Trojan.Zlob & dunno what else [RESOLVED] - Geeks to Go Forums

Jump to content

Log in Register Register Malware removal guide How it works

Trojan.Zlob & dunno what else [RESOLVED] HiJack This Log included

#1 5th Letter

  • Group: Member
  • Posts: 51
  • Joined: 22-November 08

Posted 22 November 2008 - 05:57 PM

I have a problem with my comp.... it freezes if you leave it inactive for say 5-10 minutes. My Symantec Antivirus keeps finding Trojan.Zlob and I do not know what to do now.... I have never used HiJack This before so I don't know what the log means..... Could someone possibly analyze it and tell me what, if anything, they see..... Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:42:57 PM, on 11/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Emory\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Emory\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Emory\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - (no file)
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {42D55BC3-0761-4EC5-B4D2-5FE2A4799EDC} - C:\WINDOWS\system32\vtUooOHB.dll (file missing)
O2 - BHO: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.0\gears.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Emory\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.0\gears.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: CabBuilder - http://ak.imgag.com/imgag/kiw/toolbar/down...llerControl.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Sally's%20Salon/Images/stg_drm.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Sally's%20Salon/Images/armhelper.ocx
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/d...lugin_0.5.1.cab
O17 - HKLM\System\CS2\Services\Tcpip\..\{3B1AE2CE-9827-430F-8CB1-FFC61F677E5F}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: byXoolii - byXoolii.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c90d24db877f26) (gupdate1c90d24db877f26) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 15328 bytes

Peace.

E

#2 RatHat

  • Group: Expert
  • Posts: 7,826
  • Joined: 26-October 06

Posted 22 November 2008 - 07:50 PM

Hi there,

Welcome to GeeksToGo.

The first thing I need you to do is go to this post at Bleeping Computer, and tell them that you are receiving help here.

OK, I need you to print out each post I make so that you can refer to it while we fix your computer. This is because there will be times when you are unable to be online to read my instructions, and I will want you to do everything very carefully. I also need you to follow my instructions in the order that they are given. If however, you cannot carry out one of them, please continue on with the next and let me know what you were unsuccessful with.

Next, I would like to make sure that you can view hidden files and folders;
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading SELECT Show hidden files and folders.
  • UNCHECK the Hide protected operating system files (recommended) option.
  • UNCHECK the Hide extensions for known file types option.
  • Click Yes to confirm.
  • Click OK.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - (no file)
O2 - BHO: (no name) - {42D55BC3-0761-4EC5-B4D2-5FE2A4799EDC} - C:\WINDOWS\system32\vtUooOHB.dll (file missing)
O2 - BHO: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll (file missing)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O20 - Winlogon Notify: byXoolii - byXoolii.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download ATF Cleaner by Atribune.
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    (If you are not sure how to disable your AntiVirus and AntiSpyware programs, please see this tutorial)


  • Double click on ComboFix.exe & follow the prompts.


  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Disable resident protections (Antivirus...); you can re-enable them after the scan

Download Lop S&D < here

Double-click Lop S&D.exe
Choose the language, then choose Option 1 (Search)
Wait till the end of the scan
Post the log which is created: (%SystemDrive%\lopR.txt)
Note: %SystemDrive% is usually, C:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


So in your next reply, please include the following logs:
  • The contents of Combofix.txt
  • The contents of the MBAM log
  • The contents of lopR.txt

Please make a separate post for each log, and also tell me how the computer is performing after completing all the above.

Regards,
RatHat

#3 5th Letter

  • Group: Member
  • Posts: 51
  • Joined: 22-November 08

Posted 23 November 2008 - 12:14 AM

OK here is my Combofix log:
ComboFix 08-11-22.02 - Emory 2008-11-22 23:32:38.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1128 [GMT -6:00]
Running from: c:\documents and settings\Emory\My Documents\My Music\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\BHOooUtv.ini
c:\windows\system32\BHOooUtv.ini2
c:\windows\system32\bxtkydkp.ini
c:\windows\system32\edLRYGgh.ini
c:\windows\system32\edLRYGgh.ini2
c:\windows\system32\eittobgb.ini
c:\windows\system32\ffuokfkl.ini
c:\windows\system32\lnooYJjl.ini
c:\windows\system32\lnooYJjl.ini2
c:\windows\system32\mkfqdxgw.ini
c:\windows\system32\PYaIknnn.ini2
c:\windows\system32\qjplefyt.ini
c:\windows\system32\tBLkmUtv.ini
c:\windows\system32\tBLkmUtv.ini2
c:\windows\system32\YbJQWyxx.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PERFMONS


((((((((((((((((((((((((( Files Created from 2008-10-23 to 2008-11-23 )))))))))))))))))))))))))))))))
.

2008-11-22 17:33 . 2008-11-22 17:33 <DIR> d-------- c:\program files\Trend Micro
2008-11-21 21:39 . 2008-11-21 21:39 <DIR> d-------- c:\program files\iPod
2008-11-21 21:38 . 2008-11-21 21:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-21 21:36 . 2008-11-21 21:37 <DIR> d-------- c:\program files\QuickTime
2008-11-20 13:50 . 2008-11-20 13:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-20 13:49 . 2008-11-20 13:49 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-11-20 13:49 . 2008-11-20 13:49 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-20 13:49 . 2008-11-20 13:49 <DIR> d-------- c:\documents and settings\Emory\Application Data\SUPERAntiSpyware.com
2008-11-15 23:02 . 2008-11-15 23:02 0 --a------ c:\windows\vpc32.INI
2008-11-15 21:02 . 2008-11-22 23:34 40 --a------ c:\windows\system32\profile.dat
2008-11-15 21:01 . 2008-11-15 21:01 <DIR> d-------- c:\program files\Symantec Client Security
2008-11-15 21:01 . 2008-11-15 21:01 <DIR> d-------- c:\program files\Symantec
2008-11-15 21:01 . 2006-01-31 13:29 107,696 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-11-15 21:01 . 2006-01-31 13:29 87,808 --a------ c:\windows\system32\S32EVNT1.DLL
2008-11-14 19:13 . 2008-11-22 17:35 2,078,818,304 --a------ c:\windows\MEMORY.DMP
2008-11-14 07:04 . 2008-11-15 21:17 <DIR> d-------- c:\program files\SpeedFan
2008-11-14 07:04 . 2008-11-14 07:04 45 --a------ c:\windows\system32\initdebug.nfo
2008-11-13 13:07 . 2006-02-28 06:00 10,096,640 --a--c--- c:\windows\system32\dllcache\hwxcht.dll
2008-11-13 13:05 . 2006-02-28 06:00 16,384 --a--c--- c:\windows\system32\dllcache\isignup.exe
2008-11-13 13:05 . 2008-11-13 13:05 749 -rah----- c:\windows\WindowsShell.Manifest
2008-11-13 13:05 . 2008-11-13 13:05 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest
2008-11-13 13:05 . 2008-11-13 13:05 749 -rah----- c:\windows\system32\sapi.cpl.manifest
2008-11-13 13:05 . 2008-11-13 13:05 749 -rah----- c:\windows\system32\ncpa.cpl.manifest
2008-11-13 13:05 . 2008-11-13 13:05 488 -rah----- c:\windows\system32\logonui.exe.manifest
2008-11-13 12:56 . 2008-11-13 13:11 <DIR> d-------- c:\windows\NV888220.TMP
2008-11-13 12:56 . 2007-10-04 17:14 136,260 --a------ c:\windows\system32\nvapps.nvb
2008-11-13 12:52 . 2006-02-28 06:00 24,661 --a------ c:\windows\system32\spxcoins.dll
2008-11-13 12:52 . 2006-02-28 06:00 24,661 --a--c--- c:\windows\system32\dllcache\spxcoins.dll
2008-11-13 12:52 . 2006-02-28 06:00 13,312 --a------ c:\windows\system32\irclass.dll
2008-11-13 12:52 . 2006-02-28 06:00 13,312 --a--c--- c:\windows\system32\dllcache\irclass.dll
2008-11-13 11:28 . 2008-11-13 11:28 7,680 --ahs---- c:\windows\Thumbs.db
2008-11-05 22:38 . 2008-11-05 22:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
2008-11-04 10:30 . 2008-11-04 10:30 90,112 --a------ c:\windows\system32\QuickTimeVR.qtx
2008-11-04 10:30 . 2008-11-04 10:30 57,344 --a------ c:\windows\system32\QuickTime.qts
2008-11-02 22:58 . 2008-11-02 22:58 <DIR> d-------- c:\program files\Alwil Software
2008-11-01 03:56 . 2008-11-02 22:53 <DIR> d-------- C:\1d085bb8ef03dd8ff89486702831
2008-10-31 11:11 . 2008-11-17 13:59 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-10-31 11:11 . 2008-11-17 13:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-31 11:01 . 2008-10-31 11:01 <DIR> d-------- c:\program files\Safer Networking
2008-10-30 06:55 . 2008-11-02 22:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\ATI
2008-10-29 10:31 . 2008-10-29 10:31 <DIR> d-------- c:\documents and settings\Emory\Application Data\Malwarebytes
2008-10-29 10:30 . 2008-10-29 10:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-24 13:40 . 2008-10-24 13:40 <DIR> d-------- c:\program files\Windows Sidebar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-23 05:28 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-23 01:54 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-11-22 03:39 --------- d-----w c:\program files\iTunes
2008-11-22 03:36 --------- d-----w c:\program files\Common Files\Apple
2008-11-20 22:40 --------- d-----w c:\program files\Google
2008-11-16 03:01 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-11-14 16:14 --------- d-----w c:\documents and settings\Emory\Application Data\LimeWire
2008-11-14 13:02 --------- d-----w c:\program files\Common Files\Ahead
2008-11-13 19:12 --------- d-----w c:\program files\McAfee
2008-11-10 02:13 --------- d-----w c:\program files\LimeWire
2008-11-10 02:13 --------- d-----w c:\documents and settings\Emory\Application Data\uTorrent
2008-11-03 04:59 --------- d-----w c:\program files\ATI
2008-11-03 04:58 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-03 04:58 --------- d-----w c:\program files\Lavasoft
2008-11-03 04:58 --------- d-----w c:\program files\ATI Technologies
2008-11-03 04:56 --------- d-----w c:\program files\Common Files\LightScribe
2008-11-03 04:56 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
2008-10-29 05:40 --------- d-----w c:\program files\AIM6
2008-10-24 20:05 --------- d-----w c:\documents and settings\Emory\Application Data\Nero
2008-10-24 20:02 --------- d-----w c:\program files\Common Files\Nero
2008-10-22 19:49 --------- d-----w c:\program files\Common Files\xing shared
2008-10-22 19:49 --------- d-----w c:\program files\Common Files\Real
2008-10-21 20:59 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-21 19:25 --------- d-----w c:\program files\DivX
2008-10-18 17:52 --------- d-----w c:\program files\VstPlugins
2008-10-16 22:05 --------- d-----w c:\program files\Common Files\Logishrd
2008-10-16 22:04 --------- d-----w c:\program files\Logitech
2008-10-16 22:04 --------- d-----w c:\documents and settings\All Users\Application Data\Logitech
2008-10-16 09:18 --------- d-----w c:\documents and settings\Emory\Application Data\Yahoo!
2008-10-15 18:44 262,144 ----a-w C:\ntuser.dat
2008-10-06 13:57 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-10-06 07:35 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-10-05 01:32 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-10-04 23:59 --------- d-----w c:\documents and settings\Emory\Application Data\J River
2008-10-04 19:42 --------- d-----w c:\documents and settings\Emory\Application Data\COWON
2008-10-04 18:44 --------- d-----w c:\program files\Common Files\MAGIX Shared
2008-10-03 12:25 --------- d-----w c:\documents and settings\All Users\Application Data\Citrix
2008-10-03 12:20 61,224 ----a-w c:\documents and settings\Emory\GoToAssistDownloadHelper.exe
2008-10-03 06:03 --------- d-----w c:\program files\Viewpoint
2008-10-03 06:03 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-09-24 03:09 3,331,072 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2008-09-24 01:18 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2007-12-27 18:14 774,144 ----a-w c:\program files\RngInterstitial.dll
2007-10-14 20:13 1,795,305 ----a-w c:\program files\WinRAR.zip
2008-06-02 23:55 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008060220080603\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-09-19 4347120]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]
"Google Update"="c:\documents and settings\Emory\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-26 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-11-17 1805552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-22 185872]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2006-02-28 44032]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-04 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~2\VPTray.exe" [2006-03-17 124656]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"nwiz"="nwiz.exe" [2007-10-04 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-12 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-02-01 8699904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Daisy.5THCOMPUTER^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Daisy.5THCOMPUTER\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\windows\system32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 10:09 63712 c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2006-02-28 06:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eligmini]
--a------ 2008-04-03 07:56 487424 c:\program files\Fisher-Price\Easy-Link internet launch pad\Easy-Link internet launch pad.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-02 11:53 133104 c:\documents and settings\Emory\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2006-07-07 17:15 600896 c:\program files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
--a------ 2006-07-07 17:14 576320 c:\program files\Microsoft IntelliType Pro\itype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2008-06-09 09:16 2363392 c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
--a------ 2007-07-25 15:02 563984 c:\program files\Common Files\Logishrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2007-07-25 15:06 2027792 c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\masqform.exe]
--a------ 2005-07-04 09:50 643072 c:\program files\PureEdge\Viewer 6.5\masqform.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfee Backup]
--a------ 2008-07-10 14:42 5129504 c:\program files\McAfee\MBK\McAfeeDataBackup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
--a------ 2008-07-11 17:48 641208 c:\program files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2008-02-01 14:32 8699904 c:\program files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-10-04 17:14 8491008 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-10-04 17:14 81920 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]
--a------ 2008-10-07 09:23 111856 c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2008-08-01 14:23 61440 c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-09-26 15:04 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-10-22 13:49 185872 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 18:20 866584 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
--a------ 2008-10-07 09:23 111856 c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-ra------ 2005-05-03 04:43 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
--a------ 2007-09-21 03:10 55824 c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-10-04 17:14 1626112 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-ra------ 2006-09-12 02:58 16264192 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-ra------ 2006-05-16 04:04 2879488 c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Nero BackItUp Scheduler 3"=2 (0x2)
"gusvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\GameHouse\\TextTwist\\TextTwist.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Destiny\\RadioDestiny Broadcaster\\RadioDestiny Broadcaster.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Ubisoft\\Heroes of Might and Magic V - Tribes of the East\\bin\\H5_Game.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S0 Spssys;Toshiba SPS Service;c:\windows\system32\drivers\spssys.sys []
S3 EWAVE;EWAVE;\??\c:\windows\system32\drivers\ew.sys [2008-02-02 1693344]
S3 FILESPY;FILESPY;\??\c:\windows\system32\drivers\FILESPY.sys [2008-02-02 26992]
S3 GP2MPM;GP2MPM;\??\c:\windows\system32\drivers\GP2MPM.SYS [2008-02-02 37600]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys []
S3 NSTATION;NSTATION;\??\c:\windows\system32\drivers\nstation.sys [2008-02-02 19808]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\Drivers\tascusb2.sys [2008-02-02 396192]
S3 TASCAM_US144_MIDI;TASCAM US-144 WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [2008-02-02 10752]
S3 TASCAM_US144_WDM;TASCAM US-144 WDM;c:\windows\system32\drivers\tscusb2a.sys [2008-02-02 19904]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-11-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-23 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-09-02 11:53]

2008-11-23 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Emory\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 11:53]

2008-10-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2008-11-12 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2008-11-23 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

2008-11-23 c:\windows\Tasks\User_Feed_Synchronization-{13EF8C67-315B-44CD-AF7A-29F1060B482C}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 17:36]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{0388BA0C-C7F1-4E6A-BD7A-B59623F33363} - (no file)
WebBrowser-{6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)
MSConfigStartUp-kdkjg - c:\windows\system32\kdkjg.exe
MSConfigStartUp-DW4 - c:\program files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
MSConfigStartUp-IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
MSConfigStartUp-msnmsgr - c:\program files\MSN Messenger\msnmsgr.exe
MSConfigStartUp-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
MSConfigStartUp-MyWebSearch Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL
MSConfigStartUp-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
MSConfigStartUp-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe
MSConfigStartUp-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Emory\Application Data\Mozilla\Firefox\Profiles\vfbn2frl.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://empiremusiq.iforums.us/
FF -: plugin - c:\documents and settings\Emory\Local Settings\Application Data\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF -: plugin - c:\program files\Google\Google Updater\2.2.1111.1511\npCIDetect11.dll
FF -: plugin - c:\program files\Google\Update\1.2.131.25\npGoogleOneClick6.dll
FF -: plugin - c:\program files\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\kSolo\npAVX.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npkimi.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPSFDMGR.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF -: plugin - c:\program files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-22 23:36:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP00000014EAFA47CFF9E163FF 524288 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(772)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\rsaenh.dll

- - - - - - - > 'lsass.exe'(828)
c:\windows\system32\msprivs.dll
c:\windows\system32\rsaenh.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Windows Defender\MsMpEng.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\Crypserv.exe
c:\program files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Logishrd\LVCOMSER\LVComSer.exe
c:\program files\McAfee\SiteAdvisor\McSACore.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
c:\program files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\program files\Common Files\Logishrd\LVCOMSER\LVComSer.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2008-11-22 23:45:33 - machine was rebooted [Emory]
ComboFix-quarantined-files.txt 2008-11-23 05:45:28

Pre-Run: 286,120,521,728 bytes free
Post-Run: 286,681,165,824 bytes free

386 --- E O F --- 2008-11-12 06:17:16

Peace.

E

#4 5th Letter

  • Group: Member
  • Posts: 51
  • Joined: 22-November 08

Posted 23 November 2008 - 12:15 AM

MBAM log:

Malwarebytes' Anti-Malware 1.30
Database version: 1417
Windows 5.1.2600 Service Pack 2

11/23/2008 12:05:52 AM
mbam-log-2008-11-23 (00-05-52).txt

Scan type: Quick Scan
Objects scanned: 54481
Time elapsed: 6 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Peace.

E

#5 5th Letter

  • Group: Member
  • Posts: 51
  • Joined: 22-November 08

Posted 23 November 2008 - 12:17 AM

And finally my Lop S&D log:

--------------------\\ Lop S&D 4.2.4-9c XP/Vista

Microsoft Windows XP Home Edition ( v5.1.2600 ) Service Pack 2
X86-based PC ( Multiprocessor Free : AMD Athlon™ 64 X2 Dual Core Processor 5200+ )
BIOS : Phoenix-Award BIOS v6.00PG
USER : Emory ( Administrator )
BOOT : Normal boot
Antivirus : Symantec AntiVirus Corporate Edition 10.1.0.394 (Activated)
Firewall : Symantec Client Firewall 8.7.0.58 (Activated)
A:\ (USB)
C:\ (Local Disk) - NTFS - Total:465 Go (Free:267 Go)
D:\ (CD or DVD)
E:\ (CD or DVD)

"C:\Lop SD" ( MAJ : 01-11-2008|16:30 )
Option : [1] ( Sun 11/23/2008| 0:07 )

--------------------\\ Listing folders in APPLIC~1

[11/21/2008|09:39] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> {3276BE95_AF08_429F_A64F_CA64CB79BCF6}
[10/11/2007|01:03] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> 55-63-82-56-5s-42
[10/08/2007|02:37] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> 7Wonders2
[06/26/2008|07:12] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> acccore
[08/22/2008|07:41] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe
[02/22/2008|10:57] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe Systems
[08/22/2008|07:41] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> ALM
[02/21/2008|04:26] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AOL
[02/21/2008|04:28] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AOL Downloads
[11/10/2007|08:22] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AOL OCP
[09/25/2007|11:59] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple
[03/01/2008|10:59] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple Computer
[11/02/2008|10:58] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> ATI
[02/01/2008|09:52] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> avg7
[07/21/2008|10:11] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AVS4YOU
[09/26/2007|03:01] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Azureus
[10/03/2008|06:25] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Citrix
[07/25/2008|08:53] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> DVD Shrink
[03/24/2008|09:11] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> FLEXnet
[04/09/2008|09:18] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Google
[09/19/2008|10:34] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Google Updater
[10/14/2007|10:15] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Grisoft
[07/24/2008|04:55] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Lavasoft
[10/01/2007|10:53] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> LightScribe
[02/11/2008|06:04] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> LogiShrd
[10/16/2008|04:04] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Logitech
[10/29/2008|10:30] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Malwarebytes
[10/06/2008|01:35] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> McAfee
[10/16/2008|04:01] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft
[08/19/2008|10:11] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft Help
[09/30/2007|10:49] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Musicnotes
[07/09/2008|07:42] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> n7-89-o9-3r-4t-r9
[11/02/2008|10:56] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Nero
[09/26/2007|02:29] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> NVIDIA
[12/26/2007|07:34] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> PlayFirst
[09/26/2007|01:47] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Propellerhead Software
[12/08/2007|04:08] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> PureEdge
[12/31/2007|04:03] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Simple Star Shared
[11/05/2008|10:38] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> SiteAdvisor
[04/11/2008|07:09] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Spiralfrog
[11/17/2008|01:59] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Spybot - Search & Destroy
[11/20/2008|01:50] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> SUPERAntiSpyware.com
[11/15/2008|09:01] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Symantec
[09/02/2008|01:02] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> TEMP
[10/08/2007|02:37] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Trymedia
[10/03/2008|12:03] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Viewpoint
[09/26/2007|06:36] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Windows Genuine Advantage
[11/26/2007|04:27] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Windows Live Toolbar
[10/04/2008|07:32] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Yahoo!
[10/06/2008|07:57] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Yahoo! Companion
[04/27/2008|11:31] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> YoGen

[02/01/2008|09:52] C:\DOCUME~1\Daisy\APPLIC~1\<DIR> AVG7
[01/06/2008|03:09] C:\DOCUME~1\Daisy\APPLIC~1\<DIR> Identities
[02/01/2008|09:52] C:\DOCUME~1\Daisy\APPLIC~1\<DIR> Microsoft
[01/06/2008|03:09] C:\DOCUME~1\Daisy\APPLIC~1\<DIR> Nero
[01/06/2008|03:09] C:\DOCUME~1\Daisy\APPLIC~1\<DIR> PureEdge
[01/06/2008|03:09] C:\DOCUME~1\Daisy\APPLIC~1\<DIR> Real


[07/25/2008|05:30] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Macromedia
[04/06/2008|08:37] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Microsoft

[12/15/2007|11:29] C:\DOCUME~1\Emory\APPLIC~1\<DIR> 7Wonders
[02/10/2008|01:27] C:\DOCUME~1\Emory\APPLIC~1\<DIR> Ableton
[11/10/2007|08:25] C:\DOCUME~1\Emory\APPLIC~1\<DIR> acccore
[08/22/2008|07:46] C:\DOCUME~1\Emory\APPLIC~1\<DIR> Adobe
[09/28/2007|05:20] C:\DOCUME~1\Emory\APPLIC~1\<DIR> AdobeUM
[02/01/2008|09:39] C:\DOCUME~1\Emory\APPLIC~1\<DIR> Apple Computer
[08/13/2008|12:32] C:\DOCUME~1\Emory\APPLIC~1\<DIR> ATI
[10/04/2008|01:42] C:\DOCUME~1\Emory\APPLIC~1\<DIR> COWON
[12/12/2007|07:12] C:\DOCUME~1\Emory\APPLIC~1\<DIR> CVS
[11/10/2007|03:05] C:\DOCUME~1\Emory\APPLIC~1\<DIR> DivX
[09/26/2007|07:44] C:\DOCUME~1\Emory\APPLIC~1\<DIR> Google
[09/25/2007|06:38] C:\DOCUME~1\Emory\APPLIC~1\<DIR> Identities
[10/04/2008|05:59] C:\DOCUME~1\Emory\APPLIC~1\<DIR> J River
[09/30/2007|09:35] C:\DOCUME~1\Emory\APPLIC~1\<DIR> Leadertech
[11/14/2008|10:14] C:\DOCUME~1\Emory\APPLIC~1\<DIR> LimeWire
[02/02/2008|10:54] C:\DOCUME~1\Emory\APPLIC~1\<DIR> Macromedia
[10/29/2008|10:31] C:\DOCUME~1\Emory\APPLIC~1\<DIR> Malwarebytes
[01/13/2008|07:08] C:\DOCUME~1\Emory\APPLIC~1\<DIR> Media Player Classic
[11/13/2008|01:25] C:\DOCUME~1\Emory\APPLIC~1\<DIR> Microsoft
[07/08/2008|04:05] C:\DOCUME~1\Emory\APPLIC~1\<DIR> Mozilla
[10/01/2007|09:37] C:\DOCUME~1\Emory\APPLIC~1\<DIR> MySpace
[10/24/2008|02:05] C:\DOCUME~1\Emory\APPLIC~1\<DIR> Nero
[03/24/2008|10:48] C:\DOCUME~1\Emory\APPLIC~1\<DIR> NetMedia Providers
[09/26/2007|01:56] C:\DOCUME~1\Emory\APPLIC~1\<DIR> Propellerhead Software
[09/26/2007|02:14] C:\DOCUME~1\Emory\APPLIC~1\<DIR> Publish Providers
[12/08/2007|04:08] C:\DOCUME~1\Emory\APPLIC~1\<DIR> PureEdge
[02/21/2008|05:05] C:\DOCUME~1\Emory\APPLIC~1\<DIR> QQ Games Plugin
[10/22/2008|01:49] C:\DOCUME~1\Emory\APPLIC~1\<DIR> Real
[12/31/2007|03:59] C:\DOCUME~1\Emory\APPLIC~1\<DIR> Simple Star
[12/22/2007|09:23] C:\DOCUME~1\Emory\APPLIC~1\<DIR> Sony
[02/01/2008|11:12] C:\DOCUME~1\Emory\APPLIC~1\<DIR> Sony Corporation
[03/28/2008|10:22] C:\DOCUME~1\Emory\APPLIC~1\<DIR> Sony Setup
[02/03/2008|09:15] C:\DOCUME~1\Emory\APPLIC~1\<DIR> Steinberg
[01/06/2008|01:13] C:\DOCUME~1\Emory\APPLIC~1\<DIR> Sun
[11/20/2008|01:49] C:\DOCUME~1\Emory\APPLIC~1\<DIR> SUPERAntiSpyware.com
[09/30/2007|11:11] C:\DOCUME~1\Emory\APPLIC~1\<DIR> Symantec
[08/13/2008|11:49] C:\DOCUME~1\Emory\APPLIC~1\<DIR> SystemRequirementsLab
[01/04/2008|09:02] C:\DOCUME~1\Emory\APPLIC~1\<DIR> Talkback
[03/24/2008|08:04] C:\DOCUME~1\Emory\APPLIC~1\<DIR> Uniblue
[11/09/2008|08:13] C:\DOCUME~1\Emory\APPLIC~1\<DIR> uTorrent
[04/11/2008|07:17] C:\DOCUME~1\Emory\APPLIC~1\<DIR> Viewpoint
[03/08/2008|10:35] C:\DOCUME~1\Emory\APPLIC~1\<DIR> W Photo Studio Viewer
[09/25/2007|08:14] C:\DOCUME~1\Emory\APPLIC~1\<DIR> WinRAR
[10/16/2008|03:18] C:\DOCUME~1\Emory\APPLIC~1\<DIR> Yahoo!

[10/14/2007|10:15] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> AVG7
[04/06/2008|09:26] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Microsoft
[11/22/2008|07:54] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> SACore

[04/06/2008|12:51] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Microsoft
[07/24/2008|08:07] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Mozilla

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[11/22/2008 09:21 PM][--a------] C:\WINDOWS\tasks\GoogleUpdateTaskUser.job
[11/22/2008 11:55 PM][--a------] C:\WINDOWS\tasks\GoogleUpdateTaskMachine.job
[11/22/2008 11:05 PM][--ah-----] C:\WINDOWS\tasks\User_Feed_Synchronization-{13EF8C67-315B-44CD-AF7A-29F1060B482C}.job
[11/22/2008 11:58 PM][--ah-----] C:\WINDOWS\tasks\MP Scheduled Scan.job
[10/15/2008 12:37 AM][--a------] C:\WINDOWS\tasks\McDefragTask.job
[11/12/2008 03:00 AM][--a------] C:\WINDOWS\tasks\McQcTask.job
[11/21/2008 09:28 PM][--a------] C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[11/22/2008 11:55 PM][--ah-----] C:\WINDOWS\tasks\SA.DAT
[02/28/2006 06:00 AM][-r-h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[02/10/2008|01:27] C:\Program Files\<DIR> Ableton
[08/22/2008|07:49] C:\Program Files\<DIR> Adobe
[10/28/2008|11:40] C:\Program Files\<DIR> AIM6
[11/02/2008|10:58] C:\Program Files\<DIR> Alwil Software
[08/11/2008|11:12] C:\Program Files\<DIR> AMD
[04/27/2008|11:26] C:\Program Files\<DIR> AnalogX
[09/11/2008|09:40] C:\Program Files\<DIR> Apple Software Update
[11/02/2008|10:59] C:\Program Files\<DIR> ATI
[11/02/2008|10:58] C:\Program Files\<DIR> ATI Technologies
[07/24/2008|04:01] C:\Program Files\<DIR> AVS4YOU
[09/11/2008|09:42] C:\Program Files\<DIR> Bonjour
[02/14/2008|07:59] C:\Program Files\<DIR> CDC 4 Studyware
[02/02/2008|11:02] C:\Program Files\<DIR> CDC 4 Studyware Demo
[11/22/2008|11:33] C:\Program Files\<DIR> Common Files
[11/13/2008|01:04] C:\Program Files\<DIR> ComPlus Applications
[04/20/2008|07:48] C:\Program Files\<DIR> Destiny
[09/25/2007|06:48] C:\Program Files\<DIR> DIFX
[08/27/2008|05:37] C:\Program Files\<DIR> DiskInternals
[10/21/2008|01:25] C:\Program Files\<DIR> DivX
[08/11/2008|05:16] C:\Program Files\<DIR> Fisher-Price
[07/09/2008|07:45] C:\Program Files\<DIR> GameHouse
[11/20/2008|04:40] C:\Program Files\<DIR> Google
[10/14/2007|10:15] C:\Program Files\<DIR> Grisoft
[08/04/2008|02:01] C:\Program Files\<DIR> Image-Line
[01/25/2008|08:57] C:\Program Files\<DIR> Images
[09/09/2008|11:36] C:\Program Files\<DIR> Imikimi
[11/02/2008|10:58] C:\Program Files\<DIR> InstallShield Installation Information
[03/05/2008|08:44] C:\Program Files\<DIR> InterActual
[11/20/2008|11:38] C:\Program Files\<DIR> Internet Explorer
[11/21/2008|09:39] C:\Program Files\<DIR> iPod
[11/21/2008|09:39] C:\Program Files\<DIR> iTunes
[07/31/2008|06:21] C:\Program Files\<DIR> Java
[08/06/2008|04:03] C:\Program Files\<DIR> kSolo
[11/02/2008|10:58] C:\Program Files\<DIR> Lavasoft
[11/09/2008|08:13] C:\Program Files\<DIR> LimeWire
[01/25/2008|08:56] C:\Program Files\<DIR> LockedCDCs
[10/16/2008|04:04] C:\Program Files\<DIR> Logitech
[11/22/2008|11:46] C:\Program Files\<DIR> Malwarebytes' Anti-Malware
[11/13/2008|01:12] C:\Program Files\<DIR> McAfee
[07/24/2008|08:13] C:\Program Files\<DIR> McAfee.com
[08/13/2008|01:40] C:\Program Files\<DIR> Messenger
[09/25/2007|06:34] C:\Program Files\<DIR> microsoft frontpage
[07/31/2008|06:10] C:\Program Files\<DIR> Microsoft IntelliPoint
[07/31/2008|06:09] C:\Program Files\<DIR> Microsoft IntelliType Pro
[10/21/2008|02:59] C:\Program Files\<DIR> Microsoft Silverlight
[11/13/2008|01:05] C:\Program Files\<DIR> Movie Maker
[11/22/2008|11:51] C:\Program Files\<DIR> Mozilla Firefox
[09/28/2007|06:30] C:\Program Files\<DIR> MSN
[09/25/2007|06:31] C:\Program Files\<DIR> MSN Gaming Zone
[04/06/2008|06:28] C:\Program Files\<DIR> MSN Messenger
[12/30/2007|10:43] C:\Program Files\<DIR> MSXML 4.0
[03/30/2008|02:00] C:\Program Files\<DIR> MSXML 6.0
[04/14/2008|01:11] C:\Program Files\<DIR> MySpace
[11/13/2008|01:05] C:\Program Files\<DIR> NetMeeting
[09/25/2007|06:31] C:\Program Files\<DIR> Online Services
[11/13/2008|01:05] C:\Program Files\<DIR> Outlook Express
[08/04/2008|02:01] C:\Program Files\<DIR> Outsim
[11/30/2007|10:53] C:\Program Files\<DIR> PowerISO
[06/06/2008|05:57] C:\Program Files\<DIR> Propellerhead
[12/08/2007|04:08] C:\Program Files\<DIR> PureEdge
[11/21/2008|09:37] C:\Program Files\<DIR> QuickTime
[04/11/2008|11:18] C:\Program Files\<DIR> Real
[09/25/2007|06:48] C:\Program Files\<DIR> Realtek
[03/28/2008|10:28] C:\Program Files\<DIR> Reference Assemblies
[10/31/2008|11:01] C:\Program Files\<DIR> Safer Networking
[03/28/2008|10:42] C:\Program Files\<DIR> Sony
[03/28/2008|10:21] C:\Program Files\<DIR> Sony Setup
[11/15/2008|09:17] C:\Program Files\<DIR> SpeedFan
[11/17/2008|01:59] C:\Program Files\<DIR> Spybot - Search & Destroy
[11/20/2008|01:49] C:\Program Files\<DIR> SUPERAntiSpyware
[12/29/2007|10:42] C:\Program Files\<DIR> SureThing CD Labeler 5
[11/15/2008|09:01] C:\Program Files\<DIR> Symantec
[11/15/2008|09:01] C:\Program Files\<DIR> Symantec Client Security
[08/13/2008|11:50] C:\Program Files\<DIR> SystemRequirementsLab
[02/02/2008|10:56] C:\Program Files\<DIR> Tascam
[11/22/2008|05:33] C:\Program Files\<DIR> Trend Micro
[08/19/2008|11:44] C:\Program Files\<DIR> Ubisoft
[09/25/2007|06:38] C:\Program Files\<DIR> Uninstall Information
[08/22/2008|11:59] C:\Program Files\<DIR> uTorrent
[10/03/2008|12:03] C:\Program Files\<DIR> Viewpoint
[10/18/2008|11:52] C:\Program Files\<DIR> VstPlugins
[09/26/2007|11:18] C:\Program Files\<DIR> Windows Defender
[11/26/2007|11:57] C:\Program Files\<DIR> Windows Live Toolbar
[09/26/2007|06:39] C:\Program Files\<DIR> Windows Media Connect 2
[11/13/2008|01:05] C:\Program Files\<DIR> Windows Media Player
[11/13/2008|01:04] C:\Program Files\<DIR> Windows NT
[10/24/2008|01:40] C:\Program Files\<DIR> Windows Sidebar
[09/25/2007|06:33] C:\Program Files\<DIR> WindowsUpdate
[01/05/2008|05:07] C:\Program Files\<DIR> WinRAR
[09/25/2007|06:34] C:\Program Files\<DIR> xerox
[01/13/2008|04:32] C:\Program Files\<DIR> XP Codec Pack
[08/08/2008|05:43] C:\Program Files\<DIR> Yahoo!
[04/09/2008|08:36] C:\Program Files\<DIR> Yahoo! Games

--------------------\\ Listing Folders in C:\Program Files\Common Files

[08/22/2008|07:40] C:\Program Files\Common Files\<DIR> Adobe
[11/14/2008|07:02] C:\Program Files\Common Files\<DIR> Ahead
[11/10/2007|08:20] C:\Program Files\Common Files\<DIR> AOL
[11/21/2008|09:36] C:\Program Files\Common Files\<DIR> Apple
[07/21/2008|10:16] C:\Program Files\Common Files\<DIR> AVSMedia
[02/01/2008|10:24] C:\Program Files\Common Files\<DIR> InstallShield
[09/26/2007|06:26] C:\Program Files\Common Files\<DIR> Java
[11/02/2008|10:56] C:\Program Files\Common Files\<DIR> LightScribe
[10/16/2008|04:05] C:\Program Files\Common Files\<DIR> Logishrd
[08/04/2008|02:27] C:\Program Files\Common Files\<DIR> Logitech
[08/22/2008|06:43] C:\Program Files\Common Files\<DIR> Macrovision Shared
[10/04/2008|12:44] C:\Program Files\Common Files\<DIR> MAGIX Shared
[07/24/2008|08:25] C:\Program Files\Common Files\<DIR> McAfee
[11/15/2008|09:01] C:\Program Files\Common Files\<DIR> Microsoft Shared
[09/25/2007|06:32] C:\Program Files\Common Files\<DIR> MSSoap
[10/24/2008|02:02] C:\Program Files\Common Files\<DIR> Nero
[09/26/2007|02:28] C:\Program Files\Common Files\<DIR> ODBC
[10/22/2008|01:49] C:\Program Files\Common Files\<DIR> Real
[09/25/2007|06:32] C:\Program Files\Common Files\<DIR> Services
[01/19/2008|03:47] C:\Program Files\Common Files\<DIR> Simple Star Shared
[09/26/2007|02:28] C:\Program Files\Common Files\<DIR> SpeechEngines
[12/29/2007|10:42] C:\Program Files\Common Files\<DIR> SureThing Shared
[11/22/2008|11:45] C:\Program Files\Common Files\<DIR> Symantec Shared
[11/13/2008|01:05] C:\Program Files\Common Files\<DIR> System
[11/20/2008|01:49] C:\Program Files\Common Files\<DIR> Wise Installation Wizard
[10/22/2008|01:49] C:\Program Files\Common Files\<DIR> xing shared

--------------------\\ Process

( 67 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

No Lop folder found !

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-23 00:08:45
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 0

--------------------\\ Searching for other infections

--------------------\\ Cracks & Keygens ..

C:\DOCUME~1\Emory\Application Data\uTorrent\Ahead Nero 9 - All Versions Keygen [h33t].torrent
C:\DOCUME~1\Emory\Desktop\Emulators\NES Emulator and 800+ ROMs\nes em\roms\CRACKOUT.NES
C:\DOCUME~1\Emory\Favorites\Comments on Sony.ACID.Pro.v6.0c.Incl.Keygen-SSG Software Windows - Sound Editing - Mininova.url
C:\DOCUME~1\Emory\Favorites\Comments on Sony.ACID.Pro.v6.0c.Incl.Keygen-SSG Software Windows - Sound Editing - Mininova.url
C:\DOCUME~1\Emory\My Documents\My Music\Bishop Lamont\bishop_lamont-pope_mobile-(dubcnn)\Bishop Lamont - Pope Mobile [Dubcnn.com]\01 - Pope Mobile Intro (Heaven) feat. Bilal & Rev. Keep It Crackin'.mp3
C:\DOCUME~1\Emory\My Documents\My Music\iTunes\iTunes Music\Freeway_Jay-Z_Memphis Bleek_Peedi Crack_
C:\DOCUME~1\Emory\My Documents\My Music\iTunes\iTunes Music\Freeway_Jay-Z_Memphis Bleek_Peedi Crack_\The Blueprintý_ The Gift & the Curse Dis
C:\DOCUME~1\Emory\My Documents\My Music\iTunes\iTunes Music\Freeway_Jay-Z_Memphis Bleek_Peedi Crack_\The Blueprintý_ The Gift & the Curse Dis\10 As One.m4a
C:\DOCUME~1\Emory\My Documents\My Music\iTunes\iTunes Music\Jay-Z\In My Lifetime, Vol. 1\12 Rap Game_Crack Game.m4a
C:\DOCUME~1\Emory\My Documents\My Music\iTunes\iTunes Music\The Notorious B.I.G_\Life After Death [Disc 2]\2-05 Ten Crack Commandments.m4a
C:\DOCUME~1\Emory\My Documents\My Music\iTunes\iTunes Music\Various\Late Registration\08 Crack Music.mp3
C:\DOCUME~1\Emory\My Documents\My Music\Jay-Z\In My Lifetime, Vol. 1\12 Rap Game-Crack Game.wma
C:\DOCUME~1\Emory\My Documents\My Music\Kanye West\Kanye_West_-_Late_Registration\Kanye West - Late Registration\08. Kanye West featuring Game - Crack Music.mp3
C:\DOCUME~1\Emory\My Documents\My Music\Notorious B.I.G\Life After Death [Disc 2]\Life After Death [Disc 2]\2-05 Ten Crack Commandments.m4a
C:\DOCUME~1\Emory\My Documents\My Music\OFTB\14 - O.F.T.B. - Crack'em - Above The Rim Soundtrack.mp3


[F:33][D:1]-> C:\DOCUME~1\Emory\LOCALS~1\Temp
[F:23][D:0]-> C:\DOCUME~1\Emory\Cookies
[F:35][D:4]-> C:\DOCUME~1\Emory\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - Sun 11/23/2008| 0:10 - Option : [1]

--------------------\\ Scan completed at 0:10:58



So that should be everything..... I'm not sure if anything's changed yet as it usually takes a little bit for my comp to freeze..... but we'll see..... And thanks in advance RatHat......

Peace.

E

#6 5th Letter

  • Group: Member
  • Posts: 51
  • Joined: 22-November 08

Posted 23 November 2008 - 01:05 AM

OK i let my system sit for about 30 mins. and it froze again..... pretty much the same at this point.....

Peace.

E

#7 RatHat

  • Group: Expert
  • Posts: 7,826
  • Joined: 26-October 06

Posted 23 November 2008 - 04:48 AM

Please run an online scan with Kaspersky WebScanner.
Note: You must use Internet Explorer to run this scan, and you must disable your Anti Virus program during the scan.

Click the Accept button.

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT

  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases

  • Click OK
  • Now under select a target to scan:
      Select My Computer

  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display the results if your system has been infected.
    • Now click on the View scan report link:

  • Click the Save report as button
  • Under Save as type, choose Text file (*.txt)
  • Save the file to your desktop as Kaspersky.txt
  • Copy and paste that information in your next post.


Regards,
RatHat

#8 5th Letter

  • Group: Member
  • Posts: 51
  • Joined: 22-November 08

Posted 23 November 2008 - 01:49 PM

OK here's my Kapersky log file.....

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, November 23, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, November 23, 2008 02:00:45
Records in database: 1404358
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 133641
Threat name: 2
Infected objects: 11
Suspicious objects: 0
Duration of the scan: 03:43:58


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ10.tmp Infected: Trojan-Downloader.Win32.Zlob.meq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ15.tmp Infected: Trojan-Downloader.Win32.Zlob.meq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ20.tmp Infected: Trojan-Downloader.Win32.Zlob.meq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQE.tmp Infected: Trojan-Downloader.Win32.Zlob.meq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQF.tmp Infected: Trojan-Downloader.Win32.Zlob.meq 1
C:\Documents and Settings\Emory\My Documents\My Music\Linkin Park\Collision Course\Jay-Z & Linkin Park - Collision Course\00-we_got_the_hottest_music_on_the_net.m3u.exe Infected: Trojan.Win32.Monderc.gen 1
C:\Documents and Settings\Emory\My Documents\My Music\Linkin Park\Collision Course\Jay-Z & Linkin Park - Collision Course\00-we_got_the_hottest_music_on_the_net.sfv.exe Infected: Trojan.Win32.Monderc.gen 1
C:\Documents and Settings\Emory\My Documents\My Music\Linkin Park\Collision Course\Jay-Z & Linkin Park - Collision Course\The Bonus Tracks.exe Infected: Trojan.Win32.Monderc.gen 1
C:\Documents and Settings\Emory\My Documents\My Music\Linkin Park\Jay-Z____Linkin_Park_-_Collision_Course\Jay-Z & Linkin Park - Collision Course\00-we_got_the_hottest_music_on_the_net.m3u.exe Infected: Trojan.Win32.Monderc.gen 1
C:\Documents and Settings\Emory\My Documents\My Music\Linkin Park\Jay-Z____Linkin_Park_-_Collision_Course\Jay-Z & Linkin Park - Collision Course\00-we_got_the_hottest_music_on_the_net.sfv.exe Infected: Trojan.Win32.Monderc.gen 1
C:\Documents and Settings\Emory\My Documents\My Music\Linkin Park\Jay-Z____Linkin_Park_-_Collision_Course\Jay-Z & Linkin Park - Collision Course\The Bonus Tracks.exe Infected: Trojan.Win32.Monderc.gen 1

The selected area was scanned.


Thanks.

Peace.

E

#9 RatHat

  • Group: Expert
  • Posts: 7,826
  • Joined: 26-October 06

Posted 23 November 2008 - 05:18 PM

Please uninstall the following programs:
LimeWire
uTorrent
Viewpoint (or anything with Viewpoint in the name)
  • Go to Start then Settings, then Control Panel
  • Choose Add or Remove Programs
  • Remove all of the above

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.


2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\vpc32.INI
C:\Documents and Settings\Emory\My Documents\My Music\Linkin Park\Collision Course\Jay-Z & Linkin Park - Collision Course\00-we_got_the_hottest_music_on_the_net.m3u.exe
C:\Documents and Settings\Emory\My Documents\My Music\Linkin Park\Collision Course\Jay-Z & Linkin Park - Collision Course\The Bonus Tracks.exe
C:\Documents and Settings\Emory\My Documents\My Music\Linkin Park\Jay-Z____Linkin_Park_-_Collision_Course\Jay-Z & Linkin Park - Collision Course\00-we_got_the_hottest_music_on_the_net.m3u.exe
C:\Documents and Settings\Emory\My Documents\My Music\Linkin Park\Jay-Z____Linkin_Park_-_Collision_Course\Jay-Z & Linkin Park - Collision Course\The Bonus Tracks.exe

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-

DirLook::
c:\windows\NV888220.TMP
C:\1d085bb8ef03dd8ff89486702831
c:\windows\TEMP\TMP00000014EAFA47CFF9E163FF



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

5. After reboot, (in case it asks to reboot), please post the Combofix.txt report into your next reply and let me know how the machine is doing now.


Regards,
RatHat

#10 5th Letter

  • Group: Member
  • Posts: 51
  • Joined: 22-November 08

Posted 23 November 2008 - 07:27 PM

OK here's my new Combofix log....

7:24 PM 11/23/2008ComboFix 08-11-22.02 - Emory 2008-11-23 18:50:09.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1083 [GMT -6:00]
Running from: c:\documents and settings\Emory\My Documents\My Music\ComboFix.exe
Command switches used :: c:\documents and settings\Emory\My Documents\CFScript.txt
* Created a new restore point

FILE ::
c:\documents and settings\Emory\My Documents\My Music\Linkin Park\Collision Course\Jay-Z & Linkin Park - Collision Course\00-we_got_the_hottest_music_on_the_net.m3u.exe
c:\documents and settings\Emory\My Documents\My Music\Linkin Park\Collision Course\Jay-Z & Linkin Park - Collision Course\The Bonus Tracks.exe
c:\documents and settings\Emory\My Documents\My Music\Linkin Park\Jay-Z____Linkin_Park_-_Collision_Course\Jay-Z & Linkin Park - Collision Course\00-we_got_the_hottest_music_on_the_net.m3u.exe
c:\documents and settings\Emory\My Documents\My Music\Linkin Park\Jay-Z____Linkin_Park_-_Collision_Course\Jay-Z & Linkin Park - Collision Course\The Bonus Tracks.exe
c:\windows\vpc32.INI
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\vpc32.INI

.
((((((((((((((((((((((((( Files Created from 2008-10-24 to 2008-11-24 )))))))))))))))))))))))))))))))
.

2008-11-23 07:42 . 2008-11-23 07:42 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-23 00:06 . 2008-11-23 00:10 <DIR> d-------- C:\Lop SD
2008-11-22 23:46 . 2008-11-22 23:46 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-22 23:46 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-22 23:46 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-22 17:33 . 2008-11-22 17:33 <DIR> d-------- c:\program files\Trend Micro
2008-11-21 21:39 . 2008-11-21 21:39 <DIR> d-------- c:\program files\iPod
2008-11-21 21:38 . 2008-11-21 21:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-21 21:36 . 2008-11-21 21:37 <DIR> d-------- c:\program files\QuickTime
2008-11-20 13:50 . 2008-11-20 13:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-20 13:49 . 2008-11-20 13:49 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-11-20 13:49 . 2008-11-20 13:49 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-20 13:49 . 2008-11-20 13:49 <DIR> d-------- c:\documents and settings\Emory\Application Data\SUPERAntiSpyware.com
2008-11-15 21:02 . 2008-11-23 09:13 40 --a------ c:\windows\system32\profile.dat
2008-11-15 21:01 . 2008-11-15 21:01 <DIR> d-------- c:\program files\Symantec Client Security
2008-11-15 21:01 . 2008-11-15 21:01 <DIR> d-------- c:\program files\Symantec
2008-11-15 21:01 . 2006-01-31 13:29 107,696 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-11-15 21:01 . 2006-01-31 13:29 87,808 --a------ c:\windows\system32\S32EVNT1.DLL
2008-11-14 19:13 . 2008-11-22 17:35 2,078,818,304 --a------ c:\windows\MEMORY.DMP
2008-11-14 07:04 . 2008-11-15 21:17 <DIR> d-------- c:\program files\SpeedFan
2008-11-14 07:04 . 2008-11-14 07:04 45 --a------ c:\windows\system32\initdebug.nfo
2008-11-13 13:07 . 2006-02-28 06:00 10,096,640 --a--c--- c:\windows\system32\dllcache\hwxcht.dll
2008-11-13 13:05 . 2006-02-28 06:00 16,384 --a--c--- c:\windows\system32\dllcache\isignup.exe
2008-11-13 13:05 . 2008-11-13 13:05 749 -rah----- c:\windows\WindowsShell.Manifest
2008-11-13 13:05 . 2008-11-13 13:05 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest
2008-11-13 13:05 . 2008-11-13 13:05 749 -rah----- c:\windows\system32\sapi.cpl.manifest
2008-11-13 13:05 . 2008-11-13 13:05 749 -rah----- c:\windows\system32\ncpa.cpl.manifest
2008-11-13 13:05 . 2008-11-13 13:05 488 -rah----- c:\windows\system32\logonui.exe.manifest
2008-11-13 12:56 . 2008-11-13 13:11 <DIR> d-------- c:\windows\NV888220.TMP
2008-11-13 12:56 . 2007-10-04 17:14 136,260 --a------ c:\windows\system32\nvapps.nvb
2008-11-13 12:52 . 2006-02-28 06:00 24,661 --a------ c:\windows\system32\spxcoins.dll
2008-11-13 12:52 . 2006-02-28 06:00 24,661 --a--c--- c:\windows\system32\dllcache\spxcoins.dll
2008-11-13 12:52 . 2006-02-28 06:00 13,312 --a------ c:\windows\system32\irclass.dll
2008-11-13 12:52 . 2006-02-28 06:00 13,312 --a--c--- c:\windows\system32\dllcache\irclass.dll
2008-11-13 11:28 . 2008-11-13 11:28 7,680 --ahs---- c:\windows\Thumbs.db
2008-11-05 22:38 . 2008-11-05 22:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
2008-11-04 10:30 . 2008-11-04 10:30 90,112 --a------ c:\windows\system32\QuickTimeVR.qtx
2008-11-04 10:30 . 2008-11-04 10:30 57,344 --a------ c:\windows\system32\QuickTime.qts
2008-11-02 22:58 . 2008-11-02 22:58 <DIR> d-------- c:\program files\Alwil Software
2008-11-01 03:56 . 2008-11-02 22:53 <DIR> d-------- C:\1d085bb8ef03dd8ff89486702831
2008-10-31 11:11 . 2008-11-17 13:59 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-10-31 11:11 . 2008-11-17 13:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-31 11:01 . 2008-10-31 11:01 <DIR> d-------- c:\program files\Safer Networking
2008-10-30 06:55 . 2008-11-02 22:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\ATI
2008-10-29 10:31 . 2008-10-29 10:31 <DIR> d-------- c:\documents and settings\Emory\Application Data\Malwarebytes
2008-10-29 10:30 . 2008-10-29 10:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-24 13:40 . 2008-10-24 13:40 <DIR> d-------- c:\program files\Windows Sidebar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-24 00:47 --------- d-----w c:\program files\LimeWire
2008-11-24 00:47 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-23 13:42 --------- d-----w c:\program files\Java
2008-11-23 05:45 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-23 01:54 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-11-22 03:39 --------- d-----w c:\program files\iTunes
2008-11-22 03:36 --------- d-----w c:\program files\Common Files\Apple
2008-11-20 22:40 --------- d-----w c:\program files\Google
2008-11-16 03:01 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-11-14 16:14 --------- d-----w c:\documents and settings\Emory\Application Data\LimeWire
2008-11-14 13:02 --------- d-----w c:\program files\Common Files\Ahead
2008-11-13 19:12 --------- d-----w c:\program files\McAfee
2008-11-03 04:59 --------- d-----w c:\program files\ATI
2008-11-03 04:58 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-03 04:58 --------- d-----w c:\program files\Lavasoft
2008-11-03 04:58 --------- d-----w c:\program files\ATI Technologies
2008-11-03 04:56 --------- d-----w c:\program files\Common Files\LightScribe
2008-11-03 04:56 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
2008-10-29 05:40 --------- d-----w c:\program files\AIM6
2008-10-24 20:05 --------- d-----w c:\documents and settings\Emory\Application Data\Nero
2008-10-24 20:02 --------- d-----w c:\program files\Common Files\Nero
2008-10-22 19:49 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-10-22 19:49 348,160 ----a-w c:\windows\system32\msvcr71.dll
2008-10-22 19:49 --------- d-----w c:\program files\Common Files\xing shared
2008-10-22 19:49 --------- d-----w c:\program files\Common Files\Real
2008-10-21 20:59 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-21 19:25 --------- d-----w c:\program files\DivX
2008-10-18 17:52 --------- d-----w c:\program files\VstPlugins
2008-10-16 22:05 --------- d-----w c:\program files\Common Files\Logishrd
2008-10-16 22:04 --------- d-----w c:\program files\Logitech
2008-10-16 22:04 --------- d-----w c:\documents and settings\All Users\Application Data\Logitech
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 09:18 --------- d-----w c:\documents and settings\Emory\Application Data\Yahoo!
2008-10-15 18:44 262,144 ----a-w C:\ntuser.dat
2008-10-06 13:57 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-10-06 07:35 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-10-05 01:32 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-10-04 23:59 --------- d-----w c:\documents and settings\Emory\Application Data\J River
2008-10-04 19:42 --------- d-----w c:\documents and settings\Emory\Application Data\COWON
2008-10-04 18:44 --------- d-----w c:\program files\Common Files\MAGIX Shared
2008-10-03 12:25 --------- d-----w c:\documents and settings\All Users\Application Data\Citrix
2008-10-03 12:20 61,224 ----a-w c:\documents and settings\Emory\GoToAssistDownloadHelper.exe
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-24 03:09 3,331,072 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2008-09-24 02:18 425,984 ----a-w c:\windows\system32\ATIDEMGX.dll
2008-09-24 02:17 311,296 ----a-w c:\windows\system32\ati2dvag.dll
2008-09-24 02:09 10,772,480 ----a-w c:\windows\system32\atioglxx.dll
2008-09-24 02:07 188,416 ----a-w c:\windows\system32\atipdlxx.dll
2008-09-24 02:06 43,520 ----a-w c:\windows\system32\ati2edxx.dll
2008-09-24 02:06 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe
2008-09-24 02:06 143,360 ----a-w c:\windows\system32\Oemdspif.dll
2008-09-24 02:06 143,360 ----a-w c:\windows\system32\ati2evxx.dll
2008-09-24 02:05 593,920 ----a-w c:\windows\system32\ati2sgag.exe
2008-09-24 02:04 581,632 ----a-w c:\windows\system32\ati2evxx.exe
2008-09-24 02:03 53,248 ----a-w c:\windows\system32\ATIDDC.DLL
2008-09-24 01:56 307,200 ----a-w c:\windows\system32\atiiiexx.dll
2008-09-24 01:54 4,008,864 ----a-w c:\windows\system32\ati3duag.dll
2008-09-24 01:38 2,399,744 ----a-w c:\windows\system32\ativvaxx.dll
2008-09-24 01:24 48,640 ----a-w c:\windows\system32\amdpcom32.dll
2008-09-24 01:20 380,928 ----a-w c:\windows\system32\atikvmag.dll
2008-09-24 01:19 39,424 ----a-w c:\windows\system32\atiadlxx.dll
2008-09-24 01:18 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2008-09-24 01:18 253,952 ----a-w c:\windows\system32\atiok3x2.dll
2008-09-24 01:18 17,408 ----a-w c:\windows\system32\atitvo32.dll
2008-09-24 01:12 573,440 ----a-w c:\windows\system32\ati2cqag.dll
2008-09-16 00:14 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-09-16 00:14 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-09-16 00:12 81,920 ----a-w c:\windows\system32\dpl100.dll
2008-09-16 00:12 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-09-16 00:12 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-09-16 00:12 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
2008-09-16 00:12 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-09-16 00:12 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-09-16 00:12 294,912 ----a-w c:\windows\system32\dpu10.dll
2008-09-16 00:12 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-09-16 00:12 196,608 ----a-w c:\windows\system32\dtu100.dll
2008-09-16 00:12 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-09-16 00:11 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-09-16 00:11 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-09-16 00:11 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-09-16 00:11 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-09-16 00:11 683,520 ----a-w c:\windows\system32\DivX.dll
2008-09-16 00:11 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-16 00:11 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-08-29 15:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 14:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2007-12-27 18:14 774,144 ----a-w c:\program files\RngInterstitial.dll
2007-10-14 20:13 1,795,305 ----a-w c:\program files\WinRAR.zip
2008-06-02 23:55 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008060220080603\index.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\1d085bb8ef03dd8ff89486702831 ----

2008-11-01 03:56 788 --ah----- c:\1d085bb8ef03dd8ff89486702831\$shtdwn$.req
2006-10-30 03:06 189828 --a------ c:\1d085bb8ef03dd8ff89486702831\baseline.dat
2006-10-30 03:05 98412 --a------ c:\1d085bb8ef03dd8ff89486702831\eula.2052.rtf
2006-10-30 03:05 96621 --a------ c:\1d085bb8ef03dd8ff89486702831\eula.1029.rtf
2006-10-30 03:05 9092 --a------ c:\1d085bb8ef03dd8ff89486702831\eula.1041.rtf
2006-10-30 03:05 82731 --a------ c:\1d085bb8ef03dd8ff89486702831\eula.1025.rtf
2006-10-30 03:05 75991 --a------ c:\1d085bb8ef03dd8ff89486702831\eula.1037.rtf
2006-10-30 03:05 75727 --a------ c:\1d085bb8ef03dd8ff89486702831\eula.1033.rtf
2006-10-30 03:05 620040 --a------ c:\1d085bb8ef03dd8ff89486702831\DW20.EXE
2006-10-30 03:05 5208 --a------ c:\1d085bb8ef03dd8ff89486702831\logo.bmp
2006-10-30 03:05 161383 --a------ c:\1d085bb8ef03dd8ff89486702831\eula.1049.rtf
2006-10-30 03:05 133833 --a------ c:\1d085bb8ef03dd8ff89486702831\eula.1036.rtf
2006-10-30 03:05 123784 --a------ c:\1d085bb8ef03dd8ff89486702831\eula.1044.rtf
2006-10-30 03:05 123052 --a------ c:\1d085bb8ef03dd8ff89486702831\eula.2070.rtf
2006-10-30 03:05 122956 --a------ c:\1d085bb8ef03dd8ff89486702831\eula.1045.rtf
2006-10-30 03:05 122675 --a------ c:\1d085bb8ef03dd8ff89486702831\eula.1040.rtf
2006-10-30 03:05 122440 --a------ c:\1d085bb8ef03dd8ff89486702831\eula.1031.rtf
2006-10-30 03:05 120525 --a------ c:\1d085bb8ef03dd8ff89486702831\eula.1053.rtf
2006-10-30 03:05 119869 --a------ c:\1d085bb8ef03dd8ff89486702831\eula.1043.rtf
2006-10-30 03:05 116787 --a------ c:\1d085bb8ef03dd8ff89486702831\eula.1035.rtf
2006-10-30 03:05 11670 --a------ c:\1d085bb8ef03dd8ff89486702831\eula.1042.rtf
2006-10-30 03:05 111553 --a------ c:\1d085bb8ef03dd8ff89486702831\eula.1028.rtf
2006-10-30 03:05 110614 --a------ c:\1d085bb8ef03dd8ff89486702831\eula.1032.rtf
2006-10-30 03:05 109120 --a------ c:\1d085bb8ef03dd8ff89486702831\DWINTL20.DLL
2006-10-30 03:05 108352 --a------ c:\1d085bb8ef03dd8ff89486702831\eula.1055.rtf
2006-10-30 03:05 105811 --a------ c:\1d085bb8ef03dd8ff89486702831\eula.1030.rtf
2006-10-30 03:05 105466 --a------ c:\1d085bb8ef03dd8ff89486702831\eula.1046.rtf
2006-10-30 03:05 100476 --a------ c:\1d085bb8ef03dd8ff89486702831\eula.3082.rtf
2006-10-30 03:05 100349 --a------ c:\1d085bb8ef03dd8ff89486702831\eula.1038.rtf
2006-10-30 03:04 557056 --a------ c:\1d085bb8ef03dd8ff89486702831\vs_setup.msi
2006-10-30 02:25 99600 --a------ c:\1d085bb8ef03dd8ff89486702831\DeleteTemp.exe
2006-10-30 02:25 365320 --a------ c:\1d085bb8ef03dd8ff89486702831\setup.exe
2006-10-30 02:25 194320 --a------ c:\1d085bb8ef03dd8ff89486702831\RebootStub.exe
2006-10-30 02:25 167176 --a------ c:\1d085bb8ef03dd8ff89486702831\runmsi.exe
2006-10-30 02:19 99840 --a------ c:\1d085bb8ef03dd8ff89486702831\WapRes.1045.dll
2006-10-30 02:19 99328 --a------ c:\1d085bb8ef03dd8ff89486702831\WapRes.1046.dll
2006-10-30 02:19 98816 --a------ c:\1d085bb8ef03dd8ff89486702831\WapRes.1055.dll
2006-10-30 02:19 98816 --a------ c:\1d085bb8ef03dd8ff89486702831\WapRes.1053.dll
2006-10-30 02:19 98816 --a------ c:\1d085bb8ef03dd8ff89486702831\WapRes.1049.dll
2006-10-30 02:19 98816 --a------ c:\1d085bb8ef03dd8ff89486702831\WapRes.1044.dll
2006-10-30 02:19 90624 --a------ c:\1d085bb8ef03dd8ff89486702831\setupres.2070.dll
2006-10-30 02:19 86528 --a------ c:\1d085bb8ef03dd8ff89486702831\setupres.1045.dll
2006-10-30 02:19 84480 --a------ c:\1d085bb8ef03dd8ff89486702831\setupres.1046.dll
2006-10-30 02:19 83968 --a------ c:\1d085bb8ef03dd8ff89486702831\setupres.1053.dll
2006-10-30 02:19 83968 --a------ c:\1d085bb8ef03dd8ff89486702831\setupres.1044.dll
2006-10-30 02:19 82944 --a------ c:\1d085bb8ef03dd8ff89486702831\setupres.1049.dll
2006-10-30 02:19 82432 --a------ c:\1d085bb8ef03dd8ff89486702831\setupres.1055.dll
2006-10-30 02:19 30644 --a------ c:\1d085bb8ef03dd8ff89486702831\LocData.1045.ini
2006-10-30 02:19 29504 --a------ c:\1d085bb8ef03dd8ff89486702831\LocData.1049.ini
2006-10-30 02:19 29392 --a------ c:\1d085bb8ef03dd8ff89486702831\LocData.1046.ini
2006-10-30 02:19 29386 --a------ c:\1d085bb8ef03dd8ff89486702831\LocData.2070.ini
2006-10-30 02:19 29102 --a------ c:\1d085bb8ef03dd8ff89486702831\LocData.1044.ini
2006-10-30 02:19 28950 --a------ c:\1d085bb8ef03dd8ff89486702831\LocData.1053.ini
2006-10-30 02:19 28826 --a------ c:\1d085bb8ef03dd8ff89486702831\LocData.1055.ini
2006-10-30 02:19 101376 --a------ c:\1d085bb8ef03dd8ff89486702831\WapRes.2070.dll
2006-10-30 02:18 99840 --a------ c:\1d085bb8ef03dd8ff89486702831\WapRes.1043.dll
2006-10-30 02:18 98816 --a------ c:\1d085bb8ef03dd8ff89486702831\WapRes.1042.dll
2006-10-30 02:18 98816 --a------ c:\1d085bb8ef03dd8ff89486702831\WapRes.1041.dll
2006-10-30 02:18 98816 --a------ c:\1d085bb8ef03dd8ff89486702831\WapRes.1037.dll
2006-10-30 02:18 98816 --a------ c:\1d085bb8ef03dd8ff89486702831\WapRes.1035.dll
2006-10-30 02:18 91648 --a------ c:\1d085bb8ef03dd8ff89486702831\setupres.1036.dll
2006-10-30 02:18 90112 --a------ c:\1d085bb8ef03dd8ff89486702831\setupres.3082.dll
2006-10-30 02:18 89600 --a------ c:\1d085bb8ef03dd8ff89486702831\setupres.1038.dll
2006-10-30 02:18 88064 --a------ c:\1d085bb8ef03dd8ff89486702831\setupres.1040.dll
2006-10-30 02:18 87040 --a------ c:\1d085bb8ef03dd8ff89486702831\setupres.1043.dll
2006-10-30 02:18 82944 --a------ c:\1d085bb8ef03dd8ff89486702831\setupres.1035.dll
2006-10-30 02:18 80384 --a------ c:\1d085bb8ef03dd8ff89486702831\setupres.1042.dll
2006-10-30 02:18 80384 --a------ c:\1d085bb8ef03dd8ff89486702831\setupres.1041.dll
2006-10-30 02:18 80384 --a------ c:\1d085bb8ef03dd8ff89486702831\setupres.1037.dll
2006-10-30 02:18 29928 --a------ c:\1d085bb8ef03dd8ff89486702831\LocData.1038.ini
2006-10-30 02:18 29824 --a------ c:\1d085bb8ef03dd8ff89486702831\LocData.1036.ini
2006-10-30 02:18 29778 --a------ c:\1d085bb8ef03dd8ff89486702831\LocData.3082.ini
2006-10-30 02:18 29298 --a------ c:\1d085bb8ef03dd8ff89486702831\LocData.1040.ini
2006-10-30 02:18 29220 --a------ c:\1d085bb8ef03dd8ff89486702831\LocData.1043.ini
2006-10-30 02:18 29118 --a------ c:\1d085bb8ef03dd8ff89486702831\LocData.1035.ini
2006-10-30 02:18 28094 --a------ c:\1d085bb8ef03dd8ff89486702831\LocData.1037.ini
2006-10-30 02:18 27620 --a------ c:\1d085bb8ef03dd8ff89486702831\LocData.1041.ini
2006-10-30 02:18 27262 --a------ c:\1d085bb8ef03dd8ff89486702831\LocData.1042.ini
2006-10-30 02:18 103424 --a------ c:\1d085bb8ef03dd8ff89486702831\WapRes.1036.dll
2006-10-30 02:18 102400 --a------ c:\1d085bb8ef03dd8ff89486702831\WapRes.3082.dll
2006-10-30 02:18 102400 --a------ c:\1d085bb8ef03dd8ff89486702831\WapRes.1038.dll
2006-10-30 02:18 101376 --a------ c:\1d085bb8ef03dd8ff89486702831\WapRes.1040.dll
2006-10-30 02:17 99840 --a------ c:\1d085bb8ef03dd8ff89486702831\WapRes.1030.dll
2006-10-30 02:17 99840 --a------ c:\1d085bb8ef03dd8ff89486702831\WapRes.1029.dll
2006-10-30 02:17 98816 --a------ c:\1d085bb8ef03dd8ff89486702831\WapRes.2052.dll
2006-10-30 02:17 98816 --a------ c:\1d085bb8ef03dd8ff89486702831\WapRes.1028.dll
2006-10-30 02:17 98816 --a------ c:\1d085bb8ef03dd8ff89486702831\WapRes.1025.dll
2006-10-30 02:17 94208 --a------ c:\1d085bb8ef03dd8ff89486702831\setupres.1032.dll
2006-10-30 02:17 89600 --a------ c:\1d085bb8ef03dd8ff89486702831\setupres.1031.dll
2006-10-30 02:17 87040 --a------ c:\1d085bb8ef03dd8ff89486702831\setupres.1030.dll
2006-10-30 02:17 86016 --a------ c:\1d085bb8ef03dd8ff89486702831\setupres.1029.dll
2006-10-30 02:17 80384 --a------ c:\1d085bb8ef03dd8ff89486702831\setupres.2052.dll
2006-10-30 02:17 80384 --a------ c:\1d085bb8ef03dd8ff89486702831\setupres.1028.dll
2006-10-30 02:17 80384 --a------ c:\1d085bb8ef03dd8ff89486702831\setupres.1025.dll
2006-10-30 02:17 30116 --a------ c:\1d085bb8ef03dd8ff89486702831\LocData.1032.ini
2006-10-30 02:17 29702 --a------ c:\1d085bb8ef03dd8ff89486702831\LocData.1029.ini
2006-10-30 02:17 29526 --a------ c:\1d085bb8ef03dd8ff89486702831\LocData.1031.ini
2006-10-30 02:17 29492 --a------ c:\1d085bb8ef03dd8ff89486702831\LocData.1030.ini
2006-10-30 02:17 28746 --a------ c:\1d085bb8ef03dd8ff89486702831\LocData.3076.ini
2006-10-30 02:17 28666 --a------ c:\1d085bb8ef03dd8ff89486702831\LocData.1025.ini
2006-10-30 02:17 26568 --a------ c:\1d085bb8ef03dd8ff89486702831\LocData.2052.ini
2006-10-30 02:17 26556 --a------ c:\1d085bb8ef03dd8ff89486702831\LocData.1028.ini
2006-10-30 02:17 104448 --a------ c:\1d085bb8ef03dd8ff89486702831\WapRes.1032.dll
2006-10-30 02:17 102400 --a------ c:\1d085bb8ef03dd8ff89486702831\WapRes.1031.dll
2006-10-29 22:20 541184 --a------ c:\1d085bb8ef03dd8ff89486702831\vsbasereqs.dll
2006-10-29 22:19 1103872 --a------ c:\1d085bb8ef03dd8ff89486702831\WapUI.dll
2006-10-29 22:18 98816 --a------ c:\1d085bb8ef03dd8ff89486702831\WapRes.dll
2006-10-29 22:18 816128 --a------ c:\1d085bb8ef03dd8ff89486702831\vsscenario.dll
2006-10-29 22:18 590848 --a------ c:\1d085bb8ef03dd8ff89486702831\vs70uimgr.dll
2006-10-29 22:17 1054720 --a------ c:\1d085bb8ef03dd8ff89486702831\gencomp.dll
2006-10-29 22:16 1139712 --a------ c:\1d085bb8ef03dd8ff89486702831\vs_setup.dll
2006-10-29 22:15 80384 --a------ c:\1d085bb8ef03dd8ff89486702831\setupres.dll
2006-10-29 22:15 220672 --a------ c:\1d085bb8ef03dd8ff89486702831\dlmgr.dll
2006-10-29 22:15 1621504 --a------ c:\1d085bb8ef03dd8ff89486702831\SITSetup.dll
2006-10-29 22:14 163328 --a------ c:\1d085bb8ef03dd8ff89486702831\HtmlLite.dll
2006-10-29 21:18 856 --a------ c:\1d085bb8ef03dd8ff89486702831\deffactory.dat
2006-10-29 21:18 28746 --a------ c:\1d085bb8ef03dd8ff89486702831\LocData.ini
2006-10-29 21:18 127482 --a------ c:\1d085bb8ef03dd8ff89486702831\setup.sdb
2006-10-29 21:18 11130 --a------ c:\1d085bb8ef03dd8ff89486702831\vs_setup.pdi

---- Directory of c:\windows\NV888220.TMP ----

2007-10-04 17:14 91094 --a------ c:\windows\NV888220.TMP\nv3d.chm
2007-10-04 17:14 60357 --a------ c:\windows\NV888220.TMP\nvmobjpn.chm
2007-10-04 17:14 59261 --a------ c:\windows\NV888220.TMP\nvmobcht.chm
2007-10-04 17:14 59225 --a------ c:\windows\NV888220.TMP\nvmobtha.chm
2007-10-04 17:14 59100 --a------ c:\windows\NV888220.TMP\nvmobell.chm
2007-10-04 17:14 59061 --a------ c:\windows\NV888220.TMP\nvmobkor.chm
2007-10-04 17:14 58607 --a------ c:\windows\NV888220.TMP\nvmobchs.chm
2007-10-04 17:14 58340 --a------ c:\windows\NV888220.TMP\nvmobheb.chm
2007-10-04 17:14 57545 --a------ c:\windows\NV888220.TMP\nvmobsky.chm
2007-10-04 17:14 57512 --a------ c:\windows\NV888220.TMP\nvmobhun.chm
2007-10-04 17:14 57450 --a------ c:\windows\NV888220.TMP\nvmobtrk.chm
2007-10-04 17:14 57387 --a------ c:\windows\NV888220.TMP\nvmobcsy.chm
2007-10-04 17:14 57380 --a------ c:\windows\NV888220.TMP\nvmobslv.chm
2007-10-04 17:14 57376 --a------ c:\windows\NV888220.TMP\nvmobplk.chm
2007-10-04 17:14 57339 --a------ c:\windows\NV888220.TMP\nvmobrus.chm
2007-10-04 17:14 57328 --a------ c:\windows\NV888220.TMP\nvmobara.chm
2007-10-04 17:14 56934 --a------ c:\windows\NV888220.TMP\nvmobfin.chm
2007-10-04 17:14 56175 --a------ c:\windows\NV888220.TMP\nvmobita.chm
2007-10-04 17:14 56087 --a------ c:\windows\NV888220.TMP\nvmobfra.chm
2007-10-04 17:14 56087 --a------ c:\windows\NV888220.TMP\nvmobdeu.chm
2007-10-04 17:14 55992 --a------ c:\windows\NV888220.TMP\nvmobesm.chm
2007-10-04 17:14 55946 --a------ c:\windows\NV888220.TMP\nvmobptb.chm
2007-10-04 17:14 55845 --a------ c:\windows\NV888220.TMP\nvmobptg.chm
2007-10-04 17:14 55693 --a------ c:\windows\NV888220.TMP\nvmobsve.chm
2007-10-04 17:14 55669 --a------ c:\windows\NV888220.TMP\nvmobesn.chm
2007-10-04 17:14 55622 --a------ c:\windows\NV888220.TMP\nvmobdan.chm
2007-10-04 17:14 55525 --a------ c:\windows\NV888220.TMP\nvmobnor.chm
2007-10-04 17:14 55475 --a------ c:\windows\NV888220.TMP\nvmobnld.chm
2007-10-04 17:14 55103 --a------ c:\windows\NV888220.TMP\nvmobeng.chm
2007-10-04 17:14 54988 --a------ c:\windows\NV888220.TMP\nvmob.chm
2007-10-04 17:14 249426 --a------ c:\windows\NV888220.TMP\nvdspjpn.chm
2007-10-04 17:14 231666 --a------ c:\windows\NV888220.TMP\nvdspkor.chm
2007-10-04 17:14 228555 --a------ c:\windows\NV888220.TMP\nvdsptha.chm
2007-10-04 17:14 220343 --a------ c:\windows\NV888220.TMP\nvdspell.chm
2007-10-04 17:14 220295 --a------ c:\windows\NV888220.TMP\nvdspsky.chm
2007-10-04 17:14 220228 --a------ c:\windows\NV888220.TMP\nvdspchs.chm
2007-10-04 17:14 216870 --a------ c:\windows\NV888220.TMP\nvdspcht.chm
2007-10-04 17:14 216226 --a------ c:\windows\NV888220.TMP\nvdspheb.chm
2007-10-04 17:14 213703 --a------ c:\windows\NV888220.TMP\nvdsptrk.chm
2007-10-04 17:14 212753 --a------ c:\windows\NV888220.TMP\nvdsphun.chm
2007-10-04 17:14 212669 --a------ c:\windows\NV888220.TMP\nvdsprus.chm
2007-10-04 17:14 211309 --a------ c:\windows\NV888220.TMP\nvdspplk.chm
2007-10-04 17:14 209976 --a------ c:\windows\NV888220.TMP\nvdspslv.chm
2007-10-04 17:14 209813 --a------ c:\windows\NV888220.TMP\nvdspcsy.chm
2007-10-04 17:14 207242 --a------ c:\windows\NV888220.TMP\nvdspara.chm
2007-10-04 17:14 206448 --a------ c:\windows\NV888220.TMP\nvdspfin.chm
2007-10-04 17:14 204359 --a------ c:\windows\NV888220.TMP\nvdspptg.chm
2007-10-04 17:14 204223 --a------ c:\windows\NV888220.TMP\nvdspita.chm
2007-10-04 17:14 202745 --a------ c:\windows\NV888220.TMP\nvdspdeu.chm
2007-10-04 17:14 200730 --a------ c:\windows\NV888220.TMP\nvdspesn.chm
2007-10-04 17:14 198623 --a------ c:\windows\NV888220.TMP\nvdspsve.chm
2007-10-04 17:14 197183 --a------ c:\windows\NV888220.TMP\nvdspdan.chm
2007-10-04 17:14 195540 --a------ c:\windows\NV888220.TMP\nvdspesm.chm
2007-10-04 17:14 195053 --a------ c:\windows\NV888220.TMP\nvdspnld.chm
2007-10-04 17:14 194897 --a------ c:\windows\NV888220.TMP\nvdspptb.chm
2007-10-04 17:14 194807 --a------ c:\windows\NV888220.TMP\nvdspfra.chm
2007-10-04 17:14 194024 --a------ c:\windows\NV888220.TMP\nvdspnor.chm
2007-10-04 17:14 182638 --a------ c:\windows\NV888220.TMP\nvdspeng.chm
2007-10-04 17:14 170201 --a------ c:\windows\NV888220.TMP\nvdsp.chm
2007-10-04 17:14 130910 --a------ c:\windows\NV888220.TMP\nvcpljpn.chm
2007-10-04 17:14 128742 --a------ c:\windows\NV888220.TMP\nvcpltha.chm
2007-10-04 17:14 128443 --a------ c:\windows\NV888220.TMP\nv3djpn.chm
2007-10-04 17:14 128314 --a------ c:\windows\NV888220.TMP\nvcplsky.chm
2007-10-04 17:14 127960 --a------ c:\windows\NV888220.TMP\nvcplhun.chm
2007-10-04 17:14 127840 --a------ c:\windows\NV888220.TMP\nvcplell.chm
2007-10-04 17:14 127752 --a------ c:\windows\NV888220.TMP\nvcplheb.chm
2007-10-04 17:14 127604 --a------ c:\windows\NV888220.TMP\nvcpltrk.chm
2007-10-04 17:14 127314 --a------ c:\windows\NV888220.TMP\nvcplkor.chm
2007-10-04 17:14 127256 --a------ c:\windows\NV888220.TMP\nvcplsve.chm
2007-10-04 17:14 127102 --a------ c:\windows\NV888220.TMP\nvcplcsy.chm
2007-10-04 17:14 127072 --a------ c:\windows\NV888220.TMP\nvcplrus.chm
2007-10-04 17:14 126954 --a------ c:\windows\NV888220.TMP\nvcplfin.chm
2007-10-04 17:14 126400 --a------ c:\windows\NV888220.TMP\nvcplita.chm
2007-10-04 17:14 126298 --a------ c:\windows\NV888220.TMP\nvcplcht.chm
2007-10-04 17:14 126198 --a------ c:\windows\NV888220.TMP\nvcplara.chm
2007-10-04 17:14 126192 --a------ c:\windows\NV888220.TMP\nvcplesm.chm
2007-10-04 17:14 125970 --a------ c:\windows\NV888220.TMP\nvcpldeu.chm
2007-10-04 17:14 125912 --a------ c:\windows\NV888220.TMP\nvcplptg.chm
2007-10-04 17:14 125810 --a------ c:\windows\NV888220.TMP\nvcplslv.chm
2007-10-04 17:14 125794 --a------ c:\windows\NV888220.TMP\nvcplchs.chm
2007-10-04 17:14 125588 --a------ c:\windows\NV888220.TMP\nvcplfra.chm
2007-10-04 17:14 125360 --a------ c:\windows\NV888220.TMP\nvcplnld.chm
2007-10-04 17:14 125116 --a------ c:\windows\NV888220.TMP\nvcplptb.chm
2007-10-04 17:14 125104 --a------ c:\windows\NV888220.TMP\nvcplplk.chm
2007-10-04 17:14 124456 --a------ c:\windows\NV888220.TMP\nvcpldan.chm
2007-10-04 17:14 124300 --a------ c:\windows\NV888220.TMP\nvcplesn.chm
2007-10-04 17:14 123726 --a------ c:\windows\NV888220.TMP\nvcplnor.chm
2007-10-04 17:14 123008 --a------ c:\windows\NV888220.TMP\nvcpleng.chm
2007-10-04 17:14 121441 --a------ c:\windows\NV888220.TMP\nvcpl.chm
2007-10-04 17:14 119327 --a------ c:\windows\NV888220.TMP\nv3dtha.chm
2007-10-04 17:14 117303 --a------ c:\windows\NV888220.TMP\nv3dkor.chm
2007-10-04 17:14 116332 --a------ c:\windows\NV888220.TMP\nv3dell.chm
2007-10-04 17:14 115403 --a------ c:\windows\NV888220.TMP\nv3dchs.chm
2007-10-04 17:14 114839 --a------ c:\windows\NV888220.TMP\nv3dcht.chm
2007-10-04 17:14 114302 --a------ c:\windows\NV888220.TMP\nv3dheb.chm
2007-10-04 17:14 113801 --a------ c:\windows\NV888220.TMP\nv3dsky.chm
2007-10-04 17:14 113031 --a------ c:\windows\NV888220.TMP\nv3dplk.chm
2007-10-04 17:14 112777 --a------ c:\windows\NV888220.TMP\nv3dtrk.chm
2007-10-04 17:14 112172 --a------ c:\windows\NV888220.TMP\nv3dara.chm
2007-10-04 17:14 111436 --a------ c:\windows\NV888220.TMP\nv3desn.chm
2007-10-04 17:14 111318 --a------ c:\windows\NV888220.TMP\nv3drus.chm
2007-10-04 17:14 111216 --a------ c:\windows\NV888220.TMP\nv3dcsy.chm
2007-10-04 17:14 111050 --a------ c:\windows\NV888220.TMP\nv3desm.chm
2007-10-04 17:14 110880 --a------ c:\windows\NV888220.TMP\nv3dhun.chm
2007-10-04 17:14 110797 --a------ c:\windows\NV888220.TMP\nv3dslv.chm
2007-10-04 17:14 108595 --a------ c:\windows\NV888220.TMP\nv3dita.chm
2007-10-04 17:14 108012 --a------ c:\windows\NV888220.TMP\nv3dfin.chm
2007-10-04 17:14 107240 --a------ c:\windows\NV888220.TMP\nv3ddeu.chm
2007-10-04 17:14 106275 --a------ c:\windows\NV888220.TMP\nv3dfra.chm
2007-10-04 17:14 105772 --a------ c:\windows\NV888220.TMP\nv3dptg.chm
2007-10-04 17:14 105423 --a------ c:\windows\NV888220.TMP\nv3dptb.chm
2007-10-04 17:14 104618 --a------ c:\windows\NV888220.TMP\nv3ddan.chm
2007-10-04 17:14 104004 --a------ c:\windows\NV888220.TMP\nv3dsve.chm
2007-10-04 17:14 103709 --a------ c:\windows\NV888220.TMP\nv3dnld.chm
2007-10-04 17:14 102668 --a------ c:\windows\NV888220.TMP\nv3dnor.chm
2007-10-04 17:14 100759 --a------ c:\windows\NV888220.TMP\nv3deng.chm

---- Directory of c:\windows\TEMP\TMP00000014EAFA47CFF9E163FF ----

c:\windows\TEMP\TMP00000014EAFA47CFF9E163FF\


((((((((((((((((((((((((((((( snapshot@2008-11-22_23.45.00.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-23 04:54:26 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-11-23 18:04:13 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-11-23 04:54:26 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-23 18:04:13 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-06-10 06:21:01 135,168 ----a-w c:\windows\system32\java.exe
+ 2008-11-23 13:42:35 144,792 ----a-w c:\windows\system32\java.exe
- 2008-06-10 06:21:04 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2008-11-23 13:42:35 144,792 ----a-w c:\windows\system32\javaw.exe
- 2008-06-10 07:32:34 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2008-11-23 13:42:35 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-11-24 00:36:18 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_1248.dat
+ 2008-11-24 00:31:54 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_76c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-09-19 4347120]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]
"Google Update"="c:\documents and settings\Emory\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-26 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-11-17 1805552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-22 185872]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2006-02-28 44032]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-04 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~2\VPTray.exe" [2006-03-17 124656]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-23 136600]
"nwiz"="nwiz.exe" [2007-10-04 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-12 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-02-01 8699904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Daisy.5THCOMPUTER^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Daisy.5THCOMPUTER\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 10:09 63712 c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2006-02-28 06:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eligmini]
--a------ 2008-04-03 07:56 487424 c:\program files\Fisher-Price\Easy-Link internet launch pad\Easy-Link internet launch pad.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-02 11:53 133104 c:\documents and settings\Emory\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2006-07-07 17:15 600896 c:\program files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
--a------ 2006-07-07 17:14 576320 c:\program files\Microsoft IntelliType Pro\itype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2008-06-09 09:16 2363392 c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
--a------ 2007-07-25 15:02 563984 c:\program files\Common Files\Logishrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2007-07-25 15:06 2027792 c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\masqform.exe]
--a------ 2005-07-04 09:50 643072 c:\program files\PureEdge\Viewer 6.5\masqform.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfee Backup]
--a------ 2008-07-10 14:42 5129504 c:\program files\McAfee\MBK\McAfeeDataBackup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
--a------ 2008-07-11 17:48 641208 c:\program files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2008-02-01 14:32 8699904 c:\program files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-10-04 17:14 8491008 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-10-04 17:14 81920 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]
--a------ 2008-10-07 09:23 111856 c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2008-08-01 14:23 61440 c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-09-26 15:04 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-10-22 13:49 185872 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 18:20 866584 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
--a------ 2008-10-07 09:23 111856 c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-ra------ 2005-05-03 04:43 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
--a------ 2007-09-21 03:10 55824 c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-10-04 17:14 1626112 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-ra------ 2006-09-12 02:58 16264192 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-ra------ 2006-05-16 04:04 2879488 c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Nero BackItUp Scheduler 3"=2 (0x2)
"gusvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\GameHouse\\TextTwist\\TextTwist.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Destiny\\RadioDestiny Broadcaster\\RadioDestiny Broadcaster.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Ubisoft\\Heroes of Might and Magic V - Tribes of the East\\bin\\H5_Game.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S0 Spssys;Toshiba SPS Service;c:\windows\system32\drivers\spssys.sys []
S3 EWAVE;EWAVE;\??\c:\windows\system32\drivers\ew.sys [2008-02-02 1693344]
S3 FILESPY;FILESPY;\??\c:\windows\system32\drivers\FILESPY.sys [2008-02-02 26992]
S3 GP2MPM;GP2MPM;\??\c:\windows\system32\drivers\GP2MPM.SYS [2008-02-02 37600]
S3 NSTATION;NSTATION;\??\c:\windows\system32\drivers\nstation.sys [2008-02-02 19808]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\Drivers\tascusb2.sys [2008-02-02 396192]
S3 TASCAM_US144_MIDI;TASCAM US-144 WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [2008-02-02 10752]
S3 TASCAM_US144_WDM;TASCAM US-144 WDM;c:\windows\system32\drivers\tscusb2a.sys [2008-02-02 19904]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-11-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-24 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-09-02 11:53]

2008-11-23 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Emory\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 11:53]

2008-10-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2008-11-12 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2008-11-24 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

2008-11-24 c:\windows\Tasks\User_Feed_Synchronization-{13EF8C67-315B-44CD-AF7A-29F1060B482C}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 17:36]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-23 18:54:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\rsaenh.dll

- - - - - - - > 'lsass.exe'(832)
c:\windows\system32\msprivs.dll
c:\windows\system32\rsaenh.dll
.
Completion time: 2008-11-23 18:56:06
ComboFix-quarantined-files.txt 2008-11-24 00:55:40
ComboFix2.txt 2008-11-23 05:45:34

Pre-Run: 286,640,705,536 bytes free
Post-Run: 286,726,991,872 bytes free

604 --- E O F --- 2008-11-12 06:17:16



BTW, I left the comp for about 15 mins. and it froze again..... Thanks.

Peace.

E

#11 RatHat

  • Group: Expert
  • Posts: 7,826
  • Joined: 26-October 06

Posted 23 November 2008 - 09:15 PM

Mmmm, this one is being tricky. You should be clean by now, so it may be something else. Lets have a deeper look into your system though to double check.

Download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
  • Check the box that says Scan All User Accounts
  • Check the box that says Include MD5
  • Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
  • Check the Radio button under Drivers for Non Microsoft
  • Check the radio button under Rootkit Search for Yes
  • Under Additional Scans check the following:
    • Reg - Approved Shell Extensions

    • Reg - BotCheck

    • Reg - Disabled MS Config Items

    • Reg - File Associations

    • Reg - Software Policy Settings

    • File - Additional Folder Scans

    • Evnt - EventViewer Errors/Warnings (last 7 days)

  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.


Please zip the log and attach the zipped file in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

#12 5th Letter

  • Group: Member
  • Posts: 51
  • Joined: 22-November 08

Posted 23 November 2008 - 11:19 PM

OK here's the OTScanIt log file....

Peace.

E

Attached File(s)


#13 RatHat

  • Group: Expert
  • Posts: 7,826
  • Joined: 26-October 06

Posted 24 November 2008 - 02:25 AM

Start OTScanIt.exe Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Driver Services - Non-Microsoft Only]
YN -> (atksgt) atksgt [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\atksgt.sys
YN -> (giveio) giveio [Kernel | Boot | Running] -> %SystemRoot%\system32\giveio.sys
YN -> (lirsgt) lirsgt [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\lirsgt.sys
YN -> (RivaTuner32) RivaTuner32 [Kernel | On_Demand | Stopped] -> H:\RivaTuner v2.02\RivaTuner32.sys
YY -> (sptd) sptd [Kernel | Boot | Stopped] -> %SystemRoot%\system32\drivers\sptd.sys
[Registry - Non-Microsoft Only]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> CabBuilder[HKEY_LOCAL_MACHINE] -> http://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab[Reg Error: Key does not exist or could not be opened.]
[Registry - Additional Scans - Non-Microsoft Only]
< Software Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\policies\
YN -> ] -> 
[Files/Folders - Created Within 90 days]
NY -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> Repository.reg -> %SystemRoot%\System32\Repository.reg
NY -> 10 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> MEMORY.DMP -> %SystemRoot%\MEMORY.DMP
NY -> mgxoschk.ini -> %SystemRoot%\mgxoschk.ini
[CatchMe Rootkit Scan by GMER]
NY -> C:\Documents and Settings\All Users\Application Data\TEMP:78D09D71 94 bytes -> 
NY -> C:\Documents and Settings\All Users\Application Data\TEMP:7A091C6C 116 bytes -> 
NY -> C:\Documents and Settings\All Users\Application Data\TEMP:A7601C61 117 bytes -> 
NY -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1 116 bytes -> 
NY -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 98 bytes -> 
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new HijackThis log.

Let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

#14 5th Letter

  • Group: Member
  • Posts: 51
  • Joined: 22-November 08

Posted 24 November 2008 - 01:08 PM

OTScanIt seems to freeze when I hit Run Fix..... and in my Task Manager it says OTScanIt is not responding.....

Peace.

E

#15 RatHat

  • Group: Expert
  • Posts: 7,826
  • Joined: 26-October 06

Posted 24 November 2008 - 04:59 PM

Reboot the computer, then try to run it again.

Share this topic:


  • 3 Pages +
  • 1
  • 2
  • 3