2006 21,504 ...H. --- "C:\Documents and Settings\Debracca\Application Data\Microsoft\Word\~WRL1818.tmp"
Sun 7 May 2006 20,992 ...H. --- "C:\Documents and Settings\Debracca\Application Data\Microsoft\Word\~WRL2277.tmp"
Sat 28 Jan 2006 20,992 ...H. --- "C:\Documents and Settings\Debracca\Application Data\Microsoft\Word\~WRL2579.tmp"
Tue 28 Feb 2006 19,968 ...H. --- "C:\Documents and Settings\Debracca\Application Data\Microsoft\Word\~WRL3029.tmp"
Tue 28 Feb 2006 19,968 ...H. --- "C:\Documents and Settings\Debracca\Application Data\Microsoft\Word\~WRL3444.tmp"
Tue 28 Feb 2006 19,968 ...H. --- "C:\Documents and Settings\Debracca\Application Data\Microsoft\Word\~WRL3952.tmp"
Fri 24 Aug 2007 19,456 ...H. --- "C:\Documents and Settings\ronnie bradford\Application Data\Microsoft\Word\~WRL0004.tmp"
Tue 25 Sep 2007 20,480 ...H. --- "C:\Documents and Settings\ronnie bradford\Application Data\Microsoft\Word\~WRL0005.tmp"
Tue 8 Apr 2008 20,992 ...H. --- "C:\Documents and Settings\ronnie bradford\Application Data\Microsoft\Word\~WRL0171.tmp"
Tue 25 Sep 2007 19,968 ...H. --- "C:\Documents and Settings\ronnie bradford\Application Data\Microsoft\Word\~WRL0175.tmp"
Sat 10 May 2008 54,784 ...H. --- "C:\Documents and Settings\ronnie bradford\Application Data\Microsoft\Word\~WRL0801.tmp"
Sun 3 Feb 2008 22,016 ...H. --- "C:\Documents and Settings\ronnie bradford\Application Data\Microsoft\Word\~WRL0984.tmp"
Tue 8 Apr 2008 23,552 ...H. --- "C:\Documents and Settings\ronnie bradford\Application Data\Microsoft\Word\~WRL1025.tmp"
Sat 10 May 2008 19,968 ...H. --- "C:\Documents and Settings\ronnie bradford\Application Data\Microsoft\Word\~WRL1378.tmp"
Tue 20 May 2008 20,480 ...H. --- "C:\Documents and Settings\ronnie bradford\Application Data\Microsoft\Word\~WRL2082.tmp"
Tue 8 Apr 2008 20,480 ...H. --- "C:\Documents and Settings\ronnie bradford\Application Data\Microsoft\Word\~WRL2165.tmp"
Sun 3 Feb 2008 22,528 ...H. --- "C:\Documents and Settings\ronnie bradford\Application Data\Microsoft\Word\~WRL2295.tmp"
Sun 3 Feb 2008 19,968 ...H. --- "C:\Documents and Settings\ronnie bradford\Application Data\Microsoft\Word\~WRL2385.tmp"
Tue 8 Apr 2008 24,064 ...H. --- "C:\Documents and Settings\ronnie bradford\Application Data\Microsoft\Word\~WRL2889.tmp"
Tue 10 Jun 2008 43,520 ...H. --- "C:\Documents and Settings\ronnie bradford\Application Data\Microsoft\Word\~WRL3057.tmp"
Tue 8 Apr 2008 22,016 ...H. --- "C:\Documents and Settings\ronnie bradford\Application Data\Microsoft\Word\~WRL3058.tmp"
Tue 25 Sep 2007 21,504 ...H. --- "C:\Documents and Settings\ronnie bradford\Application Data\Microsoft\Word\~WRL3134.tmp"
Tue 10 Jun 2008 45,056 ...H. --- "C:\Documents and Settings\ronnie bradford\Application Data\Microsoft\Word\~WRL3135.tmp"
Sat 10 May 2008 54,784 ...H. --- "C:\Documents and Settings\ronnie bradford\Application Data\Microsoft\Word\~WRL3623.tmp"
Fri 24 Aug 2007 20,992 ...H. --- "C:\Documents and Settings\ronnie bradford\Application Data\Microsoft\Word\~WRL3688.tmp"
Tue 10 Jun 2008 43,520 ...H. --- "C:\Documents and Settings\ronnie bradford\Application Data\Microsoft\Word\~WRL3762.tmp"

Finished!
  • 0

#7
ZZ Zimm

ZZ Zimm

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
ComboFix 08-08-17.03 - ronnie bradford 2008-08-18 1:51:56.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.415 [GMT -5:00]
Running from: C:\Documents and Settings\ronnie bradford\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Adsl Software Limited
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080616174645791.log
C:\Documents and Settings\Dante\Application Data\macromedia\Flash Player\#SharedObjects\CUUE5RVF\interclick.com
C:\Documents and Settings\Dante\Application Data\macromedia\Flash Player\#SharedObjects\CUUE5RVF\interclick.com\ud.sol
C:\Documents and Settings\Dante\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Dante\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Dante\Application Data\rhc1d9j0eeod
C:\Documents and Settings\Dante\Cookies\dante@adtrgt[2].txt
C:\Documents and Settings\Dante\Cookies\dante@imlive[1].txt
C:\Documents and Settings\Dante\Cookies\dante@myspace[1].txt
C:\Documents and Settings\Dante\Cookies\dante@turn[2].txt
C:\Documents and Settings\Dante\Desktop\IE Defender 2.4.lnk
C:\Documents and Settings\Dante\Start Menu\Programs\Antivirus 2008 PRO
C:\Documents and Settings\Dante\UserData
C:\Documents and Settings\Dante\UserData\GDOPODSN\YL[1].xml
C:\Documents and Settings\Dante\UserData\GDOPODSN\YL[2].xml
C:\Documents and Settings\Dante\UserData\index.dat
C:\Documents and Settings\Dante\UserData\OL2ZKHYV\dhtml[1].xml
C:\Documents and Settings\Debracca\Application Data\rhc1d9j0eeod
C:\Documents and Settings\Debracca\Cookies\[email protected][1].txt
C:\Documents and Settings\Debracca\UserData
C:\Documents and Settings\Debracca\UserData\index.dat
C:\Documents and Settings\ronnie bradford\Application Data\macromedia\Flash Player\#SharedObjects\CNVFP3FM\interclick.com
C:\Documents and Settings\ronnie bradford\Application Data\macromedia\Flash Player\#SharedObjects\CNVFP3FM\interclick.com\ud.sol
C:\Documents and Settings\ronnie bradford\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\ronnie bradford\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\ronnie bradford\Application Data\rhc1d9j0eeod
C:\Documents and Settings\ronnie bradford\Cookies\[email protected][2].txt
C:\Documents and Settings\ronnie bradford\Cookies\ronnie____bradford@about[1].txt
C:\Documents and Settings\ronnie bradford\Cookies\[email protected][1].txt
C:\Documents and Settings\ronnie bradford\Cookies\ronnie____bradford@addlvr[2].txt
C:\Documents and Settings\ronnie bradford\Cookies\ronnie____bradford@adtrgt[2].txt
C:\Documents and Settings\ronnie bradford\Cookies\ronnie____bradford@afy11[1].txt
C:\Documents and Settings\ronnie bradford\Cookies\ronnie____bradford@badongo[1].txt
C:\Documents and Settings\ronnie bradford\Cookies\[email protected][2].txt
C:\Documents and Settings\ronnie bradford\Cookies\[email protected][2].txt
C:\Documents and Settings\ronnie bradford\Cookies\[email protected][1].txt
C:\Documents and Settings\ronnie bradford\Cookies\[email protected][2].txt
C:\Documents and Settings\ronnie bradford\Cookies\ronnie____bradford@gamespot[2].txt
C:\Documents and Settings\ronnie bradford\Cookies\ronnie____bradford@go[2].txt
C:\Documents and Settings\ronnie bradford\Cookies\ronnie____bradford@harddrivefilter[2].txt
C:\Documents and Settings\ronnie bradford\Cookies\ronnie____bradford@hoverspot[1].txt
C:\Documents and Settings\ronnie bradford\Cookies\[email protected][2].txt
C:\Documents and Settings\ronnie bradford\Cookies\ronnie____bradford@mapquest[2].txt
C:\Documents and Settings\ronnie bradford\Cookies\ronnie____bradford@myspace[1].txt
C:\Documents and Settings\ronnie bradford\Cookies\ronnie____bradford@nytimes[1].txt
C:\Documents and Settings\ronnie bradford\Cookies\ronnie____bradford@revsci[1].txt
C:\Documents and Settings\ronnie bradford\Cookies\[email protected][1].txt
C:\Documents and Settings\ronnie bradford\Cookies\[email protected][1].txt
C:\Documents and Settings\ronnie bradford\Cookies\ronnie____bradford@turn[1].txt
C:\Documents and Settings\ronnie bradford\Cookies\[email protected][2].txt
C:\Documents and Settings\ronnie bradford\Cookies\[email protected][3].txt
C:\Documents and Settings\ronnie bradford\Cookies\[email protected][1].txt
C:\Documents and Settings\ronnie bradford\Cookies\[email protected][2].txt
C:\Documents and Settings\ronnie bradford\Cookies\[email protected][1].txt
C:\Documents and Settings\ronnie bradford\UserData
C:\Documents and Settings\ronnie bradford\UserData\A7EHA3I9\mnpFrames[1].xml
C:\Documents and Settings\ronnie bradford\UserData\index.dat
C:\Documents and Settings\ronnie bradford\UserData\QFARQNCN\YL[1].xml
C:\Documents and Settings\Zachary\Application Data\macromedia\Flash Player\#SharedObjects\AYB7TMFW\interclick.com
C:\Documents and Settings\Zachary\Application Data\macromedia\Flash Player\#SharedObjects\AYB7TMFW\interclick.com\ud.sol
C:\Documents and Settings\Zachary\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Zachary\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Zachary\Application Data\rhc1d9j0eeod
C:\Documents and Settings\Zachary\Cookies\[email protected][1].txt
C:\Documents and Settings\Zachary\Cookies\zachary@about[2].txt
C:\Documents and Settings\Zachary\Cookies\zachary@ad[2].txt
C:\Documents and Settings\Zachary\Cookies\[email protected][2].txt
C:\Documents and Settings\Zachary\Cookies\zachary@adrevolver[1].txt
C:\Documents and Settings\Zachary\Cookies\[email protected][1].txt
C:\Documents and Settings\Zachary\Cookies\[email protected][1].txt
C:\Documents and Settings\Zachary\Cookies\zachary@adtrgt[2].txt
C:\Documents and Settings\Zachary\Cookies\zachary@avsystemcare[1].txt
C:\Documents and Settings\Zachary\Cookies\zachary@buzznet[1].txt
C:\Documents and Settings\Zachary\Cookies\zachary@casalemedia[1].txt
C:\Documents and Settings\Zachary\Cookies\[email protected][1].txt
C:\Documents and Settings\Zachary\Cookies\[email protected][2].txt
C:\Documents and Settings\Zachary\Cookies\[email protected][2].txt
C:\Documents and Settings\Zachary\Cookies\zachary@findarticles[2].txt
C:\Documents and Settings\Zachary\Cookies\zachary@gamespot[1].txt
C:\Documents and Settings\Zachary\Cookies\zachary@go[2].txt
C:\Documents and Settings\Zachary\Cookies\[email protected][1].txt
C:\Documents and Settings\Zachary\Cookies\zachary@insightexpressai[2].txt
C:\Documents and Settings\Zachary\Cookies\zachary@metacafe[1].txt
C:\Documents and Settings\Zachary\Cookies\[email protected][1].txt
C:\Documents and Settings\Zachary\Cookies\zachary@myspace[1].txt
C:\Documents and Settings\Zachary\Cookies\zachary@myspace[3].txt
C:\Documents and Settings\Zachary\Cookies\zachary@myspace[4].txt
C:\Documents and Settings\Zachary\Cookies\zachary@myspace[5].txt
C:\Documents and Settings\Zachary\Cookies\zachary@myspace[6].txt
C:\Documents and Settings\Zachary\Cookies\zachary@myspace[7].txt
C:\Documents and Settings\Zachary\Cookies\zachary@revsci[2].txt
C:\Documents and Settings\Zachary\Cookies\zachary@specificclick[2].txt
C:\Documents and Settings\Zachary\Cookies\[email protected][2].txt
C:\Documents and Settings\Zachary\Cookies\zachary@sweetim[2].txt
C:\Documents and Settings\Zachary\Cookies\zachary@trafficmp[2].txt
C:\Documents and Settings\Zachary\UserData
C:\Documents and Settings\Zachary\UserData\7HP7GCNC\oWindowsUpdate[1].xml
C:\Documents and Settings\Zachary\UserData\EOVXOUVY\globals[1].xml
C:\Documents and Settings\Zachary\UserData\index.dat
C:\Documents and Settings\Zachary\UserData\OWJM55T5\sn[1].xml
C:\Documents and Settings\Zachary\UserData\UC24IUZ0\sn[1].xml
C:\Documents and Settings\Zachary\UserData\UC24IUZ0\YL[1].xml
C:\Program Files\rhc1d9j0eeod
C:\WINDOWS\cdmxtras
C:\WINDOWS\cdmxtras\uninst.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\3.tmp
C:\WINDOWS\system32\4.tmp
C:\WINDOWS\system32\5.tmp
C:\WINDOWS\system32\6.tmp
C:\WINDOWS\system32\7.tmp
C:\WINDOWS\system32\8.tmp
C:\WINDOWS\system32\9.tmp
C:\WINDOWS\system32\A.tmp
C:\WINDOWS\system32\adlgiwvo.ini
C:\WINDOWS\system32\B.tmp
C:\WINDOWS\system32\babsarbj.ini
C:\WINDOWS\system32\bwfjmlfo.dll
C:\WINDOWS\system32\C.tmp
C:\WINDOWS\system32\cache329
C:\WINDOWS\system32\D.tmp
C:\WINDOWS\system32\desioyjf.ini
C:\WINDOWS\system32\E.tmp
C:\WINDOWS\system32\edareoyi.dll
C:\WINDOWS\system32\eggiibic.ini
C:\WINDOWS\system32\F.tmp
C:\WINDOWS\system32\fjyoised.dll
C:\WINDOWS\system32\hmtqxugt.ini
C:\WINDOWS\system32\ierucuon.ini
C:\WINDOWS\system32\iyoerade.ini
C:\WINDOWS\system32\jhqhcjap.ini
C:\WINDOWS\system32\kblxcown.dll
C:\WINDOWS\system32\kpemtlit.ini
C:\WINDOWS\system32\kwcwwqsg.ini
C:\WINDOWS\system32\kyscmryq.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\noucurei.dll
C:\WINDOWS\system32\ntjsfckv.ini
C:\WINDOWS\system32\nwocxlbk.ini
C:\WINDOWS\system32\oflmjfwb.ini
C:\WINDOWS\system32\ovwiglda.dll
C:\WINDOWS\system32\P2P Networking
C:\WINDOWS\system32\P2P Networking\MARSHAL.DLL
C:\WINDOWS\system32\P2P Networking\MARSHAL10.DLL
C:\WINDOWS\system32\P2P Networking\MARSHAL11.DLL
C:\WINDOWS\system32\P2P Networking\MARSHAL12.DLL
C:\WINDOWS\system32\P2P Networking\MARSHAL13.DLL
C:\WINDOWS\system32\P2P Networking\MARSHAL14.DLL
C:\WINDOWS\system32\P2P Networking\MARSHAL2.DLL
C:\WINDOWS\system32\P2P Networking\MARSHAL3.DLL
C:\WINDOWS\system32\P2P Networking\MARSHAL4.DLL
C:\WINDOWS\system32\P2P Networking\MARSHAL5.DLL
C:\WINDOWS\system32\P2P Networking\MARSHAL6.DLL
C:\WINDOWS\system32\P2P Networking\MARSHAL7.DLL
C:\WINDOWS\system32\P2P Networking\MARSHAL8.DLL
C:\WINDOWS\system32\P2P Networking\MARSHAL9.DLL
C:\WINDOWS\system32\P2P Networking\P2P Networking.eng
C:\WINDOWS\system32\P2P Networking\P2P Networking10.ENG
C:\WINDOWS\system32\P2P Networking\P2P Networking11.ENG
C:\WINDOWS\system32\P2P Networking\P2P Networking12.ENG
C:\WINDOWS\system32\P2P Networking\P2P Networking13.ENG
C:\WINDOWS\system32\P2P Networking\P2P Networking14.ENG
C:\WINDOWS\system32\P2P Networking\P2P Networking2.ENG
C:\WINDOWS\system32\P2P Networking\P2P Networking3.ENG
C:\WINDOWS\system32\P2P Networking\P2P Networking4.ENG
C:\WINDOWS\system32\P2P Networking\P2P Networking5.ENG
C:\WINDOWS\system32\P2P Networking\P2P Networking6.ENG
C:\WINDOWS\system32\P2P Networking\P2P Networking7.ENG
C:\WINDOWS\system32\P2P Networking\P2P Networking8.ENG
C:\WINDOWS\system32\P2P Networking\P2P Networking9.ENG
C:\WINDOWS\system32\qyufdgir.ini
C:\WINDOWS\system32\rigdfuyq.dll
C:\WINDOWS\system32\ssquklfo.ini
C:\WINDOWS\system32\tiltmepk.dll
C:\WINDOWS\system32\vodfyscx.ini
C:\WINDOWS\system32\xcsyfdov.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-18 to 2008-08-18 )))))))))))))))))))))))))))))))
.

2008-08-18 00:31 . 2008-08-18 00:31 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-18 00:25 . 2008-08-18 01:36 <DIR> d-------- C:\SDFix
2008-08-14 16:18 . 2008-08-14 16:18 0 --a------ C:\WINDOWS\system32\4F.tmp
2008-08-09 11:09 . 2008-08-09 11:09 0 --a------ C:\WINDOWS\system32\45.tmp
2008-08-09 00:47 . 2008-08-09 00:47 0 --a------ C:\WINDOWS\system32\37.tmp
2008-08-06 07:48 . 2008-08-06 07:48 <DIR> d-------- C:\Documents and Settings\Debracca\Application Data\MySpace
2008-08-04 14:58 . 2008-08-04 14:58 <DIR> d-------- C:\Documents and Settings\Zachary\Application Data\MySpace
2008-07-31 22:14 . 2008-08-17 18:56 <DIR> d-------- C:\Program Files\MySpace
2008-07-31 22:14 . 2008-07-31 22:14 <DIR> d-------- C:\Documents and Settings\ronnie bradford\Application Data\MySpace

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-18 01:08 94,208 ----a-w C:\WINDOWS\system32\67.tmp
2008-08-18 00:56 94,208 ----a-w C:\WINDOWS\system32\66.tmp
2008-08-18 00:56 94,208 ----a-w C:\WINDOWS\system32\65.tmp
2008-08-18 00:56 94,208 ----a-w C:\WINDOWS\system32\64.tmp
2008-08-18 00:55 94,208 ----a-w C:\WINDOWS\system32\63.tmp
2008-08-18 00:55 94,208 ----a-w C:\WINDOWS\system32\62.tmp
2008-08-18 00:55 94,208 ----a-w C:\WINDOWS\system32\61.tmp
2008-08-18 00:55 94,208 ----a-w C:\WINDOWS\system32\60.tmp
2008-08-18 00:55 94,208 ----a-w C:\WINDOWS\system32\5F.tmp
2008-08-18 00:54 94,208 ----a-w C:\WINDOWS\system32\5E.tmp
2008-08-18 00:54 94,208 ----a-w C:\WINDOWS\system32\5D.tmp
2008-08-18 00:54 94,208 ----a-w C:\WINDOWS\system32\5C.tmp
2008-08-18 00:54 94,208 ----a-w C:\WINDOWS\system32\5B.tmp
2008-08-18 00:01 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-08-18 00:00 --------- d-----w C:\Program Files\AVS4YOU
2008-08-17 23:59 --------- d-----w C:\Program Files\Google
2008-08-17 23:50 94,208 ----a-w C:\WINDOWS\system32\5A.tmp
2008-08-14 23:01 94,208 ----a-w C:\WINDOWS\system32\59.tmp
2008-08-14 23:00 94,208 ----a-w C:\WINDOWS\system32\58.tmp
2008-08-14 23:00 94,208 ----a-w C:\WINDOWS\system32\57.tmp
2008-08-14 23:00 94,208 ----a-w C:\WINDOWS\system32\56.tmp
2008-08-14 23:00 94,208 ----a-w C:\WINDOWS\system32\55.tmp
2008-08-14 23:00 94,208 ----a-w C:\WINDOWS\system32\54.tmp
2008-08-14 23:00 94,208 ----a-w C:\WINDOWS\system32\53.tmp
2008-08-14 22:59 94,208 ----a-w C:\WINDOWS\system32\52.tmp
2008-08-14 22:54 94,208 ----a-w C:\WINDOWS\system32\51.tmp
2008-08-14 22:54 94,208 ----a-w C:\WINDOWS\system32\50.tmp
2008-08-14 21:18 94,208 ----a-w C:\WINDOWS\system32\4E.tmp
2008-08-14 21:18 94,208 ----a-w C:\WINDOWS\system32\4D.tmp
2008-08-14 16:11 94,208 ----a-w C:\WINDOWS\system32\4C.tmp
2008-08-14 16:11 94,208 ----a-w C:\WINDOWS\system32\4B.tmp
2008-08-13 13:39 94,208 ----a-w C:\WINDOWS\system32\4A.tmp
2008-08-13 13:38 94,208 ----a-w C:\WINDOWS\system32\49.tmp
2008-08-13 13:38 94,208 ----a-w C:\WINDOWS\system32\48.tmp
2008-08-12 01:51 94,208 ----a-w C:\WINDOWS\system32\47.tmp
2008-08-11 13:59 94,208 ----a-w C:\WINDOWS\system32\46.tmp
2008-08-09 16:09 94,208 ----a-w C:\WINDOWS\system32\44.tmp
2008-08-09 16:08 94,208 ----a-w C:\WINDOWS\system32\43.tmp
2008-08-09 16:08 94,208 ----a-w C:\WINDOWS\system32\42.tmp
2008-08-09 16:08 94,208 ----a-w C:\WINDOWS\system32\41.tmp
2008-08-09 16:07 94,208 ----a-w C:\WINDOWS\system32\40.tmp
2008-08-09 16:07 94,208 ----a-w C:\WINDOWS\system32\3F.tmp
2008-08-09 16:07 94,208 ----a-w C:\WINDOWS\system32\3E.tmp
2008-08-09 16:07 94,208 ----a-w C:\WINDOWS\system32\3D.tmp
2008-08-09 16:07 94,208 ----a-w C:\WINDOWS\system32\3C.tmp
2008-08-09 16:07 94,208 ----a-w C:\WINDOWS\system32\3B.tmp
2008-08-09 16:01 94,208 ----a-w C:\WINDOWS\system32\3A.tmp
2008-08-09 16:00 94,208 ----a-w C:\WINDOWS\system32\39.tmp
2008-08-09 16:00 94,208 ----a-w C:\WINDOWS\system32\38.tmp
2008-08-09 16:00 94,208 ----a-w C:\WINDOWS\system32\34.tmp
2008-08-09 05:47 94,208 ----a-w C:\WINDOWS\system32\36.tmp
2008-08-09 05:47 94,208 ----a-w C:\WINDOWS\system32\35.tmp
2008-08-09 05:46 94,208 ----a-w C:\WINDOWS\system32\33.tmp
2008-08-09 05:46 94,208 ----a-w C:\WINDOWS\system32\32.tmp
2008-08-09 05:46 94,208 ----a-w C:\WINDOWS\system32\31.tmp
2008-08-09 05:46 94,208 ----a-w C:\WINDOWS\system32\30.tmp
2008-07-11 07:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-11 07:09 --------- d-----w C:\Program Files\WMA-MP3.com
2008-07-11 07:04 --------- d-----w C:\Documents and Settings\ronnie bradford\Application Data\AVS4YOU
2008-07-11 07:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-07-11 05:02 --------- d-----w C:\Documents and Settings\ronnie bradford\Application Data\ImgBurn
2008-07-11 04:51 --------- d-----w C:\Program Files\ImgBurn
2008-06-30 02:37 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-06-28 22:02 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-21 20:26 --------- d-----w C:\Documents and Settings\ronnie bradford\Application Data\Blackberry Desktop
2008-06-21 20:17 --------- d-----w C:\Documents and Settings\ronnie bradford\Application Data\Research In Motion
2008-06-21 19:24 --------- d-----w C:\Program Files\Common Files\Research In Motion
2008-06-21 19:23 --------- d-----w C:\Program Files\Research In Motion
2008-06-13 20:15 91,376 ----a-w C:\WINDOWS\system32\isafprod.dll
2005-05-15 02:10 0 ---ha-w C:\Documents and Settings\Zachary\hpothb07.dat
2004-05-03 14:32 0 ---ha-w C:\Documents and Settings\ronnie bradford\hpothb07.dat
.

------- Sigcheck -------

2004-08-04 01:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
md5deep: C:\WINDOWS\system32\svchost.exe: error at offset 0: Permission denied

2004-08-04 01:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
md5deep: C:\WINDOWS\system32\winlogon.exe: error at offset 0: Permission denied

md5deep: C:\WINDOWS\explorer.exe: error at offset 0: Permission denied
2004-08-04 01:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\ServicePackFiles\i386\explorer.exe

2004-08-04 01:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\ServicePackFiles\i386\services.exe
md5deep: C:\WINDOWS\system32\services.exe: error at offset 0: Permission denied

2004-08-04 01:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\ServicePackFiles\i386\lsass.exe
md5deep: C:\WINDOWS\system32\lsass.exe: error at offset 0: Permission denied

2004-08-04 01:56 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe
md5deep: C:\WINDOWS\system32\spoolsv.exe: error at offset 0: Permission denied
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-06-29 21:37 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-07-30 17:29 181488]
"CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [2008-06-13 15:15 234736]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54 282624]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-01-31 20:39:12 110592]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-06-29 21:37 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"NSsbdPDcr"= {5B7790D4-F1DD-3A7E-476E-75E87751CB3C} - C:\WINDOWS\system32\mhgcb.dll [2004-08-04 01:56 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.MI-SC4"= MI-SC4.acm
"SENTINEL"= snti386.dll
"msacm.avis"= ff_acm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^ronnie bradford^Start Menu^Programs^Startup^TA_Start.lnk]
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^ronnie bradford^Start Menu^Programs^Startup^Think-Adz.lnk]
backup=C:\WINDOWS\pss\Think-Adz.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadStudio
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2008-01-05 14:46 29744 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
--a------ 2007-01-24 16:05 5237248 C:\Program Files\Kazaa\kazaa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 10:54 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 05:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-06-29 21:37 1506544 C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tweak UI]
-ra------ 1998-05-11 20:01 159744 C:\WINDOWS\system32\TWEAKUI.CPL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mnmsrvc"=3 (0x3)
"Messenger"=2 (0x2)
"AOL ACS"=3 (0x3)
"Psnsoa1c0r"=3 (0x3)
"svcWRSSSDK"=2 (0x2)
"CaCCProvSP"=3 (0x3)
"gusvc"=3 (0x3)
"CAISafe"=2 (0x2)
"AresChatServer"=3 (0x3)
"LightScribeService"=2 (0x2)
"GoogleDesktopManager-121807-210419"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Adobe LM Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Bit Lord 1.1\\BitLord.exe"=
"C:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Opera\\Opera.exe"=
"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ Antivirus\\caav.exe"=
"C:\\Program Files\\CA\\CA Internet Security Suite\\casecuritycenter.exe"=

R3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;C:\WINDOWS\system32\drivers\caliaud.sys [2002-11-05 10:04]
R3 CALIHALA;CALIHALA;C:\WINDOWS\system32\drivers\calihal.sys [2002-11-05 10:04]
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;C:\WINDOWS\system32\DRIVERS\DP83815.SYS [2003-07-16 20:01]
S3 ALiIRDA;ALi Infrared Device Driver;C:\WINDOWS\system32\DRIVERS\aliirda.sys [2003-07-10 06:16]
S3 IR500;IR500;C:\WINDOWS\system32\DRIVERS\IR500.sys [2002-02-23 15:31]
S3 lgatbus;LG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\lgatbus.sys [2002-10-15 16:03]
S3 lgatmdm;LG CDMA USB Modem Drivers;C:\WINDOWS\system32\DRIVERS\lgatmdm.sys [2002-10-15 16:05]
S3 lgatserd;LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM);C:\WINDOWS\system32\DRIVERS\lgatserd.sys [2002-10-15 16:07]
S3 MPD16USB;AKAIpro MPD16 Driver;C:\WINDOWS\system32\Drivers\MPD16USB.sys [2006-07-12 17:30]
S3 PortRst;PortRst;C:\WINDOWS\system32\DRIVERS\PortRst.sys [2002-01-29 17:33]
S4 gearsec;gearsec;C:\WINDOWS\System32\gearsec.exe [2001-09-12 08:59]
S4 GoogleDesktopManager-121807-210419;Google Desktop Manager 5.7.712.18632;C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-01-05 14:46]
.
Contents of the 'Scheduled Tasks' folder

2008-08-17 C:\WINDOWS\Tasks\User_Feed_Synchronization-{EFB8FE23-B3D4-4251-9B70-D6E498940C9D}.job
- C:\WINDOWS\system32\msfeedssync.exe [2007-08-13 19:36]

2008-08-02 C:\WINDOWS\Tasks\WebReg 20040411005753.job
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe [2002-12-10 17:09]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-ares ultra - C:\Program Files\Ares Ultra\Ares Ultra.exe
MSConfigStartUp-NeroFilterCheck - C:\WINDOWS\system32\NeroCheck.exe
MSConfigStartUp-SMrhc1d9j0eeod - C:\Program Files\rhc1d9j0eeod\rhc1d9j0eeod.exe
MSConfigStartUp-SpySweeper - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
MSConfigStartUp-swg - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\ronnie bradford\Application Data\Mozilla\Firefox\Profiles\2gybjj84.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-18 02:13:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-08-18 2:23:54 - machine was rebooted [ronnie bradford]
ComboFix-quarantined-files.txt 2008-08-18 07:23:25

Pre-Run: 4,621,512,704 bytes free
Post-Run: 5,984,620,544 bytes free

412
  • 0

#8
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
and I will need to see a new HijackThis log.

I won't be able to do much on this until I get home from work this evening.

andrewuk
  • 0

#9
ZZ Zimm

ZZ Zimm

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
I posted a new HijackThis log above. See BTW...

Tx,
ZZ
  • 0

#10
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts

I posted a new HijackThis log above

Oops, my mistake, completely missed it.

In this post we will clear the malware I can see and do a couple of scans (which should clear the other malware I can see in your logs, and some more) to see what else slipped onto your machine.

We will also update your out-of-date Java, which can be exploited by one of the infections you had.


====STEP 1====
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.



====STEP 2====
Please download ATF Cleaner by Atribune.

Caution: This program is for Windows 2000, XP and Vista only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


====STEP 3====
Updating your java:

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.
====STEP 4====
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


====STEP 5====
Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java to download and install the latest version.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
In your next reply could I see:
1. the malwarebytes log
2. the kaspersky log
3. a new hijackthis log

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk

Edited by andrewuk, 19 August 2008 - 01:25 AM.

  • 0

#11
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
still with us?
  • 0

#12
ZZ Zimm

ZZ Zimm

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Thanks for your patience. I have been without my internet connection since Wednesday. I am actually working with Comcast to fix my PC connection now. I am typing this on my Blackberry. Hopefully I'll be back up by tomorrow so we can get this going again. .

Thanks again so much for your help. You are a lifesaver. I will try to make a donation so you guys can keep helping us noobs.

Thanks again for everything.

ZZ
  • 0

#13
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
No problem, I will await your replies :)
  • 0

#14
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
I'm guessing no luck?
  • 0

#15
ZZ Zimm

ZZ Zimm

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
I'm back. Thanks for your patience. Problems with Comcast again. Attached are the logs for HijackThis and Malwarebytes' Anti-Malware 1.28. I couldn't get Kaspersky Online to work; it kept saying I need to get online but, for a change, I actually was online. Is there a workaround? My CA Anti-Virus expires on 9-26 and I am not going to renew. Should I purchase Kaspersky or another Anti-Virus program? Thanks again.

Logs following:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:37:47 PM, on 9/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca....r/axscanner.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1189466180346
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1189466167778
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.aka...vex-2.2.1.6.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: NSsbdPDcr - {5B7790D4-F1DD-3A7E-476E-75E87751CB3C} - C:\WINDOWS\system32\mhgcb.dll (file missing)
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

--
End of file - 5631 bytes
  • 0
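As an added example (not from the thread, and not part of HijackThis itself), a small Python triage helper that parses the R/O lines of a HijackThis log like the one above and flags the entries a helper looks at first: items marked "(file missing)", unknown Winsock LSPs, and autostarts outside Program Files or Windows. The sample lines are adapted from the log above; the trusted-prefix list is a simplifying assumption, not a HijackThis rule.

```python
import re

# Sample input adapted from the HijackThis log posted above (constructed
# for this example; the trademark symbol on the Java entry is dropped).
SAMPLE_LOG = r"""
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O21 - SSODL: NSsbdPDcr - {5B7790D4-F1DD-3A7E-476E-75E87751CB3C} - C:\WINDOWS\system32\mhgcb.dll (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
"""

# HijackThis entry lines look like "O21 - ..." or "R1 - ..."; everything else
# (header, running-process list, "End of file") is skipped.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# First Windows path ending in a loadable/startable extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|sys|lnk)\b", re.IGNORECASE)

# Assumed "expected" autostart locations for this heuristic (simplification).
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\")


def parse_entries(log_text):
    """Return (kind, body, path) for every R/O entry line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        p = PATH_RE.search(body)
        entries.append((m.group("kind"), body, p.group(0) if p else None))
    return entries


def triage(log_text):
    """Flag entries worth a closer look; returns (kind, reason, body) tuples."""
    flagged = []
    for kind, body, path in parse_entries(log_text):
        if "(file missing)" in body:
            # The registry still points at a DLL that is gone (or hidden):
            # typical leftover of a removed or rootkit-hidden loader.
            flagged.append((kind, "points at a missing file", body))
        elif kind == "O10" and body.startswith("Unknown file in Winsock LSP"):
            flagged.append((kind, "unknown Winsock LSP; verify publisher", body))
        elif path and not path.lower().startswith(TRUSTED_PREFIXES):
            flagged.append((kind, "autostart outside Program Files/Windows", body))
    return flagged


if __name__ == "__main__":
    for kind, reason, body in triage(SAMPLE_LOG):
        print(f"{kind}: {reason}\n    {body}")
```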