
Trojan (Backdoor, ZXW, ZYE, ZUY, ZXK, etc.) [RESOLVED]



#1
CindyKay (Member, 12 posts)

I've never been on this site before to post a problem but I'm very desperate.
My laptop started having strange sounds coming from it a couple of weeks ago. I researched this and found that some malware or virus called Nob..something would cause this. I also have Trojan warnings pop up every time I turn on the laptop. I've run AVG, HijackThis, Malwarebytes Anti-Malware, ATF Cleaner and I've followed the steps required on the page that tells you what to do before posting a log. I restarted my laptop and still have the Trojan warnings pop up. I've been on for about 30 min. now and haven't heard the strange advertisement/news sounds coming out of it yet.
If anyone can help me, please contact me back. I teach school and am not w/ this laptop during the day.

Thanks, Cindy

Below are the logs. The first log is the one from HijackThis done a few minutes ago. The second log is from Malwarebytes done last night.

Log from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:34:26 PM, on 8/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\VPro520.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O1 - Hosts: 72.232.133.244 airticketscheap.net
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Gateway Extended Warranty] "C:\Program Files\Gateway\GWCares\GWCares.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [ProfileWatcher] C:\Program Files\ProfileWatcher\profilewatcher.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [LexPPS.exe] C:\WINDOWS\system32\lexpps.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: VPro520.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 8495 bytes




Log from Malware:


Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 2

9:56:54 PM 8/17/2008
mbam-log-08-17-2008 (21-56-54).txt

Scan type: Quick Scan
Objects scanned: 71193
Time elapsed: 4 hour(s), 5 minute(s), 7 second(s)

Memory Processes Infected: 5
Memory Modules Infected: 3
Registry Keys Infected: 19
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 31
Files Infected: 50

Memory Processes Infected:
C:\Program Files\AdwareAlert\AdwareAlert.exe (Rogue.AdwareAlert) -> Unloaded process successfully.
C:\WINDOWS\system32\afinding.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\wserving.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\routing.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\perfs.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\AdwareAlert\SpyCleaner.dll (Rogue.AdwareAlert) -> Delete on reboot.
C:\Program Files\AdwareAlert\TCL.dll (Rogue.AdwareAlert) -> Delete on reboot.
C:\Program Files\AdwareAlert\zlib.dll (Rogue.AdwareAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\Installer\UpgradeCodes\7c673a5b871b8cd419f47dd0de5a6d18 (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\7c673a5b871b8cd419f47dd0de5a6d18 (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFinding (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Routing (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WServing (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\afinding (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\afinding (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wserving (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wserving (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\macidwe (Backdoor.Bot) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nobicyt (Backdoor.Bot) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sobicyt (Backdoor.Bot) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdxdowkc (Backdoor.Bot) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\routing (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\routing (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\perfmons (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\perfmons (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\perfmons (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\program files\adwarealert\ (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\program files\adwarealert\filterdrv\ (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\documents and settings\all users\start menu\programs\adwarealert\ (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\FilterDrv (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert (Rogue.AdwareAlert) -> Delete on reboot.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine (Rogue.AdwareAlert) -> Delete on reboot.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\16-08-2008-18-29-11 (Rogue.AdwareAlert) -> Delete on reboot.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\16-08-2008-18-29-11 (Rogue.AdwareAlert) -> Files: 526 -> Delete on reboot.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\16-08-2008-18-29-11\0.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\16-08-2008-18-29-11\21.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\16-08-2008-18-29-11\211.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\16-08-2008-18-29-11\215.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\16-08-2008-18-29-11\217.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\16-08-2008-18-29-11\219.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\16-08-2008-18-29-11\221.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\16-08-2008-18-29-11\222.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\16-08-2008-18-29-11\223.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\16-08-2008-18-29-11\40.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\16-08-2008-18-29-11\56.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\16-08-2008-18-29-11\73.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\16-08-2008-18-29-11\75.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\16-08-2008-18-29-11\76.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\16-08-2008-18-29-11\77.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\16-08-2008-18-29-11\79.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\16-08-2008-18-29-11\81.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\16-08-2008-18-29-11\82.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\16-08-2008-18-29-11\83.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\16-08-2008-18-29-11\84.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\16-08-2008-18-50-39 (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\17-08-2008-10-49-18 (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Settings (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\AdwareAlert\AdwareAlert on the Web.lnk (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\AdwareAlert\AdwareAlert.lnk (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\AdwareAlert.exe (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\AdwareAlert.url (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\DataBase.ref (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\Difxapi.dll (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\SpyCleaner.dll (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\TCL.dll (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\vistaCPtasks.xml (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\zlib.dll (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\FilterDrv\AdwareAlert.amd64.sys (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\FilterDrv\AdwareAlert.cat (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\FilterDrv\AdwareAlert.inf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\FilterDrv\AdwareAlert.x86.sys (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\rs.dat (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Log\2008 Aug 17 - 02_40_30 PM_671.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Log\2008 Aug 17 - 10_20_21 AM_984.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\16-08-2008-18-50-39\0.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\16-08-2008-18-50-39\0.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\16-08-2008-18-50-39\1.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\16-08-2008-18-50-39\1.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\16-08-2008-18-50-39\2.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\16-08-2008-18-50-39\2.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\17-08-2008-10-49-18\0.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\17-08-2008-10-49-18\0.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\17-08-2008-10-49-18\1.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\17-08-2008-10-49-18\1.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\17-08-2008-10-49-18\2.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\17-08-2008-10-49-18\2.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\17-08-2008-10-49-18\3.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\17-08-2008-10-49-18\3.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\17-08-2008-10-49-18\4.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\17-08-2008-10-49-18\4.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\17-08-2008-10-49-18\5.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\17-08-2008-10-49-18\5.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\17-08-2008-10-49-18\6.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\17-08-2008-10-49-18\6.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\17-08-2008-10-49-18\7.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\17-08-2008-10-49-18\7.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\17-08-2008-10-49-18\8.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\17-08-2008-10-49-18\8.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\17-08-2008-10-49-18\9.qit (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareAlert\Quarantine\17-08-2008-10-49-18\9.qnf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\afinding.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wserving.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\routing.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\AdwareAlert.lnk (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\perfs.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
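Reading a HijackThis log by eye is what the helpers in this thread do next; as an added example that is not part of the thread or of HijackThis itself, the Python script below parses that log format and flags the entry types a reviewer looks at first (hosts-file redirects, entries whose file is gone, startup shortcuts with an unresolved target, AppInit_DLLs, services whose binary is missing). The sample lines are constructed in the shape of the log posted above; a flag means "look here", not "malicious", and the hosts-file loopback set is an assumption of this script.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis v2 log format. The lines mirror the shape
# of the log posted above (same sections, paths and CLSIDs) and are embedded
# here so the script runs offline.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O1 - Hosts: 72.232.133.244 airticketscheap.net
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - Global Startup: VPro520.lnk = ?
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
"""

# Every HijackThis entry is "<section> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
# Assumed set of addresses a hosts-file entry may legitimately point at.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


@dataclass
class Entry:
    section: str
    body: str
    flags: list = field(default_factory=list)


def parse_hjt(text: str) -> list:
    """Split a HijackThis log into entries; process lists and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def triage(entries: list) -> list:
    """Attach review flags and return only the entries that received one."""
    for e in entries:
        body = e.body
        if e.section == "O1":
            h = HOSTS_RE.match(body)
            if h and h["ip"] not in LOOPBACK:
                e.flags.append(f"hosts redirect: {h['host']} -> {h['ip']}")
        elif body.endswith("(no file)"):
            e.flags.append("orphaned entry (target file missing)")
        elif e.section == "O4" and body.endswith("= ?"):
            e.flags.append("startup shortcut with unresolved target")
        elif e.section == "O20" and body.startswith("AppInit_DLLs:"):
            e.flags.append("AppInit_DLLs set: loads into every user32 process, verify vendor")
        elif e.section == "O23" and body.endswith("(file missing)"):
            e.flags.append("service binary missing (stale or removed)")
    return [e for e in entries if e.flags]


def report(text: str) -> list:
    """Return (section, reason) pairs for the entries worth a second look."""
    return [(e.section, why) for e in triage(parse_hjt(text)) for why in e.flags]


if __name__ == "__main__":
    for section, why in report(SAMPLE_LOG):
        print(f"{section}: {why}")
```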


#2
emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)

Hello CindyKay,

Welcome to Geekstogo.

I am having a look at your logs and will get back to you in a bit.

regards,
emeraldnzl

#3
emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)

Hello again CindyKay,

We need to have a better look at things going on in your computer.

In this post I am asking for an in depth scan. It will be very helpful in analysing your machine.

It is a bit complicated but if you take time, read the instructions carefully and do it step by step I am sure it will be okay. :)

If you have any questions though don't hesitate to ask.

Download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
  • Under Additional Scans check the boxes beside Reg - App Paths, Reg - Bot Check, Reg - Desktop Components, Reg - Disabled MS Config Items, Reg - Mountpoints2, File - Additional Folder Scans, and File - Purity Scan.
  • Under Drivers change it to Non-Microsoft.
  • Under Files Created Within and Files Modified Within change it to 90 days.
  • Under Rootkit Search change it to Yes.
  • Check the box at the top-left beside Scan All Users
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and post the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.

Make sure you attach the report in your reply. If it is too big to upload, then zip the text file and upload it that way.

PS: To attach a file, do the following:

* Click Add Reply
* Under the reply panel is the Attachments Panel
* Browse to find the attachment file you want to upload, highlight the file by clicking once on it, then click the green Upload button
* Once it has uploaded, click the Manage Current Attachments drop down box
* Click again on the icon that then shows to insert the attachment into your post.

#4
CindyKay (Topic Starter, Member, 12 posts)

Hi,
Thanks for your response.
When I attempt to open the OTScanIt.exe from the folder, a warning of a "Trojan Horse Generic 11.OW" comes up and then the OTScanIt.exe disappears and the "Catch It" is left in the folder and that is all.
I tried several times and the same thing kept happening.
Is there another way to open the OTScanIt.exe successfully?
Sorry,
Cindy

#5
emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)

Hello CindyKay,

No problem. :)

Some of the tools we use are identified by anti-malware programs as viruses.

My guess in your case is that AVG8's resident shield is getting in the way.

We need to disable it.

How to disable AVG's Resident Shield.

Right click the AVG icon and click Open.

In the Overview panel click on Resident Shield > Uncheck the Resident Shield Active box > Save Changes.

Try that and tell me how you get on.

regards
emeraldnzl

#6
CindyKay (Topic Starter, Member, 12 posts)

That worked and I was able to run the OTScanIt. I noticed on the log that a lot of the files are "Ashley" files. She no longer uses this computer so I can delete all of her files if that is a problem.
Attached is the log.
Thanks so much for your help.
Cindy

Attached File: OTScanIt_Log_ZIP.zip (450.31KB)

#7
emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)

Hi CindyKay,

Next move.

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix.

Included in the tutorial are instructions for the installation of a recovery program if you don't already have it - Windows XP Recovery Console.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

When you reboot your computer after installation, you will see the additional option for the Recovery Console present. Don't select Recovery Console as we don't need it. It is only there for emergency recovery use. By default, your main OS is selected here. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Once you have completed installation of the Recovery Console:

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log for further review.


#8
CindyKay (Topic Starter, Member, 12 posts)

Below is the ComboFix log first. Following that is the new Hijackthis log.
I never saw the place to install the recovery console so I didn't get to do that.


ComboFix 08-08-21.02 - Owner 2008-08-22 19:51:14.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.191 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Application Data\macromedia\Flash Player\#SharedObjects\8XGC45LS\interclick.com
C:\Documents and Settings\LocalService\Application Data\macromedia\Flash Player\#SharedObjects\8XGC45LS\interclick.com\ud.sol
C:\Documents and Settings\LocalService\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\LocalService\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\system32\atsxyzd.sys
C:\WINDOWS\system32\macidwe.exe
C:\WINDOWS\system32\REGOBJ.DLL
C:\WINDOWS\system32\sobicyt.exe
C:\WINDOWS\system32\tdxdowkc.exe
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFINDING
-------\Legacy_MACIDWE
-------\Legacy_PERFMONS
-------\Legacy_ROUTING
-------\Legacy_SOBICYT
-------\Legacy_TDXDOWKC
-------\Legacy_WSERVING


((((((((((((((((((((((((( Files Created from 2008-07-23 to 2008-08-23 )))))))))))))))))))))))))))))))
.

2008-08-17 20:18 . 2008-08-17 20:18 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\HorizonWimba
2008-08-17 17:47 . 2008-08-17 17:47 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-17 17:47 . 2008-08-17 17:47 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-08-17 17:47 . 2008-08-17 17:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-17 17:47 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-17 17:47 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-17 17:45 . 2008-08-17 17:45 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-08-17 17:23 . 2008-08-17 17:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-17 14:28 . 2008-08-17 14:38 <DIR> d-------- C:\Program Files\Security Task Manager
2008-08-17 14:28 . 2008-08-17 14:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-08-16 18:22 . 2008-08-14 13:46 22,512 --a------ C:\WINDOWS\system32\drivers\adwarealert.sys
2008-08-16 17:21 . 2008-08-17 16:58 1,917 --a------ C:\WINDOWS\imsins.BAK
2008-08-16 17:09 . 2008-08-16 17:09 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Symantec
2008-08-12 20:02 . 2008-08-12 20:02 <DIR> d-------- C:\Program Files\Ofoto
2008-08-12 20:02 . 2002-10-14 09:56 3,007,488 --------- C:\WINDOWS\system32\OfotoNow.scr
2008-08-12 20:02 . 2002-08-28 10:20 18,102 --------- C:\WINDOWS\system32\OfotoNow.res
2008-07-29 22:07 . 2008-07-29 22:07 <DIR> d-------- C:\Program Files\PassAlong
2008-07-29 22:07 . 2007-10-11 17:41 111,944 --a------ C:\WINDOWS\system32\TPActiveX.dll
2008-07-29 14:28 . 2008-07-29 14:28 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-28 19:18 . 2008-07-28 19:18 <DIR> d---s---- C:\Documents and Settings\LocalService\UserData
2008-07-27 14:50 . 2008-08-22 20:03 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-27 14:50 . 2008-07-27 14:50 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-27 14:50 . 2008-07-27 14:50 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-27 14:50 . 2008-07-27 14:50 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-27 14:49 . 2008-07-27 14:49 <DIR> d-------- C:\Program Files\AVG
2008-07-26 23:36 . 2008-07-26 23:36 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-13 00:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-10 03:03 --------- d-----w C:\Program Files\Java
2008-07-27 18:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-07-27 03:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\Skype
2008-07-27 02:20 --------- d-----w C:\Documents and Settings\Owner\Application Data\skypePM
2008-07-16 03:00 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-07-16 02:58 --------- d-----w C:\Program Files\Windows Live Favorites
2008-07-16 02:49 --------- d-----w C:\Program Files\Windows Live
2008-07-16 02:47 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-07-16 02:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-07-16 02:05 --------- d-----w C:\Program Files\Common Files\ArcSoft
2008-07-16 02:04 --------- d-----w C:\Program Files\Philips
2008-07-16 02:04 --------- d-----w C:\Program Files\DIFX
2008-07-16 02:03 --------- d-----w C:\Program Files\Common Files\SPC520NC
2008-07-12 14:03 --------- d-----w C:\Program Files\LimeWire
2008-07-12 04:17 --------- d-----w C:\Program Files\iTunes
2008-07-12 04:17 --------- d-----w C:\Program Files\iPod
2008-07-12 04:15 --------- d-----w C:\Program Files\Bonjour
2008-07-12 04:14 --------- d-----w C:\Program Files\QuickTime
2008-07-12 04:12 --------- d-----w C:\Program Files\Apple Software Update
2008-07-12 04:11 --------- d-----w C:\Program Files\Common Files\Apple
2008-07-11 01:04 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVGTOOLBAR
2008-07-10 13:35 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2006-01-13 20:52 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2005-12-25 20:50 0 -c--a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gateway Extended Warranty"="C:\Program Files\Gateway\GWCares\GWCares.exe" [2004-02-08 20:30 73728]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-18 23:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-18 23:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-18 23:10 114688]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 02:18 57344]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-13 20:13 185632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 20:16 1121792]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-27 14:49 1232152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 19:29 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VPro520.lnk - C:\WINDOWS\VPro520.exe [2008-07-15 22:03:04 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

R0 adwarealert;adwarealert;C:\WINDOWS\system32\DRIVERS\adwarealert.sys [2008-08-14 13:46]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-27 14:50]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-27 14:49]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-27 14:49]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-27 14:50]
S3 SPC520;Philips SPC520NC PC Camera;C:\WINDOWS\system32\drivers\SPC520.sys [2007-03-27 21:27]
S3 SPC520m;Philips SPC520NC PC Cameram;C:\WINDOWS\system32\drivers\SPC520m.sys [2007-03-27 21:27]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8263c3d0-4b52-11dc-adaa-00038a000015}]
\Shell\AutoRun\command - setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-23 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2005-11-25 C:\WINDOWS\Tasks\ISP signup reminder 1.job
- C:\WINDOWS\system32\OOBE\oobebaln.exe [2004-08-04 15:00]

2005-11-25 C:\WINDOWS\Tasks\ISP signup reminder 2.job
- C:\WINDOWS\system32\OOBE\oobebaln.exe [2004-08-04 15:00]

2005-11-25 C:\WINDOWS\Tasks\ISP signup reminder 3.job
- C:\WINDOWS\system32\OOBE\oobebaln.exe [2004-08-04 15:00]

2008-08-23 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-YSearchProtection - C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
HKCU-Run-updateMgr - C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKCU-Run-msnmsgr - C:\Program Files\MSN Messenger\msnmsgr.exe
HKCU-Run-Aim6 - (no file)
HKLM-Run-YSearchProtection - C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
HKLM-Run-ProfileWatcher - C:\Program Files\ProfileWatcher\profilewatcher.exe
HKLM-Run-LexPPS.exe - C:\WINDOWS\system32\lexpps.exe
MSConfigStartUp-OfotoNow USB Detection - C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\vjqa3tjp.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-22 20:01:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-08-22 20:10:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-23 00:10:21

Pre-Run: 677,871,616 bytes free
Post-Run: 604,065,792 bytes free

194 --- E O F --- 2008-08-22 23:30:48





Hijack This Log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:30, on 2008-08-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Gateway Extended Warranty] "C:\Program Files\Gateway\GWCares\GWCares.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: VPro520.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 7567 bytes


Thanks,
Cindy

#9 emeraldnzl (GeekU Moderator)
Hello again CindyKay,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8263c3d0-4b52-11dc-adaa-00038a000015}]


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Next

Kaspersky only works if you are using Internet Explorer.

Please do an online scan with Kaspersky WebScanner.

Click on the Kaspersky Online Scanner button. A box will come up, click Accept, this will allow it to install an ActiveX component and download its latest anti-virus database. (Note: It may take a couple of minutes)

  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    * Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    * Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    * Now click on the Save as Text button:
  • Save the file to your desktop.
Copy and paste that information in your next post.

So when you come back please post
  • ComboFix report
  • Kaspersky scan results

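The Registry:: line in the post above deletes a MountPoints2 key whose Shell\AutoRun\command points at an executable, and the first ComboFix run had already removed D:\Autorun.inf. MountPoints2 is where Windows caches, per volume, what it read from that volume's autorun.inf, so when a removable drive is suspected the file itself is the thing to read. The parser below is an added example, not code from this thread, from ComboFix or from any other tool named here; the autorun.inf it reads is constructed, modelled on the entries visible in the log, and the function names are my own.

```python
from __future__ import annotations

import re

# Keys in [autorun] that name a program for Windows to run outright, plus
# the shell\<verb>\command form that backs the right-click and default verbs.
LAUNCH_KEYS = {"open", "shellexecute"}
SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")

# Constructed sample autorun.inf, modelled on the log above. The real file
# was deleted by ComboFix and its contents are not known.
SAMPLE_AUTORUN_INF = """\
; constructed sample for illustration
[AutoRun]
icon=setup.exe,0
label=Holiday photos
OPEN=setupSNK.exe
shell\\Open=&Open
shell\\Open\\command=setupSNK.exe
shell\\explore\\command=setupSNK.exe /e
shell=open
UseAutoPlay=1
"""


def parse_autorun_inf(text: str) -> dict[str, dict[str, list[str]]]:
    """Parse INI-style autorun.inf text into {section: {key: [values]}}.

    Section and key names are lower-cased because Windows matches them
    case-insensitively; values keep their case. A repeated key keeps every
    value it was given so duplicates stay visible to the analyst.
    """
    sections: dict[str, dict[str, list[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        m = SECTION_RE.match(line)
        if m:
            current = m["name"].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue                      # stray text outside any section
        key, value = line.split("=", 1)
        sections[current].setdefault(key.strip().lower(), []).append(value.strip())
    return sections


def launch_commands(sections) -> list[tuple[str, str]]:
    """Return (key, command) pairs from [autorun] that would start a program."""
    found = []
    for key, values in sections.get("autorun", {}).items():
        is_verb_cmd = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or is_verb_cmd:
            found.extend((key, v) for v in values)
    return found


def default_verb(sections) -> str | None:
    """The verb a double-click on the drive runs: 'shell=<verb>' if set."""
    values = sections.get("autorun", {}).get("shell")
    return values[-1].lower() if values else None


if __name__ == "__main__":
    parsed = parse_autorun_inf(SAMPLE_AUTORUN_INF)
    for key, cmd in launch_commands(parsed):
        print(f"{key:<24} -> {cmd}")
    print("default verb:", default_verb(parsed))
```

Label and icon keys are deliberately left out of the result: they only change how the drive is shown, while the three commands and the shell= default are what decide whether opening the drive runs something.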

#10 CindyKay (Topic Starter)
Hi, I hope I've done this correctly. Thanks again! Cindy

ComboFix Report:

ComboFix 08-08-21.02 - Owner 2008-08-23 18:02:42.3 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-07-23 to 2008-08-23 )))))))))))))))))))))))))))))))
.

2008-08-23 18:01 . 2008-08-23 18:01 <DIR> d-------- C:\327882R2FWJFW
2008-08-17 20:18 . 2008-08-17 20:18 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\HorizonWimba
2008-08-17 17:47 . 2008-08-17 17:47 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-17 17:47 . 2008-08-17 17:47 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-08-17 17:47 . 2008-08-17 17:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-17 17:47 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-17 17:47 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-17 17:45 . 2008-08-17 17:45 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-08-17 17:23 . 2008-08-17 17:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-17 14:28 . 2008-08-17 14:38 <DIR> d-------- C:\Program Files\Security Task Manager
2008-08-17 14:28 . 2008-08-17 14:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-08-16 18:22 . 2008-08-14 13:46 22,512 --a------ C:\WINDOWS\system32\drivers\adwarealert.sys
2008-08-16 17:21 . 2008-08-17 16:58 1,917 --a------ C:\WINDOWS\imsins.BAK
2008-08-16 17:09 . 2008-08-16 17:09 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Symantec
2008-08-12 20:02 . 2008-08-12 20:02 <DIR> d-------- C:\Program Files\Ofoto
2008-08-12 20:02 . 2002-10-14 09:56 3,007,488 --------- C:\WINDOWS\system32\OfotoNow.scr
2008-08-12 20:02 . 2002-08-28 10:20 18,102 --------- C:\WINDOWS\system32\OfotoNow.res
2008-07-29 22:07 . 2008-07-29 22:07 <DIR> d-------- C:\Program Files\PassAlong
2008-07-29 22:07 . 2007-10-11 17:41 111,944 --a------ C:\WINDOWS\system32\TPActiveX.dll
2008-07-29 14:28 . 2008-07-29 14:28 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-28 19:18 . 2008-07-28 19:18 <DIR> d---s---- C:\Documents and Settings\LocalService\UserData
2008-07-27 14:50 . 2008-08-22 20:04 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-27 14:50 . 2008-07-27 14:50 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-27 14:50 . 2008-07-27 14:50 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-27 14:50 . 2008-07-27 14:50 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-27 14:49 . 2008-07-27 14:49 <DIR> d-------- C:\Program Files\AVG
2008-07-26 23:36 . 2008-07-26 23:36 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-13 00:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-10 03:03 --------- d-----w C:\Program Files\Java
2008-07-27 18:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-07-27 03:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\Skype
2008-07-27 02:20 --------- d-----w C:\Documents and Settings\Owner\Application Data\skypePM
2008-07-16 03:00 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-07-16 02:58 --------- d-----w C:\Program Files\Windows Live Favorites
2008-07-16 02:49 --------- d-----w C:\Program Files\Windows Live
2008-07-16 02:47 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-07-16 02:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-07-16 02:05 --------- d-----w C:\Program Files\Common Files\ArcSoft
2008-07-16 02:04 --------- d-----w C:\Program Files\Philips
2008-07-16 02:04 --------- d-----w C:\Program Files\DIFX
2008-07-16 02:03 --------- d-----w C:\Program Files\Common Files\SPC520NC
2008-07-12 14:03 --------- d-----w C:\Program Files\LimeWire
2008-07-12 04:17 --------- d-----w C:\Program Files\iTunes
2008-07-12 04:17 --------- d-----w C:\Program Files\iPod
2008-07-12 04:15 --------- d-----w C:\Program Files\Bonjour
2008-07-12 04:14 --------- d-----w C:\Program Files\QuickTime
2008-07-12 04:12 --------- d-----w C:\Program Files\Apple Software Update
2008-07-12 04:11 --------- d-----w C:\Program Files\Common Files\Apple
2008-07-11 01:04 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVGTOOLBAR
2008-07-10 13:35 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 15:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2006-01-13 20:52 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2005-12-25 20:50 0 -c--a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((( snapshot@2008-08-22_20.09.53.50 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gateway Extended Warranty"="C:\Program Files\Gateway\GWCares\GWCares.exe" [2004-02-08 20:30 73728]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-18 23:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-18 23:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-18 23:10 114688]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 02:18 57344]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-13 20:13 185632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 20:16 1121792]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-27 14:49 1232152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 19:29 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VPro520.lnk - C:\WINDOWS\VPro520.exe [2008-07-15 22:03:04 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

R0 adwarealert;adwarealert;C:\WINDOWS\system32\DRIVERS\adwarealert.sys [2008-08-14 13:46]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-27 14:50]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-27 14:49]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-27 14:49]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-27 14:50]
S3 SPC520;Philips SPC520NC PC Camera;C:\WINDOWS\system32\drivers\SPC520.sys [2007-03-27 21:27]
S3 SPC520m;Philips SPC520NC PC Cameram;C:\WINDOWS\system32\drivers\SPC520m.sys [2007-03-27 21:27]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-08-23 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2005-11-25 C:\WINDOWS\Tasks\ISP signup reminder 1.job
- C:\WINDOWS\system32\OOBE\oobebaln.exe [2004-08-04 15:00]

2005-11-25 C:\WINDOWS\Tasks\ISP signup reminder 2.job
- C:\WINDOWS\system32\OOBE\oobebaln.exe [2004-08-04 15:00]

2005-11-25 C:\WINDOWS\Tasks\ISP signup reminder 3.job
- C:\WINDOWS\system32\OOBE\oobebaln.exe [2004-08-04 15:00]

2008-08-23 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-23 18:05:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-08-23 18:08:45
ComboFix-quarantined-files.txt 2008-08-23 22:07:40
ComboFix2.txt 2008-08-23 00:10:29

Pre-Run: 953,528,320 bytes free
Post-Run: 931,024,896 bytes free

146 --- E O F --- 2008-08-23 12:15:43



Kaspersky Results:


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, August 23, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, August 23, 2008 13:54:09
Records in database: 1133192
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 56416
Threat name: 16
Infected objects: 16
Suspicious objects: 0
Duration of the scan: 01:46:24


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\SecTaskMan\sobicyt.exe.q_8048800_q Infected: Trojan.Win32.Agent.zgk 1
C:\Program Files\LimeWire\Cindy's\come see - michael w. smith.mp3 Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\QooBox\Quarantine\C\WINDOWS\system32\atsxyzd.sys.vir Infected: Trojan.Win32.DNSChanger.hpo 1
C:\QooBox\Quarantine\C\WINDOWS\system32\macidwe.exe.vir Infected: Trojan.Win32.Agent.zem 1
C:\QooBox\Quarantine\C\WINDOWS\system32\sobicyt.exe.vir Infected: Trojan.Win32.Agent.zng 1
C:\QooBox\Quarantine\C\WINDOWS\system32\tdxdowkc.exe.vir Infected: Trojan.Win32.Agent.zen 1
C:\WINDOWS\system32\ceswxfst.sys Infected: Trojan-Clicker.Win32.VB.bkq 1
C:\WINDOWS\system32\cexwxfst.sys Infected: Trojan-Clicker.Win32.VB.bjc 1
C:\WINDOWS\system32\cfexfst.sys Infected: Trojan-Clicker.Win32.VB.bnu 1
C:\WINDOWS\system32\edbvfct.sys Infected: Trojan-Clicker.Win32.VB.brm 1
C:\WINDOWS\system32\edtafct.sys Infected: Trojan-Clicker.Win32.VB.bqq 1
C:\WINDOWS\system32\otaxyzd.sys Infected: Trojan.Win32.DNSChanger.hrq 1
C:\WINDOWS\system32\stsycod.sys Infected: Trojan.Win32.Delf.dsw 1
C:\WINDOWS\system32\sxtsyctd.sys Infected: Trojan.Win32.Delf.dsu 1
C:\WINDOWS\system32\tcexfst.sys Infected: Trojan-Clicker.Win32.VB.bkx 1
C:\WINDOWS\system32\yaxcnxd.sys Infected: Trojan.Win32.DNSChanger.fvt 1

The selected area was scanned.

#11
emeraldnzl (GeekU Instructor, GeekU Moderator)

Hello again CindyKay,

Going well. Just a bit more to get. :)

On another matter. You have a file sharing program, LimeWire, on your machine. It is a P2P sharing program. P2P programs are a notorious source of infection. I recommend removing these programs if possible. You have got an infection from LimeWire and can go to Start > Control Panel > Add or Remove Programs to remove the program.

Now

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\Documents and Settings\All Users\Application Data\SecTaskMan\sobicyt.exe
C:\Program Files\LimeWire\Cindy's\come see - michael w. smith.mp3
C:\WINDOWS\system32\ceswxfst.sys
C:\WINDOWS\system32\cexwxfst.sys
C:\WINDOWS\system32\cfexfst.sys
C:\WINDOWS\system32\edbvfct.sys
C:\WINDOWS\system32\edtafct.sys
C:\WINDOWS\system32\otaxyzd.sys
C:\WINDOWS\system32\stsycod.sys
C:\WINDOWS\system32\sxtsyctd.sys
C:\WINDOWS\system32\tcexfst.sys
C:\WINDOWS\system32\yaxcnxd.sys

DirLook::
C:\Program Files\LimeWire\Cindy's

Sysrst::


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.

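Step 3 above builds the File:: list by hand from the Kaspersky report. The following script is an added example (not code from the post, from Geeks to Go or from ComboFix) that does the same triage programmatically: it parses the "Infected:" lines of a Kaspersky Online Scanner 7 report, leaves out anything already sitting in ComboFix's QooBox quarantine, de-duplicates the remaining paths, and emits a CFScript in the layout the post uses. Assumptions: the report text embedded below is copied from the Kaspersky results posted earlier in this thread; each path is kept exactly as the scanner reported it (so the SecTaskMan quarantined copy keeps its .q_8048800_q name); the DirLook:: target is supplied by the caller; all function names are mine.

```python
"""Build a ComboFix CFScript from a Kaspersky Online Scanner 7 report.

Added example; not code from the post, from Geeks to Go or from ComboFix.
"""
import re
from typing import Iterable, List, NamedTuple

# Copied from the Kaspersky report posted earlier in this thread (all 16 hits).
KASPERSKY_REPORT = r"""
File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\SecTaskMan\sobicyt.exe.q_8048800_q Infected: Trojan.Win32.Agent.zgk 1
C:\Program Files\LimeWire\Cindy's\come see - michael w. smith.mp3 Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\QooBox\Quarantine\C\WINDOWS\system32\atsxyzd.sys.vir Infected: Trojan.Win32.DNSChanger.hpo 1
C:\QooBox\Quarantine\C\WINDOWS\system32\macidwe.exe.vir Infected: Trojan.Win32.Agent.zem 1
C:\QooBox\Quarantine\C\WINDOWS\system32\sobicyt.exe.vir Infected: Trojan.Win32.Agent.zng 1
C:\QooBox\Quarantine\C\WINDOWS\system32\tdxdowkc.exe.vir Infected: Trojan.Win32.Agent.zen 1
C:\WINDOWS\system32\ceswxfst.sys Infected: Trojan-Clicker.Win32.VB.bkq 1
C:\WINDOWS\system32\cexwxfst.sys Infected: Trojan-Clicker.Win32.VB.bjc 1
C:\WINDOWS\system32\cfexfst.sys Infected: Trojan-Clicker.Win32.VB.bnu 1
C:\WINDOWS\system32\edbvfct.sys Infected: Trojan-Clicker.Win32.VB.brm 1
C:\WINDOWS\system32\edtafct.sys Infected: Trojan-Clicker.Win32.VB.bqq 1
C:\WINDOWS\system32\otaxyzd.sys Infected: Trojan.Win32.DNSChanger.hrq 1
C:\WINDOWS\system32\stsycod.sys Infected: Trojan.Win32.Delf.dsw 1
C:\WINDOWS\system32\sxtsyctd.sys Infected: Trojan.Win32.Delf.dsu 1
C:\WINDOWS\system32\tcexfst.sys Infected: Trojan-Clicker.Win32.VB.bkx 1
C:\WINDOWS\system32\yaxcnxd.sys Infected: Trojan.Win32.DNSChanger.fvt 1

The selected area was scanned.
"""


class Detection(NamedTuple):
    path: str
    threat: str
    count: int


# One report line: "<path> Infected: <threat name> <count>".
_LINE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")
# Folders where a hit is a copy that ComboFix has already quarantined.
QUARANTINE_MARKERS = ("\\qoobox\\quarantine\\",)
_DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


def parse_report(text: str) -> List[Detection]:
    """Return every 'Infected:' line of the report as a Detection."""
    found = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if m:
            found.append(Detection(m["path"], m["threat"], int(m["count"])))
    return found


def is_quarantined(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in QUARANTINE_MARKERS)


def skipped_quarantined(detections: Iterable[Detection]) -> List[str]:
    """Paths left out of the script because they are already quarantined."""
    return [d.path for d in detections if is_quarantined(d.path)]


def files_to_delete(detections: Iterable[Detection]) -> List[str]:
    """Live-on-disk hits, de-duplicated case-insensitively, in report order."""
    seen, out = set(), []
    for d in detections:
        if is_quarantined(d.path):
            continue
        if not _DRIVE_PATH.match(d.path):
            raise ValueError(f"not an absolute drive path: {d.path!r}")
        key = d.path.lower()
        if key not in seen:
            seen.add(key)
            out.append(d.path)
    return out


def build_cfscript(detections: Iterable[Detection], dirlook: Iterable[str] = (),
                   sysrst: bool = True) -> str:
    """Emit a CFScript in the same layout as the post: KillAll::, File::,
    DirLook::, Sysrst::."""
    detections = list(detections)
    dirlook = list(dirlook)
    lines = ["KillAll::", "", "File::", *files_to_delete(detections)]
    if dirlook:
        lines += ["", "DirLook::", *dirlook]
    if sysrst:
        lines += ["", "Sysrst::"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    dets = parse_report(KASPERSKY_REPORT)
    print(build_cfscript(dets, dirlook=[r"C:\Program Files\LimeWire\Cindy's"]))
```

Save the printed text as CFScript.txt next to ComboFix.exe, as step 3 says; the script only produces the text and does not run ComboFix. The QooBox entries are dropped on purpose: they are ComboFix's own quarantine copies, and listing them under File:: would only delete evidence that is already neutralised.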
#12
CindyKay (Topic Starter, Member)

I went to Add/Remove and deleted all of the LimeWire files I could find before I did the ComboFix thing. Do you know of any P2P sites similar to LimeWire that are safe?

Here is the ComboFix log:

ComboFix 08-08-21.02 - Owner 2008-08-24 16:34:56.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.255 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\All Users\Application Data\SecTaskMan\sobicyt.exe
C:\Program Files\LimeWire\Cindy's\come see - michael w. smith.mp3
C:\WINDOWS\system32\ceswxfst.sys
C:\WINDOWS\system32\cexwxfst.sys
C:\WINDOWS\system32\cfexfst.sys
C:\WINDOWS\system32\edbvfct.sys
C:\WINDOWS\system32\edtafct.sys
C:\WINDOWS\system32\otaxyzd.sys
C:\WINDOWS\system32\stsycod.sys
C:\WINDOWS\system32\sxtsyctd.sys
C:\WINDOWS\system32\tcexfst.sys
C:\WINDOWS\system32\yaxcnxd.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ceswxfst.sys
C:\WINDOWS\system32\cexwxfst.sys
C:\WINDOWS\system32\cfexfst.sys
C:\WINDOWS\system32\edbvfct.sys
C:\WINDOWS\system32\edtafct.sys
C:\WINDOWS\system32\otaxyzd.sys
C:\WINDOWS\system32\stsycod.sys
C:\WINDOWS\system32\sxtsyctd.sys
C:\WINDOWS\system32\tcexfst.sys
C:\WINDOWS\system32\yaxcnxd.sys

.
((((((((((((((((((((((((( Files Created from 2008-07-24 to 2008-08-24 )))))))))))))))))))))))))))))))
.

2008-08-17 20:18 . 2008-08-17 20:18 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\HorizonWimba
2008-08-17 17:47 . 2008-08-17 17:47 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-17 17:47 . 2008-08-17 17:47 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-08-17 17:47 . 2008-08-17 17:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-17 17:47 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-17 17:47 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-17 17:45 . 2008-08-17 17:45 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-08-17 17:23 . 2008-08-17 17:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-17 14:28 . 2008-08-17 14:38 <DIR> d-------- C:\Program Files\Security Task Manager
2008-08-17 14:28 . 2008-08-17 14:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-08-16 18:22 . 2008-08-14 13:46 22,512 --a------ C:\WINDOWS\system32\drivers\adwarealert.sys
2008-08-16 17:21 . 2008-08-19 16:47 1,917 --a------ C:\WINDOWS\imsins.BAK
2008-08-16 17:09 . 2008-08-16 17:09 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Symantec
2008-08-12 20:02 . 2008-08-12 20:02 <DIR> d-------- C:\Program Files\Ofoto
2008-08-12 20:02 . 2002-10-14 09:56 3,007,488 --------- C:\WINDOWS\system32\OfotoNow.scr
2008-08-12 20:02 . 2002-08-28 10:20 18,102 --------- C:\WINDOWS\system32\OfotoNow.res
2008-07-29 22:07 . 2008-07-29 22:07 <DIR> d-------- C:\Program Files\PassAlong
2008-07-29 22:07 . 2007-10-11 17:41 111,944 --a------ C:\WINDOWS\system32\TPActiveX.dll
2008-07-29 14:28 . 2008-07-29 14:28 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-28 19:18 . 2008-07-28 19:18 <DIR> d---s---- C:\Documents and Settings\LocalService\UserData
2008-07-27 14:50 . 2008-08-24 14:01 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-27 14:50 . 2008-07-27 14:50 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-27 14:50 . 2008-07-27 14:50 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-27 14:50 . 2008-07-27 14:50 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-27 14:49 . 2008-07-27 14:49 <DIR> d-------- C:\Program Files\AVG
2008-07-26 23:36 . 2008-07-26 23:36 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-24 20:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-08-13 00:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-10 03:03 --------- d-----w C:\Program Files\Java
2008-07-27 18:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-07-27 02:20 --------- d-----w C:\Documents and Settings\Owner\Application Data\skypePM
2008-07-16 03:00 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-07-16 02:58 --------- d-----w C:\Program Files\Windows Live Favorites
2008-07-16 02:49 --------- d-----w C:\Program Files\Windows Live
2008-07-16 02:47 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-07-16 02:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-07-16 02:05 --------- d-----w C:\Program Files\Common Files\ArcSoft
2008-07-16 02:04 --------- d-----w C:\Program Files\Philips
2008-07-16 02:04 --------- d-----w C:\Program Files\DIFX
2008-07-16 02:03 --------- d-----w C:\Program Files\Common Files\SPC520NC
2008-07-12 04:17 --------- d-----w C:\Program Files\iTunes
2008-07-12 04:17 --------- d-----w C:\Program Files\iPod
2008-07-12 04:15 --------- d-----w C:\Program Files\Bonjour
2008-07-12 04:14 --------- d-----w C:\Program Files\QuickTime
2008-07-12 04:12 --------- d-----w C:\Program Files\Apple Software Update
2008-07-12 04:11 --------- d-----w C:\Program Files\Common Files\Apple
2008-07-11 01:04 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVGTOOLBAR
2008-07-10 13:35 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2006-01-13 20:52 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2005-12-25 20:50 0 -c--a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Program Files\LimeWire\Cindy's ----

C:\Program Files\LimeWire\Cindy's\


((((((((((((((((((((((((((((((((((((((( System Restore )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{656DC5FF-3386-45CA-8147-C1C08D0B0F0F}\mpengine.dll
2008-08-02 01:04 3358800 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP864\A0232543.dll

C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{D361F4EF-94DE-4703-9C21-02099A6D77D0}\mpengine.dll
2008-08-02 01:04 3358800 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP862\A0231543.dll

2008-08-02 01:04 3358800 C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2008-08-02 01:04 3358800 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP862\A0231542.dll
2008-08-02 01:04 3358800 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP864\A0232542.dll

C:\Program Files\AdwareAlert\AdwareAlert.exe
2008-08-14 14:01 9098480 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP858\A0227572.exe

C:\Program Files\AdwareAlert\Difxapi.dll
2008-08-14 13:46 319456 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP858\A0227574.dll

C:\Program Files\AdwareAlert\FilterDrv\AdwareAlert.amd64.sys
2008-08-14 13:46 28144 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP858\A0227578.sys

C:\Program Files\AdwareAlert\FilterDrv\AdwareAlert.x86.sys
2008-08-14 13:46 22512 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP858\A0227581.sys

C:\Program Files\AdwareAlert\SpyCleaner.dll
2008-08-14 14:01 795888 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP858\A0227575.dll

C:\Program Files\AdwareAlert\TCL.dll
2008-08-14 14:01 165104 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP858\A0227576.dll

C:\Program Files\AdwareAlert\zlib.dll
2008-08-14 14:01 161008 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP858\A0227577.dll

2008-05-01 10:30 331776 C:\Program Files\Common Files\System\msadc\msadce.dll
2004-08-04 15:00 331776 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225219.dll

2008-06-23 05:49 18432 C:\Program Files\Internet Explorer\iedw.exe
2008-04-17 06:52 18432 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225161.exe

C:\Program Files\LimeWire\lib\jdic.dll
2008-06-18 14:46 110592 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP870\A0236547.dll

C:\Program Files\LimeWire\lib\SystemUtilities.dll
2008-06-18 14:46 90112 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP870\A0236550.dll

C:\Program Files\LimeWire\lib\SystemUtilitiesA.dll
2008-06-18 14:46 86016 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP870\A0236551.dll

C:\Program Files\LimeWire\lib\tray.dll
2008-06-18 14:46 45056 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP870\A0236552.dll

C:\Program Files\LimeWire\LimeWire.exe
2008-06-18 14:46 147456 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP870\A0236553.exe

C:\Program Files\LimeWire\uninstall.exe
2008-07-12 00:31 124399 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP870\A0236557.exe

2008-05-02 10:22 83968 C:\Program Files\Messenger\msgsc.dll
2004-08-04 11:06 82944 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225252.dll

C:\Program Files\Ofoto\OfotoNow\OFUSBS.dll
{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP855\A0227543.dll

C:\WINDOWS\system32\sobicyt.exe
2004-08-04 15:00 34816 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP857\A0227544.exe

C:\Program Files\XoftSpySE\autoupdate.dll
2008-08-13 13:29 249856 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP851\A0225389.dll

C:\Program Files\XoftSpySE\resources.dll
2008-08-13 13:29 122880 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP851\A0225391.dll

C:\Program Files\XoftSpySE\uninstall.exe
2008-08-16 10:36 67778 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP851\A0225382.exe

C:\Program Files\XoftSpySE\XoftSpy.exe
2008-08-13 13:29 728576 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP851\A0225387.exe

C:\Program Files\XoftSpySE\zlibwapi.dll
2008-08-13 13:29 72192 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP851\A0225390.dll

2007-11-30 08:39 17272 C:\WINDOWS\$hf_mig$\KB951748\spmsg.dll
2007-11-30 08:39 17272 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP851\A0225335.dll

2007-11-30 08:39 231288 C:\WINDOWS\$hf_mig$\KB951748\spuninst.exe
2007-11-30 08:39 231288 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP851\A0225334.exe

2007-11-30 08:39 26488 C:\WINDOWS\$hf_mig$\KB951748\update\spcustom.dll
2007-11-30 08:39 26488 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP851\A0225336.dll

2007-11-30 08:39 755576 C:\WINDOWS\$hf_mig$\KB951748\update\update.exe
2007-11-30 08:39 755576 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP851\A0225338.exe

2007-11-30 08:39 382840 C:\WINDOWS\$hf_mig$\KB951748\update\updspapi.dll
2007-11-30 08:39 382840 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP851\A0225339.dll

C:\WINDOWS\_000002_.tmp.dll
2008-06-21 06:36 18785 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP851\A0225330.dll

C:\WINDOWS\_000005_.tmp.dll
2008-04-11 15:18 12431 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225213.dll
2008-06-24 13:04 12431 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225255.dll

C:\WINDOWS\_000046_.tmp.dll
2008-07-03 20:43 27555 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225145.dll

C:\WINDOWS\assembly\temp\0CKS08GOW4\Microsoft.MapPoint.Rendering3D.dll
2008-07-18 20:49 770048 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225470.dll

C:\WINDOWS\assembly\temp\0CKS08GOW4\Microsoft.MapPoint.Rendering3D.Utility.dll
2008-07-18 20:49 131072 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225479.dll

C:\WINDOWS\assembly\temp\0W4CKS08GO\System.Data.SqlXml.ni.dll
2008-07-19 09:09 2756608 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225462.dll

C:\WINDOWS\assembly\temp\1X5DLS08GO\System.Runtime.Serialization.Formatters.Soap.ni.dll
2008-07-19 09:09 339968 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225453.dll

C:\WINDOWS\assembly\temp\3Y6EMU2AIQ\Microsoft.MapPoint.UtilityPartialTrust.ni.dll
2008-07-19 09:08 249856 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225458.dll

C:\WINDOWS\assembly\temp\3Z7FNV3BJR\Microsoft.MapPoint.Utility.ni.dll
2008-07-19 09:09 335872 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225451.dll

C:\WINDOWS\assembly\temp\4GOW4CJRZ7\Microsoft.MapPoint.Utility.dll
2008-07-18 20:49 94208 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225476.dll

C:\WINDOWS\assembly\temp\63BJRZ7FNU\Microsoft.MapPoint.Rendering3D.WorldMemoryDataSource.ni.dll
2008-07-19 09:09 1683456 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225450.dll

C:\WINDOWS\assembly\temp\8LT19HPX4B\Microsoft.MapPoint.GeoCommunities.resources.dll
2008-07-18 20:49 356352 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225483.dll

C:\WINDOWS\assembly\temp\9LT19HPX5D\Microsoft.MapPoint.Data.CompactMapFile.dll
2008-07-18 20:49 163840 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225465.dll

C:\WINDOWS\assembly\temp\9LT19HPX5D\Microsoft.MapPoint.Data.VirtualEarthTileDataSource.dll
2008-07-18 20:49 151552 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225467.dll

C:\WINDOWS\assembly\temp\9LT19HPX5D\Microsoft.MapPoint.Rendering3D.Resources.dll
2008-07-18 20:49 73728 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225474.dll

C:\WINDOWS\assembly\temp\9LT19HPX5D\Microsoft.WindowsLive.Id.Client.resources.dll
2008-07-18 20:49 106496 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225487.dll

C:\WINDOWS\assembly\temp\A6EMU2AHPX\Microsoft.MapPoint.Data.VirtualEarthTileDataSource.ni.dll
2008-07-19 09:09 856064 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225449.dll

C:\WINDOWS\assembly\temp\ALT19GOV3B\Microsoft.MapPoint.Graphics3D.dll
2008-07-18 20:49 540672 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225469.dll

C:\WINDOWS\assembly\temp\AMU19HPW4C\Microsoft.MapPoint.GeoCommunities.dll
2008-07-18 20:49 819200 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225481.dll

C:\WINDOWS\assembly\temp\AMU2AIQY5D\Microsoft.MapPoint.GraphicsAPI.dll
2008-07-18 20:49 880640 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225489.dll

C:\WINDOWS\assembly\temp\DAIQY6EMT1\Microsoft.MapPoint.Graphics3D.ni.dll
2008-07-19 09:09 2592768 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225452.dll

C:\WINDOWS\assembly\temp\E9HPX5DLT0\Microsoft.VisualC.ni.dll
2008-07-19 09:09 17920 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225460.dll

C:\WINDOWS\assembly\temp\GDKS08GOW3\Microsoft.MapPoint.Data.CompactMapFile.ni.dll
2008-07-19 09:09 475136 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225448.dll

C:\WINDOWS\assembly\temp\GS08GOW4CK\Microsoft.MapPoint.Network.dll
2008-07-18 20:49 77824 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225478.dll

C:\WINDOWS\assembly\temp\KFNV3BJRZ7\Microsoft.MapPoint.MapControl3D.dll
2008-07-18 20:49 143360 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225464.dll

C:\WINDOWS\assembly\temp\KW4CKS08GO\Microsoft.MapPoint.Rendering3D.Resources.dll
2008-07-18 20:49 69632 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225472.dll

C:\WINDOWS\assembly\temp\KW4CKSZ7FN\Microsoft.MapPoint.GeoCommunities.COM.dll
2008-07-18 20:49 65536 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225484.dll

C:\WINDOWS\assembly\temp\LGOV3BIQY6\Microsoft.MapPoint.Geometry.ni.dll
2008-07-19 09:08 839680 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225459.dll

C:\WINDOWS\assembly\temp\NJRZ7FNV3B\Microsoft.MapPoint.Rendering3D.Utility.ni.dll
2008-07-19 09:08 520192 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225455.dll

C:\WINDOWS\assembly\temp\NKS08GOW4C\Microsoft.MapPoint.Rendering3D.ni.dll
2008-07-19 09:08 3588096 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225456.dll

C:\WINDOWS\assembly\temp\OZ7FNV3BJR\Microsoft.MapPoint.Geometry.dll
2008-07-18 20:49 208896 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225468.dll

C:\WINDOWS\assembly\temp\Q2AIQY5DLT\Microsoft.WindowsLive.Id.Client.dll
2008-07-18 20:49 200704 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225486.dll

C:\WINDOWS\assembly\temp\RNV3BJRZ7F\Microsoft.MapPoint.Data.ni.dll
2008-07-19 09:09 1454080 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225454.dll

C:\WINDOWS\assembly\temp\S4CKS08GOV\Microsoft.MapPoint.Modeling.dll
2008-07-18 20:49 270336 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225485.dll

C:\WINDOWS\assembly\temp\SNV3BJRZ7F\Microsoft.MapPoint.GraphicsAPI.ni.dll
2008-07-19 09:09 1601536 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225461.dll

C:\WINDOWS\assembly\temp\T4CKS08FNV\Microsoft.MapPoint.Rendering3D.Resources.dll
2008-07-18 20:49 73728 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225475.dll

C:\WINDOWS\assembly\temp\U6EMU19HPX\Microsoft.MapPoint.Rendering3D.Resources.dll
2008-07-18 20:49 69632 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225473.dll

C:\WINDOWS\assembly\temp\W9HOW4CKRZ\Microsoft.MapPoint.UtilityPartialTrust.dll
2008-07-18 20:49 61440 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225477.dll

C:\WINDOWS\assembly\temp\X8GOW4CKS0\GeoCommunityCommon.dll
2008-07-18 20:49 33808 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225488.dll

C:\WINDOWS\assembly\temp\Y9HPW4CKS0\Microsoft.MapPoint.Rendering3D.Resources.dll
2008-07-18 20:49 73728 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225471.dll

C:\WINDOWS\assembly\temp\YAIQY6EMU2\Microsoft.MapPoint.Rendering3D.WorldMemoryDataSource.dll
2008-07-18 20:49 245760 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225480.dll

C:\WINDOWS\assembly\temp\ZBJRY6EMU2\Microsoft.MapPoint.Data.dll
2008-07-18 20:49 376832 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225466.dll

C:\WINDOWS\assembly\temp\ZCKS08GOW3\Microsoft.MapPoint.GeoCommunities.resources.dll
2008-07-18 20:49 356352 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225482.dll

C:\WINDOWS\assembly\temp\ZU2AIQY6EM\Microsoft.MapPoint.Modeling.ni.dll
2008-07-19 09:09 1863680 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225463.dll

C:\WINDOWS\assembly\temp\ZV3BJRZ7FN\Microsoft.MapPoint.MapControl3D.ni.dll
2008-07-19 09:08 372736 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP852\A0225457.dll

C:\WINDOWS\inf\_000000_.tmp.dll
2008-06-20 13:55 926 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225143.dll
2008-05-02 10:16 926 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225253.dll

C:\WINDOWS\system32\_000001_.tmp.dll
2007-11-30 08:39 17272 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP851\A0225327.dll

C:\WINDOWS\system32\_000004_.tmp.dll
2007-11-30 08:39 17272 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225212.dll
2007-11-30 08:39 17272 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225254.dll

C:\WINDOWS\system32\_000045_.tmp.dll
2007-11-30 08:39 17272 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225144.dll

C:\WINDOWS\system32\afinding.exe
2004-08-04 15:00 187392 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP858\A0227583.exe

C:\WINDOWS\system32\atsxyzd.sys
2004-08-04 15:00 278016 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP866\A0232553.sys

2008-06-23 11:38 1023488 C:\WINDOWS\system32\browseui.dll
2008-04-21 03:03 1023488 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225160.dll

2008-06-23 11:38 151040 C:\WINDOWS\system32\cdfview.dll
2008-04-21 03:03 151040 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225159.dll

C:\WINDOWS\system32\ceswxfst.sys
2004-08-04 15:00 40960 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP872\A0236597.sys

C:\WINDOWS\system32\cexwxfst.sys
2004-08-04 15:00 40960 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP872\A0236598.sys

C:\WINDOWS\system32\cfexfst.sys
2004-08-04 15:00 40960 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP872\A0236599.sys

C:\WINDOWS\system32\comsa32.sys
2004-08-04 15:00 3 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP853\A0225556.sys
2004-08-04 15:00 11 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP858\A0227582.sys

2004-08-04 15:00 27648 C:\WINDOWS\system32\conime.exe
2004-08-04 15:00 27648 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP857\A0227547.exe

2008-06-23 11:38 1054208 C:\WINDOWS\system32\danim.dll
2008-04-21 03:03 1054208 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225158.dll

2008-06-23 11:38 1023488 C:\WINDOWS\system32\dllcache\browseui.dll
2008-04-21 03:03 1023488 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225181.dll

2008-06-23 11:38 151040 C:\WINDOWS\system32\dllcache\cdfview.dll
2008-04-21 03:03 151040 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225180.dll

2008-06-23 11:38 1054208 C:\WINDOWS\system32\dllcache\danim.dll
2008-04-21 03:03 1054208 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225179.dll

2008-06-23 11:38 357888 C:\WINDOWS\system32\dllcache\dxtmsft.dll
2008-04-21 03:03 357888 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225178.dll

2008-06-23 11:38 205312 C:\WINDOWS\system32\dllcache\dxtrans.dll
2008-04-21 03:03 205312 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225177.dll

2008-07-07 16:32 253952 C:\WINDOWS\system32\dllcache\es.dll
2005-07-26 00:39 243200 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225245.dll

2008-06-23 11:38 55808 C:\WINDOWS\system32\dllcache\extmgr.dll
2008-04-21 03:03 55808 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225176.dll

2008-06-23 05:49 18432 C:\WINDOWS\system32\dllcache\iedw.exe
2008-04-17 06:52 18432 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225175.exe

2008-06-23 11:38 251392 C:\WINDOWS\system32\dllcache\iepeers.dll
2008-04-21 03:03 251392 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225174.dll

2008-04-11 14:50 683520 C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-21 02:15 683520 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225215.dll

2008-06-23 11:38 96256 C:\WINDOWS\system32\dllcache\inseng.dll
2008-04-21 03:03 96256 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225173.dll

2008-06-23 11:38 16384 C:\WINDOWS\system32\dllcache\jsproxy.dll
2008-04-21 03:03 16384 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225172.dll

2008-05-01 10:30 331776 C:\WINDOWS\system32\dllcache\msadce.dll
2004-08-04 15:00 331776 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225220.dll

2008-06-24 12:23 74240 C:\WINDOWS\system32\dllcache\mscms.dll
2005-06-28 21:46 74240 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225257.dll

2008-06-23 11:38 3059712 C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-21 03:03 3059712 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225171.dll

2008-06-23 11:38 449024 C:\WINDOWS\system32\dllcache\mshtmled.dll
2008-04-21 03:03 449024 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225170.dll

2008-06-23 11:38 146432 C:\WINDOWS\system32\dllcache\msrating.dll
2008-04-21 03:03 146432 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225169.dll

2008-06-23 11:38 532480 C:\WINDOWS\system32\dllcache\mstime.dll
2008-04-21 03:03 532480 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225168.dll

2004-08-04 15:00 15872 C:\WINDOWS\system32\dllcache\perfmon.exe
2004-08-04 15:00 15872 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP857\A0227554.exe
2004-08-04 15:00 15872 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP857\A0227555.exe

2008-06-23 11:38 39424 C:\WINDOWS\system32\dllcache\pngfilt.dll
2008-04-21 03:03 39424 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225167.dll

2008-06-23 11:38 1494528 C:\WINDOWS\system32\dllcache\shdocvw.dll
2008-04-21 03:04 1494528 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225166.dll

2008-06-23 11:38 474112 C:\WINDOWS\system32\dllcache\shlwapi.dll
2008-04-21 03:04 474112 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225165.dll

2008-06-23 11:38 615936 C:\WINDOWS\system32\dllcache\urlmon.dll
2008-04-21 03:04 615936 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225164.dll

2008-06-23 11:38 659456 C:\WINDOWS\system32\dllcache\wininet.dll
2008-04-21 03:04 659456 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225163.dll

C:\WINDOWS\system32\drivers\xwgqy.sys
2008-08-17 21:59 61440 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP858\A0228534.sys

2008-06-23 11:38 357888 C:\WINDOWS\system32\dxtmsft.dll
2008-04-21 03:03 357888 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225157.dll

2008-06-23 11:38 205312 C:\WINDOWS\system32\dxtrans.dll
2008-04-21 03:03 205312 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225156.dll

C:\WINDOWS\system32\edbvfct.sys
2004-08-04 15:00 36864 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP872\A0236600.sys

C:\WINDOWS\system32\edtafct.sys
2004-08-04 15:00 40960 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP872\A0236601.sys

2008-07-07 16:32 253952 C:\WINDOWS\system32\es.dll
2005-07-26 00:39 243200 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225244.dll
2005-07-26 00:39 243200 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225264.dll

2008-06-23 11:38 55808 C:\WINDOWS\system32\extmgr.dll
2008-04-21 03:03 55808 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225162.dll

2008-06-23 11:38 251392 C:\WINDOWS\system32\iepeers.dll
2008-04-21 03:03 251392 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225155.dll

2008-04-11 14:50 683520 C:\WINDOWS\system32\inetcomm.dll
2007-08-21 02:15 683520 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225214.dll

2008-06-23 11:38 96256 C:\WINDOWS\system32\inseng.dll
2008-04-21 03:03 96256 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225154.dll

2008-06-23 11:38 16384 C:\WINDOWS\system32\jsproxy.dll
2008-04-21 03:03 16384 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225153.dll

C:\WINDOWS\system32\macidwe.exe
{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP842\A0224995.exe
2004-08-04 15:00 34816 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP866\A0232551.exe

2007-04-09 13:23 28040 C:\WINDOWS\system32\mdimon.dll
2007-04-09 13:23 28040 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225098.dll

2004-08-04 15:00 47104 C:\WINDOWS\system32\mprui.dll
2004-08-04 15:00 47104 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP857\A0227548.dll

2008-08-05 14:11 15888504 C:\WINDOWS\system32\MRT.exe
2008-06-25 12:15 17972344 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225225.exe
2008-08-05 14:11 15888504 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP857\A0227549.exe

2008-06-24 12:23 74240 C:\WINDOWS\system32\mscms.dll
2005-06-28 21:46 74240 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225256.dll
2005-06-28 21:46 74240 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225265.dll

2008-06-23 11:38 3059712 C:\WINDOWS\system32\mshtml.dll
2008-04-21 03:03 3059712 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225262.dll

2008-06-23 11:38 449024 C:\WINDOWS\system32\mshtmled.dll
2008-04-21 03:03 449024 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225152.dll

2008-06-23 11:38 146432 C:\WINDOWS\system32\msrating.dll
2008-04-21 03:03 146432 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225151.dll

2008-06-23 11:38 532480 C:\WINDOWS\system32\mstime.dll
2008-04-21 03:03 532480 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225150.dll

C:\WINDOWS\system32\Nobicyt.exe
{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP845\A0225047.exe
2004-08-04 15:00 34816 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP858\A0228535.exe

C:\WINDOWS\system32\otaxyzd.sys
2004-08-04 15:00 278016 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP872\A0236602.sys

C:\WINDOWS\system32\perfs.exe
2004-08-04 15:00 33280 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP858\A0227587.exe

2008-06-23 11:38 39424 C:\WINDOWS\system32\pngfilt.dll
2008-04-21 03:03 39424 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225149.dll

C:\WINDOWS\system32\REGOBJ.DLL
1998-01-12 04:00 40448 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP866\A0232550.DLL

C:\WINDOWS\system32\routing.exe
2004-08-04 15:00 33792 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP858\A0227585.exe

2008-06-23 11:38 1494528 C:\WINDOWS\system32\shdocvw.dll
2008-04-21 03:04 1494528 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225261.dll

2008-06-23 11:38 474112 C:\WINDOWS\system32\shlwapi.dll
2008-04-21 03:04 474112 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225148.dll
2008-04-21 03:04 474112 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225260.dll

C:\WINDOWS\system32\sobicyt.exe
{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP842\A0224997.exe
2004-08-04 15:00 34816 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP866\A0232554.exe

2007-04-09 13:24 758664 C:\WINDOWS\system32\spool\drivers\w32x86\3\mdigraph.dll
2007-04-09 13:24 758664 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225093.dll

2007-04-09 13:23 46472 C:\WINDOWS\system32\spool\drivers\w32x86\3\mdiui.dll
2007-04-09 13:23 46472 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225095.dll

C:\WINDOWS\system32\spool\drivers\w32x86\3\Old\1\mdiui.dll
2007-04-09 13:23 46472 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225097.dll

C:\WINDOWS\system32\spool\drivers\w32x86\3\Old\1\UNIDRV.DLL
2004-08-04 01:56 264704 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP840\A0224970.DLL

C:\WINDOWS\system32\spool\drivers\w32x86\3\Old\1\UNIDRVUI.DLL
2004-08-04 01:56 197120 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP840\A0224971.DLL

C:\WINDOWS\system32\spool\drivers\w32x86\3\Old\1\UNIRES.DLL
2004-08-04 01:56 619520 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP840\A0224972.DLL

2007-04-09 13:24 758664 C:\WINDOWS\system32\spool\drivers\w32x86\mdigraph.dll
2007-04-09 13:24 758664 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225094.dll

2007-04-09 13:23 46472 C:\WINDOWS\system32\spool\drivers\w32x86\mdiui.dll
2007-04-09 13:23 46472 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225096.dll

2007-04-09 13:23 28552 C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
2007-04-09 13:23 28552 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225099.dll

C:\WINDOWS\system32\stsycod.sys
2004-08-04 15:00 643584 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP872\A0236603.sys

C:\WINDOWS\system32\sxtsyctd.sys
2004-08-04 15:00 644608 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP872\A0236604.sys

C:\WINDOWS\system32\tcexfst.sys
2004-08-04 15:00 40960 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP872\A0236605.sys

C:\WINDOWS\system32\tdxdowkc.exe
{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP842\A0224994.exe
2004-08-04 15:00 34816 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP866\A0232552.exe

2008-07-14 07:09 62976 C:\WINDOWS\system32\tzchange.exe
2007-11-13 07:31 60416 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225224.exe

2008-06-23 11:38 615936 C:\WINDOWS\system32\urlmon.dll
2008-04-21 03:04 615936 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225147.dll
2008-04-21 03:04 615936 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225259.dll

2008-06-23 11:38 659456 C:\WINDOWS\system32\wininet.dll
2008-04-21 03:04 659456 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225146.dll
2008-04-21 03:04 659456 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225258.dll

C:\WINDOWS\system32\wserving.exe
2004-08-04 15:00 186368 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP858\A0227584.exe

2008-07-03 05:14 351744 C:\WINDOWS\system32\xpsp3res.dll
2008-04-17 06:37 351744 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0225263.dll

C:\WINDOWS\system32\yaxcnxd.sys
2004-08-04 15:00 289280 {F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP872\A0236606.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gateway Extended Warranty"="C:\Program Files\Gateway\GWCares\GWCares.exe" [2004-02-08 20:30 73728]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-18 23:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-18 23:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-18 23:10 114688]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 02:18 57344]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-13 20:13 185632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 20:16 1121792]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-27 14:49 1232152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 19:29 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VPro520.lnk - C:\WINDOWS\VPro520.exe [2008-07-15 22:03:04 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

R0 adwarealert;adwarealert;C:\WINDOWS\system32\DRIVERS\adwarealert.sys [2008-08-14 13:46]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-27 14:50]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-27 14:49]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-27 14:49]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-27 14:50]
S3 SPC520;Philips SPC520NC PC Camera;C:\WINDOWS\system32\drivers\SPC520.sys [2007-03-27 21:27]
S3 SPC520m;Philips SPC520NC PC Cameram;C:\WINDOWS\system32\drivers\SPC520m.sys [2007-03-27 21:27]
.
Contents of the 'Scheduled Tasks' folder

2008-08-24 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2005-11-25 C:\WINDOWS\Tasks\ISP signup reminder 1.job
- C:\WINDOWS\system32\OOBE\oobebaln.exe [2004-08-04 15:00]

2005-11-25 C:\WINDOWS\Tasks\ISP signup reminder 2.job
- C:\WINDOWS\system32\OOBE\oobebaln.exe [2004-08-04 15:00]

2005-11-25 C:\WINDOWS\Tasks\ISP signup reminder 3.job
- C:\WINDOWS\system32\OOBE\oobebaln.exe [2004-08-04 15:00]

2008-08-24 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-24 16:40:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-08-24 16:52:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-24 20:52:25
ComboFix2.txt 2008-08-23 22:08:46
ComboFix3.txt 2008-08-23 00:10:29

Pre-Run: 1,149,964,288 bytes free
Post-Run: 1,178,820,608 bytes free

525 --- E O F --- 2008-08-24 12:41:38

#13
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello CindyKay,

Do you know of any P2P sites similar to Limewire that are safe?

There are absolutely no p2p programs that are safe. If you use them, your machine will get infected. If you get re-infected, you will not be helped here again, as frankly it is a waste of our time and there are a lot more deserving people who need our help.

This site is dedicated to malware removal; we would not in any way suggest a p2p program to use. It is against the rules here and we don't want your machine to get infected.

If you persist in using p2p programs, you will find that you will not get help here or at many other sites.

#14
CindyKay

    Member

  • Topic Starter
  • Member
  • 12 posts
Oh, I totally understand your policy. I've deleted all of the Limewire files that I can find and will not have a website such as that on my computer again. I've warned my teenagers not to load it either.
Thank you so much for your help through this.
Is there anything else I should do or am I healed?
Cindy

#15
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello CindyKay,

Yep, not quite there, a bit more to go. :)

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\WINDOWS\system32\comsa32.sys
C:\WINDOWS\_000002_.tmp.dll
C:\WINDOWS\_000005_.tmp.dll
C:\WINDOWS\_000046_.tmp.dll
C:\WINDOWS\inf\_000000_.tmp.dll
C:\WINDOWS\system32\_000001_.tmp.dll
C:\WINDOWS\system32\_000004_.tmp.dll
C:\WINDOWS\system32\_000045_.tmp.dll


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt.

So when you come back please post
  • the ComboFix text
  • and tell me how your machine is running now.
