Vundo/Google redirect [Solved]

This topic is locked.

#1 thisisaperson (New Member, 9 posts)

In 15 years of computing, I've finally had my first virus infection, and the [bleep] thing is a doozy. I've run TrendMicro's Housecall, McAfee, and Malwarebytes' Anti-Malware. They all say they've found and deleted or quarantined the problem, but it always comes back. I have the Vundo virus, and my Google searches in Firefox and IE are being redirected to another site (something like seocash.ru). Any help with truly obliterating this thing would be greatly appreciated.

Windows XP Media Center Edition, Service Pack 2
IE 6.0.2900
Windows Update will not run

I've run ATF cleaner, System Restore, and ERUNT. I tried VundoFix... it doesn't find any infected files. But the Google redirect is still there, I still can't access my IE homepage, and when I rerun Malwarebytes, I inevitably get at least one Vundo reference.

I'm pasting in 3 log files: Malwarebytes, HJT, and the HJT uninstall list.

First, the Malwarebytes log:
Malwarebytes' Anti-Malware 1.31
Database version: 1580
Windows 5.1.2600 Service Pack 2

12/31/2008 12:38:32 AM
mbam-log-2008-12-31 (00-38-32).txt

Scan type: Full Scan (C:\|)
Objects scanned: 156365
Time elapsed: 1 hour(s), 12 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 25
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 44

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\urqRIcbx.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\cneedx.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\dzmgyo.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\xkjpgf.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\nnnOGyww.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{218bd0d1-f920-4701-9504-ad02ab7d85fd} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{218bd0d1-f920-4701-9504-ad02ab7d85fd} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77ab5974-55a3-4737-9fd5-b93c64307f78} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{77ab5974-55a3-4737-9fd5-b93c64307f78} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2832f920-081a-43d9-9563-30084ca7c28d} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2832f920-081a-43d9-9563-30084ca7c28d} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{139a1d5e-2922-4d6c-ae04-ba185dcb86c8} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{84b8d2cd-3cb8-400e-a5cf-4e4f296217f4} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnogyww (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{218bd0d1-f920-4701-9504-ad02ab7d85fd} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{77ab5974-55a3-4737-9fd5-b93c64307f78} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\urqricbx -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\urqricbx -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\urqRIcbx.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\xbcIRqru.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xbcIRqru.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\crqpfdqp.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pqdfpqrc.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fccDtRjh.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hjRtDccf.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hjRtDccf.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hgGyVmLF.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FLmVyGgh.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FLmVyGgh.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\irwsnyjx.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xjynswri.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lgikgenk.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\knegkigl.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wjpwisgy.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cneedx.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\dzmgyo.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\xkjpgf.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\nnnOGyww.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Debbie\Local Settings\Temporary Internet Files\Content.IE5\8LQBG9MF\CA7IE533 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Debbie\Local Settings\Temporary Internet Files\Content.IE5\CO3IKLBV\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Debbie\Local Settings\Temporary Internet Files\Content.IE5\SHUVGXQ7\CA2JO5IN (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Debbie\Local Settings\Temporary Internet Files\Content.IE5\SHYDMF47\CAUBGTE7 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Debbie\Local Settings\Temporary Internet Files\Content.IE5\XC2RLDG9\CA98U1HJ (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Debbie\Local Settings\Temporary Internet Files\Content.IE5\YQJSPIT0\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Local Settings\Temp\winvsnet.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AAF2E5A8-5C28-4CCD-ABE6-1F06363859F7}\RP666\A0069413.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AAF2E5A8-5C28-4CCD-ABE6-1F06363859F7}\RP666\A0069414.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AAF2E5A8-5C28-4CCD-ABE6-1F06363859F7}\RP667\A0069556.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\csrqay.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fxgjkc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fxpptqop.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ieajlrqv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iqanrnck.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\norrlptu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awtsQHYS.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\owafihmb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xautrlts.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xlurwmwx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yutjcs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zhrccs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fiavoyru.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.




------------------------------

HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:51:57 AM, on 12/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\WallpaperToy\Wallpapertoy.Exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.15westbellamy.com/home/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,[email protected]
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\user\protect.dll,[email protected]
O4 - Startup: ChkDisk.dll
O4 - Startup: ChkDisk.lnk = ?
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Jewelleria\Images\stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo1.walgre...eensActivia.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.co...?BundleId=26688
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://rd.altn.com/...perSetupSP1.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - AppInit_DLLs: cneedx.dll dzmgyo.dll xkjpgf.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 7206 bytes





--------------------------------

HJT uninstall list:
Ad-Aware
Adobe Flash Player ActiveX
Adobe Reader 7.0.8
Adobe Shockwave Player
Advanced WMA Workshop version 2.3
Agatha Christie Peril at End House
Alt-N ComAgent
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Big Fish Games Client
Catalyst Control Center - Branding
Cate West - The Vanishing Files
Cisco Systems VPN Client 4.8.02.0010
Color Wheel Pro 2.0
Compatibility Pack for the 2007 Office system
CrossLoop 2.31
Diablo II
DUXUS CLOCK FONT (1.0.0)
EA Download Manager
ERUNT 1.1j
Free Video to JPG Converter version 1.2
Google Earth
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB952287)
Intel Audio Studio 2.0
Intel® PRO Network Connections Drivers
iTunes
Java™ 6 Update 11
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
JEOPARDY! Deluxe (remove only)
Logitech Desktop Messenger
Logitech Harmony Remote Software 7
Logitech MouseWare 9.79.1
Macromedia Flash MX
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Office Standard Edition 2003
Microsoft Silverlight
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (2.0.0.16)
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MSXML 6 Service Pack 2 (KB954459)
Mystery Case Files: Huntsville
Mystic Inn
Nero Suite
PowerDVD
Protected Music Converter 1.0.0.12
QuickTime
Remote Control USB Driver
Restaurant Rush
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB960714)
Sid Meier's Railroads!
SigmaTel Audio
Skype 3.8
Sony DVD Architect Studio 3.0b
Sony Vegas Movie Studio 6.0b
SPORE
TextPad 5
Tropico
Tropico: Paradise Island
Uninstall 1.0.0.0
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update Rollup 1 for Windows XP Media Center Edition 2005 with HDTV Support (KB873369)
Wallpaper Changer for Windows XP
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 10 SDK
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Media Center Edition 2005 KB888316
World of Warcraft FREE Trial
Zoo Tycoon 2 Endangered Species
#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Happy New Year and welcome to GTG.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O20 - AppInit_DLLs: cneedx.dll dzmgyo.dll xkjpgf.dll

Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

c:\windows\system32\cneedx.dll
c:\windows\system32\dzmgyo.dll
c:\windows\system32\xkjpgf.dll


1. Download combofix at http://download.blee...Bs/ComboFix.exe Save it to your Desktop before you run it.
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.
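Added example, not from this thread or from either poster: a small Python triage script that does what greyknight17 does by eye above, correlating the O20 AppInit_DLLs entry in a HijackThis log with the "Files Infected" section of a Malwarebytes log, and flagging files whose action was "Delete on reboot" (still on disk and still being loaded). The two log excerpts inside it are constructed from the file names in this thread, and the `Detection`, `parse_mbam` and `correlate` names are my own.

```python
"""Cross-check HijackThis persistence entries against Malwarebytes detections.

Any HJT line (O2 BHOs, O4 Run keys, O20 AppInit_DLLs, O23 services, ...) that
references a file Malwarebytes flagged is reported; "Delete on reboot" means
Malwarebytes could not remove the file because it was loaded, so the entry
that loads it must be fixed first.
"""
import re
from dataclasses import dataclass

# Constructed excerpts modelled on the logs posted in this thread (not the full logs).
MBAM_LOG = """\
Files Infected:
C:\\WINDOWS\\system32\\cneedx.dll (Trojan.Vundo) -> Delete on reboot.
C:\\WINDOWS\\system32\\dzmgyo.dll (Trojan.Vundo) -> Delete on reboot.
C:\\WINDOWS\\system32\\xkjpgf.dll (Trojan.Vundo) -> Delete on reboot.
C:\\WINDOWS\\system32\\csrqay.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

HJT_LOG = """\
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre6\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [ehTray] C:\\WINDOWS\\ehome\\ehtray.exe
O20 - AppInit_DLLs: cneedx.dll dzmgyo.dll xkjpgf.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\\WINDOWS\\system32\\LEXBCES.EXE
"""

# "<path> (<threat name>) -> <action>." as written by Malwarebytes' Anti-Malware 1.x
MBAM_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
# "<section code> - <body>" as written by HijackThis (R0, O2, O4, O20, O23, ...)
HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
# Any whitespace-free token ending in .dll or .exe (a bare name or the tail of a path).
MODULE_REF = re.compile(r"\S+?\.(?:dll|exe)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Detection:
    path: str
    threat: str
    action: str

    @property
    def still_on_disk(self) -> bool:
        # "Delete on reboot" = the file was in use, so it has not been removed yet.
        return self.action.lower().startswith("delete on reboot")


def basename(ref: str) -> str:
    """Lower-cased file name, so 'C:\\WINDOWS\\system32\\X.dll' and 'x.dll' compare equal."""
    return ref.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_mbam(text: str) -> dict[str, Detection]:
    """Map file name -> Detection for every detection line in a Malwarebytes log."""
    found: dict[str, Detection] = {}
    for line in text.splitlines():
        m = MBAM_LINE.match(line.strip())
        if m:
            det = Detection(m["path"], m["threat"], m["action"])
            found[basename(det.path)] = det
    return found


def correlate(hjt_text: str, mbam_text: str) -> list[dict]:
    """Return every HJT entry that loads a file Malwarebytes flagged."""
    detections = parse_mbam(mbam_text)
    hits = []
    for line in hjt_text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        for ref in MODULE_REF.findall(m["body"]):
            name = basename(ref)
            if name in detections:
                det = detections[name]
                hits.append({"entry": m["code"], "line": line.strip(), "file": name,
                             "threat": det.threat, "still_on_disk": det.still_on_disk})
    return hits


if __name__ == "__main__":
    for hit in correlate(HJT_LOG, MBAM_LOG):
        state = "STILL PRESENT" if hit["still_on_disk"] else "removed"
        print(f'{hit["entry"]}: {hit["file"]} ({hit["threat"]}, {state})')
        print(f'    {hit["line"]}')
```

On the excerpts above it reports only the three AppInit_DLLs modules, all still present, and stays silent on ssv.dll, ehtray.exe and LEXBCES.EXE.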

#3 thisisaperson (Topic Starter, New Member, 9 posts)

Thanks, greyknight. I actually found a thread with the combofix suggestion after posting my initial thread yesterday, and ran it (just didn't want to post that log to screw up how you guys look through the posts). So while I didn't do the first part of your suggestion, I'll give you the initial combofix log. I can say that combofix DID NOT solve the problem yet, but I didn't want to follow your suggestion and re-run combofix without verifying that's the correct thing to do first.

Sorry if I'm confusing things. Here's the combofix log...


ComboFix 08-12-30.02 - user 2008-12-31 10:33:27.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.611 [GMT -5:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\user\LOCALS~1\Temp\tmp1.tmp
c:\docume~1\user\LOCALS~1\Temp\tmp2.tmp
c:\documents and settings\user\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\accessories\cup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\accessories\customer_cup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\accessories\heart.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\accessories\menu_down.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\accessories\menu_up.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\accessories\plates.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\accessories\ticket.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\accessories\tray.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\audio\music\mainmenumusic.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\audio\sfx\sfx_bring_check_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\audio\sfx\sfx_deliver_food_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\audio\sfx\sfx_deliver_order_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\audio\sfx\sfx_diner.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\audio\sfx\sfx_dish_dropoff_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\audio\sfx\sfx_food_ready_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\audio\sfx\sfx_gain_heart_1.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\audio\sfx\sfx_get_drinks_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\audio\sfx\sfx_party_arrive_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\audio\sfx\sfx_pencil_write_2.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\audio\sfx\sfx_pickup_food_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\audio\sfx\sfx_rollover_1.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\audio\sfx\sfx_seat_people_snd.ogg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\backgrounds\choosedifficulty.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\backgrounds\credits.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\backgrounds\flo_lose.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\backgrounds\flo_win.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\backgrounds\help1.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\backgrounds\help2.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\backgrounds\highscores.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\backgrounds\levelintro.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\backgrounds\levelintro_mask.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\backgrounds\levelover.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\backgrounds\levelover_mask.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\backgrounds\mainmenu.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\backgrounds\popup.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\backgrounds\popup_mask.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\backgrounds\upgradegrid.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\backgrounds\upgradetitle.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\backgrounds\upsell.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\arrowleft_blue.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\arrowleft_yellow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\arrowright_blue.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\arrowright_yellow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\back_blue.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\back_yellow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\backchalk.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\backchalkup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\backtomenu_blue.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\backtomenu_yellow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\cancel.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\cancelup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\career.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\career_over.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\close.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\closeup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\continue.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\continueover.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\credits_blue.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\credits_yellow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\download_blue.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\download_yellow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\easy.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\easy_over.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\endlessshift.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\endlessshift_over.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\hard.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\hard_over.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\help.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\help_over.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\highscores.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\highscores_over.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\instructions_blue.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\instructions_yellow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\letsplay.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\letsplayover.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\medium.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\medium_over.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\moreinfo.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\moreinfoup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\off.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\off_on.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\on.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\on_on.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\pause.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\pauseover.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\quit.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\quitgame.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\quitgameover.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\quitover.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\resumegame.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\resumegameover.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\submit.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\submitup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\tryagain.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\tryagainover.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\upgrade_over.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\upgrade_up.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\viewglobal.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\viewglobalup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\viewhighscore.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\viewhighscoreon.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\viewlocal.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\buttons\viewlocalup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\comics\webcomic.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\config\career.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\config\customer.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\config\endless.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\config\global.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\config\powerups.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\cook\cook.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\cook\cook.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\cook\stove.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\cursor\arrow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\cursor\click.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\cursor\click2.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\cursor\grab.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\cursor\open.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\old_male\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\old_male\blue\anim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\old_male\blue\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\old_male\blue\sit_legs.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\old_male\green\anim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\old_male\green\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\old_male\green\sit_legs.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\old_male\purple\anim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\old_male\purple\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\old_male\purple\sit_legs.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\old_male\red\anim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\old_male\red\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\old_male\red\sit_legs.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\old_male\yellow\anim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\old_male\yellow\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\old_male\yellow\sit_legs.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\young_female\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\young_female\blue\anim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\young_female\blue\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\young_female\blue\sit_legs.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\young_female\green\anim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\young_female\green\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\young_female\green\sit_legs.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\young_female\purple\anim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\young_female\purple\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\young_female\purple\sit_legs.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\young_female\red\anim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\young_female\red\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\young_female\red\sit_legs.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\young_female\yellow\anim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\young_female\yellow\anim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\customers\young_female\yellow\sit_legs.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\flo\idle.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\flo\idle.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\flo\lower.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\flo\lower.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\flo\upper.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\flo\upper.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\fonts\arial.mvec
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\fonts\komikaaxis.mvec
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\furniture\chair.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\furniture\chair.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\furniture\dirt2top.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\furniture\dirt4top.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\furniture\dishcart.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\furniture\dishcart.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\furniture\drinkstation_off.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\furniture\drinkstation_on1.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\furniture\drinkstation_on2.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\furniture\ticketstation.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\furniture\ticketstation.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\hiscore\arrowdown.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\hiscore\arrowdownon.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\hiscore\arrowleft.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\hiscore\arrowlefton.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\hiscore\arrowright.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\hiscore\arrowrighton.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\hiscore\arrowup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\hiscore\arrowupon.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\hiscore\p1icon.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\hiscore\textedit.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\hiscore\title.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_1.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_1_a.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_1_b.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_1_c.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_2.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_2_a.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_2_b.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_2_c.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_2_d.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_3.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_3_a.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_3_b.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_3_c.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\endless_1_3_d.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\fifth_level_diner.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\first_level_diner.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\fourth_level_diner.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\layouts\second_level_diner.txt
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\playfirst_logo.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\diner\background.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\diner\food\food1.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\diner\food\food1.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\diner\food\food2.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\diner\food\food2.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\diner\food\food3.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\diner\food\food3.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\diner\frames\upgrade_0001.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\diner\tables\2top.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\diner\tables\2top.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\diner\tables\4top.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\diner\tables\4top.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\diner\upgrades.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\restaurants\tableshadow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\choosedifficulty.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\chooseplayer.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\chooserestaurant.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\credits.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\game.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\gothighscore.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\help.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\help2.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\hiscore.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\hiscoreinfo.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\hiscoresubmit.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\levelintro.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\levelover.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\loading.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\mainloop.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\mainmenu.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\ok.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\pause.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\style.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\tutorialintro.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\upgrade.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\upsell.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\webcomic.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\scripts\yesno.lua
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\splash\aol_logo.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\splash\gamelabsplash.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\splash\playfirst_logo.jpg
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\strings.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\angersmoke.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\angersmoke.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\chairflags.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\chairflags.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\check.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\checkmark.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\clock.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\closed.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\closingtime.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\coinflip.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\coinflip.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\dollar.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\doodles\coffee.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\doodles\tables.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\doodles\wallpaper.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\expert.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\expertscore.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\foodpoof.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\foodpoof.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\fork_timer.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\goalcompleted.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\heartgrow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\heartgrow.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\jar.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\jar.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\level.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\level_career.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\score.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\sound.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\staroff.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\staron.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\tablenumber.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\tablenumberup.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\traynumber.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\tutorial_character.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\tutorialarrow.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\tutorialbox.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\upgradeanim.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\upgradeanim.xml
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\upgrades\drinks.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\upgrades\maitred.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\upgrades\oven.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\upgrades\select.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\upgrades\shoes.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\upgrades\stereo.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\assets\ui\upgrades\table.png
c:\windows\Downloaded Program Files\DinerDash.1.0.0.80\dinerdash.exe
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\music\mainmenumusic.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\areabomb.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\beetlezap.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\bonusrow.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\bonustimer.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\bucketfilled.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\clearpyramid.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\cleartriangle1a.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\cleartriangle1b.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\cleartriangle1c.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\cleartriangle2a.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\cleartriangle2b.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\cleartriangle2c.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\colorchain.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\dialogbox.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\drumbeat.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\fillrow.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\gateopen.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\helptip.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\powerup.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\rotateboardleft.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\timerup.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\warning.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\warning2.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\artifacts-bb.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\bar.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\chamber0.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\chamber1.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\circledoor.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\full_screen_dialog.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\global-hs-bb_large.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\global-hs-bb_small.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\help-bb_large.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\help-bb_small.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\hexfield.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\hidden-artifact_icon.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\large_dialog.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\local-hs-bb.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\mainmenu.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\small_dialog.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\textfield.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\trifield.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\beetles\beetlehover1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\beetles\beetlehover2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\beetles\beetlehover3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\beetles\beetlehover4.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\beetles\beetleshock1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\beetles\beetleshock2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\beetles\beetleshock3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\beetles\beetleshock4.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\beetles\beetletatoo.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\beetles\dirt.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\beetles\scarabpost.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\beetles\scarabpostovr.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\beetles\tritop.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\arrowdown_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\arrowdown_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\arrowdown_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\arrowleft_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\arrowleft_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\arrowleft_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\arrowright_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\arrowright_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\arrowright_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\arrowup_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\arrowup_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\arrowup_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\bluearrowleft_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\bluearrowleft_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\bluearrowleft_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\bluearrowright_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\bluearrowright_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\bluearrowright_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\checkdown.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\checkup.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\long_button_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\long_button_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\long_button_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\orange-button_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\orange-button_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\orange-button_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\rotleft_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\rotleft_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\rotleft_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\rotright_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\rotright_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\rotright_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\simplebutton_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\simplebutton_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\simplebutton_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\sliderknob.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\sliderknobover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\sliderrail.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\characters\anwar\look\pl0001.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\characters\bast\look\bl0001.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\characters\kristine\look\kl0001.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\crackedstopper.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\cursor.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\doorlights.txt
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\fonts\jackarmstrong.mvec
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\fonts\lithos.mvec
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\greybomb.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\helptips\arrowkeys.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\helptips\helptip.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\levels\levels.dat
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\models\disk.mesh
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\models\equilateraltriangle.mesh
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\models\flattri.mesh
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\models\pyramid.mesh
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\models\quad.mesh
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\models\rotatingpyramid.mesh
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\models\scarabpanel.mesh
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\p1icon.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\scenes\page1-0.xml
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\scenes\page1-1.xml
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\scenes\panel1-0-1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\scenes\panel1-1-1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\scorecloud.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\setup.xml
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\sfx\areashockwave.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\sfx\bolt_1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\sfx\bolt_2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\sfx\bolt_3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\sfx\bolt_4.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\sfx\bolt_starter.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\sfx\bolt_tail.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\sfx\flash.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\sfx\rubble.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\sfx\smoke.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\sfx\smoke2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\sfx\smoke3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\splash\aol_logo.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\splash\playfirst_logo.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\statues\statue0\snake_dirty.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\statues\statue1\arm01_dirty.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\statues\statue1\mask01_1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\statues\statue1\statue01_dirty.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\stopper.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\timer.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\timerglow.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\timericon.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\tm.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\trails\mouseblue1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\trails\mouseblue2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\trails\mouseblue3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\trails\mousegreen1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\trails\mousegreen2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\trails\mousegreen3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\trails\mousered1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\trails\mousered2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\trails\mousered3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\trails\mouseyellow1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\trails\mouseyellow2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\trails\mouseyellow3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\areabomb.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\areabombrollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\blue.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\bluerollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\boardfill.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\brick.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\brick1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\brick2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\brick3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\bricktip.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\clearanim\cleared1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\clearanim\cleared2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\clearanim\cleared3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\clearanim\cleared4.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\clearanim\cleared5.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\clearanim\cleared6.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\eye1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\eye2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\eye3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\eye4.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\green.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\greenrollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\plain_tri-blue.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\plain_tri-bluerollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\plain_tri-green.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\plain_tri-greenrollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\plain_tri-red.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\plain_tri-redrollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\plain_tri-yellow.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\plain_tri-yellowrollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\red.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\redrollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\wild.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\wildrollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\yellow.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\yellowrollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\upsell\image0.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\upsell\image1.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\upsell\image2.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\upsell\image3.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\bluebucket.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\buckettriangle.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\chainlink.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\chaintip.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\genericbucket.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\greenbucket.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\redbucket.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\smallblue.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\smallgreen.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\smallred.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\smallyellow.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\urnglow.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\urnplatform.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\yellowbucket.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\assets\warning.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\error.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\game.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\gameover.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\hiscore.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\hiscoreinfo.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\hiscoresubmit.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\instructions.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\leveldesign.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\levelover.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\mainarcade.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\mainconfirm.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\maincontinue.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\maingames.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\mainpuzzle.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\maphelptip.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\options.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\pause.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\quitconfirm.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\start.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\storyplayer.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\style.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\screens\upsell.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\strings.xml
c:\windows\Downloaded Program Files\TriJinx.1.0.0.67\TriJinx.exe
c:\windows\system32\autochk.dll
c:\windows\system32\csqskwhd.ini
c:\windows\system32\ekyfalim.ini
c:\windows\system32\mhalfpwa.ini

.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-31 )))))))))))))))))))))))))))))))
.

2008-12-31 10:37 . 2008-12-31 10:40 21,504 --ahs---- c:\windows\system32\autochk.dll
2008-12-31 09:06 . 2008-12-31 09:06 <DIR> d-------- C:\VundoFix Backups
2008-12-31 08:47 . 2008-12-31 08:47 <DIR> d-------- c:\program files\ERUNT
2008-12-30 23:21 . 2008-12-30 23:21 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-30 23:21 . 2008-12-30 23:21 <DIR> d-------- c:\documents and settings\user\Application Data\Malwarebytes
2008-12-30 23:21 . 2008-12-30 23:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-30 23:21 . 2008-12-03 19:59 38,

#4
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
The ComboFix log was cut off (too long). Can you post the remaining portions of the log file? It's located at C:\ComboFix.txt.

#5
thisisaperson

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Oops, sorry, didn't even notice! Here's the rest...

((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-31 )))))))))))))))))))))))))))))))
.

2008-12-31 10:37 . 2008-12-31 10:40 21,504 --ahs---- c:\windows\system32\autochk.dll
2008-12-31 09:06 . 2008-12-31 09:06 <DIR> d-------- C:\VundoFix Backups
2008-12-31 08:47 . 2008-12-31 08:47 <DIR> d-------- c:\program files\ERUNT
2008-12-30 23:21 . 2008-12-30 23:21 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-30 23:21 . 2008-12-30 23:21 <DIR> d-------- c:\documents and settings\user\Application Data\Malwarebytes
2008-12-30 23:21 . 2008-12-30 23:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-30 23:21 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-30 23:21 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-30 16:00 . 2008-12-30 16:00 21,504 --ahs---- c:\documents and settings\Debbie\protect.dll
2008-12-30 15:47 . 2008-12-31 10:35 4,579 --a------ c:\windows\system32\Config.MPF
2008-12-30 14:41 . 2006-03-03 08:07 143,360 --a------ c:\windows\system32\dunzip32.dll
2008-12-30 14:37 . 2007-11-22 06:44 201,320 --a------ c:\windows\system32\drivers\mfehidk.sys
2008-12-30 14:37 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys
2008-12-30 14:37 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
2008-12-30 14:37 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
2008-12-30 14:37 . 2007-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
2008-12-30 14:37 . 2007-11-22 06:44 33,832 --a------ c:\windows\system32\drivers\mferkdk.sys
2008-12-30 14:36 . 2008-12-30 14:36 <DIR> d-------- c:\program files\McAfee.com
2008-12-30 14:35 . 2008-12-30 16:53 <DIR> d-------- c:\program files\McAfee
2008-12-30 14:35 . 2008-12-30 14:37 <DIR> d-------- c:\program files\Common Files\McAfee
2008-12-30 12:51 . 2008-12-30 15:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-12-30 11:55 . 2008-12-30 11:55 21,504 --ahs---- c:\documents and settings\user\protect.dll
2008-12-30 11:54 . 2008-12-30 11:54 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-30 11:54 . 2008-12-30 11:54 1,409 --a------ c:\windows\QTFont.for
2008-12-29 14:51 . 2008-12-29 14:51 <DIR> d-------- c:\program files\Lavasoft
2008-12-29 14:51 . 2008-12-29 14:51 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-29 14:51 . 2008-12-29 14:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-29 14:33 . 2008-12-29 14:33 <DIR> d-------- c:\documents and settings\Administrator
2008-12-25 20:44 . 2008-12-25 20:44 <DIR> d-------- C:\ProgramData
2008-12-25 20:44 . 2008-12-25 21:22 <DIR> d-------- c:\documents and settings\Debbie\Application Data\SPORE
2008-12-25 20:44 . 2008-12-25 20:44 <DIR> dr-h----- c:\documents and settings\Debbie\Application Data\SecuROM
2008-12-25 20:43 . 2008-12-25 20:43 1,216 --a------ c:\windows\system32\ealregsnapshot1.reg
2008-12-25 20:33 . 2008-12-25 20:44 <DIR> d-------- c:\program files\Electronic Arts
2008-12-24 17:27 . 2007-08-01 22:47 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-12-23 22:30 . 2008-12-23 22:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\ATI
2008-12-23 22:26 . 2008-12-23 22:30 <DIR> d-------- c:\program files\ATI
2008-12-23 22:25 . 2008-12-23 22:26 <DIR> d-------- c:\program files\ATI Technologies
2008-12-23 22:25 . 2008-12-01 14:35 593,920 --a------ c:\windows\system32\ati2sgag.exe
2008-12-23 22:24 . 2008-12-23 22:24 <DIR> d-------- C:\ATI
2008-12-23 22:16 . 2008-12-23 22:16 <DIR> d-------- c:\windows\system32\XPSViewer
2008-12-23 22:16 . 2008-12-23 22:16 <DIR> d-------- c:\program files\MSBuild
2008-12-23 22:15 . 2008-12-23 22:16 <DIR> d-------- C:\0fa6b3ced8c5037d5b915dbf00429a8c
2008-12-23 21:57 . 2008-12-23 21:57 10 --a------ c:\windows\WININIT.INI
2008-12-23 21:48 . 2008-12-23 22:00 <DIR> d-------- c:\windows\SxsCaPendDel
2008-12-17 22:15 . 2008-12-17 22:15 0 --a------ c:\windows\ativpsrm.bin
2008-12-16 13:18 . 2008-12-16 13:18 <DIR> d-------- c:\documents and settings\Debbie\Application Data\World-LooM
2008-12-08 11:19 . 2008-12-08 11:21 <DIR> d-------- c:\documents and settings\user\Application Data\Juniper Networks
2008-12-01 15:52 . 2008-12-01 15:52 425,984 --a------ c:\windows\system32\ATIDEMGX.dll
2008-12-01 15:46 . 2008-12-01 15:46 11,304,960 --a------ c:\windows\system32\atioglxx.dll
2008-12-01 15:41 . 2008-12-01 15:41 188,416 --a------ c:\windows\system32\atipdlxx.dll
2008-12-01 15:40 . 2008-12-01 15:40 147,456 --a------ c:\windows\system32\Oemdspif.dll
2008-12-01 15:40 . 2008-12-01 15:40 143,360 --a------ c:\windows\system32\ati2evxx.dll
2008-12-01 15:40 . 2008-12-01 15:40 43,520 --a------ c:\windows\system32\ati2edxx.dll
2008-12-01 15:40 . 2008-12-01 15:40 26,112 --a------ c:\windows\system32\Ati2mdxx.exe
2008-12-01 15:38 . 2008-12-01 15:38 598,016 --a------ c:\windows\system32\ati2evxx.exe
2008-12-01 15:37 . 2008-12-01 15:37 53,248 --a------ c:\windows\system32\ATIDDC.DLL
2008-12-01 15:19 . 2008-12-01 15:19 307,200 --a------ c:\windows\system32\atiiiexx.dll
2008-12-01 15:11 . 2008-12-01 15:11 3,107,788 --a------ c:\windows\system32\ativvaxx.dat
2008-12-01 15:11 . 2008-12-01 15:11 3,107,788 --a------ c:\windows\system32\ativva5x.dat
2008-12-01 15:11 . 2008-12-01 15:11 887,724 --a------ c:\windows\system32\ativva6x.dat
2008-12-01 15:11 . 2008-12-01 15:11 69,112 --a------ c:\windows\system32\ativvaxx.cap
2008-12-01 14:57 . 2008-12-01 14:57 48,640 --a------ c:\windows\system32\amdpcom32.dll
2008-12-01 14:53 . 2008-12-01 14:53 401,408 --a------ c:\windows\system32\atikvmag.dll
2008-12-01 14:53 . 2008-12-01 14:53 45,056 --a------ c:\windows\system32\amdcalrt.dll
2008-12-01 14:53 . 2008-12-01 14:53 45,056 --a------ c:\windows\system32\amdcalcl.dll
2008-12-01 14:52 . 2008-12-01 14:52 86,016 --a------ c:\windows\system32\atiadlxx.dll
2008-12-01 14:52 . 2008-12-01 14:52 17,408 --a------ c:\windows\system32\atitvo32.dll
2008-12-01 14:51 . 2008-12-01 14:51 53,248 --a------ c:\windows\system32\drivers\ati2erec.dll
2008-12-01 14:50 . 2008-12-01 14:50 3,252,224 --a------ c:\windows\system32\Amdcaldd.dll
2008-12-01 14:50 . 2008-12-01 14:50 286,720 --a------ c:\windows\system32\atiok3x2.dll
2008-11-29 10:07 . 2008-11-29 10:07 <DIR> d-------- c:\program files\Common Files\Remote Control Software Common
2008-11-29 10:07 . 2008-11-29 10:09 <DIR> d-------- c:\documents and settings\user\logitech
2008-11-29 10:06 . 2008-11-29 10:06 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-11-29 10:06 . 2008-11-29 10:06 <DIR> d-------- c:\program files\Common Files\Remote Control USB Driver
2008-11-29 10:06 . 2008-11-29 10:06 127,034 -r------- c:\windows\bwUnin-8.1.1.50-8876480SL.exe
2008-11-27 08:45 . 2008-11-27 08:45 <DIR> d-------- c:\program files\Microsoft Silverlight
2008-11-23 14:59 . 2008-11-10 05:43 410,984 --a------ c:\windows\system32\deploytk.dll
2008-11-15 20:19 . 2008-12-18 12:26 <DIR> d-------- c:\program files\Mystery Case Files - Huntsville
2008-11-09 11:42 . 2008-12-04 15:51 <DIR> d-------- c:\program files\Restaurant Rush
2008-11-09 11:41 . 2008-11-09 11:41 <DIR> d-------- c:\program files\ReflexiveArcade
2008-11-06 09:50 . 2008-11-08 00:39 <DIR> d-------- c:\program files\Shockwave.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-26 01:44 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-25 05:07 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-25 04:20 --------- d-----w c:\documents and settings\All Users\Application Data\BigFishGamesCache
2008-12-12 13:21 --------- d-----w c:\program files\Java
2008-12-07 02:44 --------- d-----w c:\program files\Common Files\Adobe
2008-12-07 02:44 --------- d-----w c:\documents and settings\user\Application Data\AdobeUM
2008-12-01 22:13 3,452,928 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2008-11-29 15:07 --------- d-----w c:\program files\Logitech
2008-11-10 05:50 --------- d-----w c:\program files\Google
2008-11-08 16:11 --------- d-----w c:\documents and settings\Debbie\Application Data\GameHouse
2008-11-08 16:03 --------- d-----w c:\program files\GameHouse
2008-11-07 01:51 --------- d-----w c:\program files\bfgclient
2008-10-30 12:20 --------- d-----w c:\program files\CrossLoop
2008-10-30 01:58 --------- d-----w c:\documents and settings\Debbie\Application Data\iWin_JanesRealty
2008-10-28 22:00 --------- d-----w c:\documents and settings\Debbie\Application Data\Jane s Hotel Family Hero
2008-10-28 15:41 --------- d-----w c:\documents and settings\Debbie\Application Data\Jane s Hotel
2008-10-28 03:18 --------- d-----w c:\documents and settings\Debbie\Application Data\BFG_JanesRealty
2007-11-22 22:06 32 ----a-r c:\documents and settings\All Users\hash.dat
2004-07-19 02:27 372,736 ----a-w c:\program files\putty.exe
2008-11-14 02:34 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-11-14 02:34 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-11-14 02:34 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-11-14 02:34 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-11-14 02:34 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2007-12-05 18:35 88 --sha-r c:\windows\system32\575DF840AB.sys
2007-12-05 18:35 2,828 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"autochk"="c:\docume~1\user\protect.dll" [2008-12-30 21504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-06-07 9129984]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\2\printray.exe" [2001-03-27 36864]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"autochk"="c:\windows\system32\autochk.dll" [2008-12-31 21504]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 c:\windows\LOGI_MWX.EXE]

c:\documents and settings\Debbie\Start Menu\Programs\Startup\
ChkDisk.dll [2008-12-30 21504]
ChkDisk.lnk - c:\windows\system32\rundll32.exe [2006-03-15 33280]

c:\documents and settings\user\Start Menu\Programs\Startup\
ChkDisk.dll [2008-12-30 21504]
ChkDisk.lnk - c:\windows\system32\rundll32.exe [2006-03-15 33280]
Wallpaper Changer.lnk - c:\program files\WallpaperToy\Wallpapertoy.Exe [2007-09-02 110592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-11-29 67128]
VPN Client.lnk - c:\windows\Installer\{176130BC-99A1-41FE-A78B-56045E33AD70}\Icon3E5562ED7.ico [2007-03-05 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=cneedx.dll dzmgyo.dll xkjpgf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.mpng"= c:\program files\[email protected]\0.956\686\tabdec.dll
"vidc.mjpg"= c:\program files\[email protected]\0.956\686\tabdec.dll
"vidc.mvjp"= c:\program files\[email protected]\0.956\686\tabdec.dll
"vidc.444p"= c:\program files\[email protected]\0.956\686\tabdec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\FileZilla\\FileZilla.exe"=
"c:\\ftp\\WS_FTP32.EXE"=
"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"c:\\Program Files\\Macromedia\\Flash MX\\Flash.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Railroads!\\RailRoads.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\CrossLoop\\CrossLoopConnect.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

.
Contents of the 'Scheduled Tasks' folder

2008-12-30 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-12-30 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-12-31 c:\windows\Tasks\qctkvnpr.job
- c:\windows\system32\rundll32.exe [2006-03-15 07:00]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SigmatelSysTrayApp - sttray.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.15westbellamy.com/home/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

c:\windows\Downloaded Program Files\stg_drm.ocx - c:\windows\Downloaded Program Files\CONFLICT.1\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.2\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.3\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.4\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.5\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.6\stg_drm.ocx
O16 -: {149E45D8-163E-4189-86FC-45022AB2B6C9}
file://c:\program files\Jewelleria\Images\stg_drm.ocx
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\p0xsdzkl.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-31 10:37:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-117609710-1547161642-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\EA GAMES\T*NULL*h*NULL*e*NULL* *NULL*S*NULL*i*NULL*m*NULL*s*NULL*"! *NULL*2*NULL* *NULL*F*NULL*r*NULL*e*NULL*e*NULL*T*NULL*i*NULL*m*NULL*e*NULL*]
@Security="Inherited"
"Order"=hex:08,00,00,00,02,00,00,00,fe,03,00,00,01,00,00,00,07,00,00,00,98,00,\
00,00,00,00,00,00,8a,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,78,00,32,\
00,7a,00,00,00,64,38,ae,a5,20,00,45,4c,45,43,54,52,7e,31,2e,55,52,4c,00,00,\
4e,00,03,00,04,00,ef,be,64,38,ae,a5,64,38,ae,a5,14,00,00,00,45,00,6c,00,65,\
00,63,00,74,00,72,00,6f,00,6e,00,69,00,63,00,20,00,52,00,65,00,67,00,69,00,\
73,00,74,00,72,00,61,00,74,00,69,00,6f,00,6e,00,2e,00,75,00,72,00,6c,00,00,\
00,1c,00,0e,00,00,00,0a,00,ef,be,00,00,00,00,1c,00,00,00,00,00,00,00,00,00,\
78,00,00,00,01,00,00,00,6a,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,58,\
00,32,00,ba,03,00,00,64,38,ae,a5,20,00,52,45,41,44,4d,45,7e,31,2e,4c,4e,4b,\
00,00,2e,00,03,00,04,00,ef,be,64,38,ae,a5,64,38,ae,a5,14,00,00,00,52,00,65,\
00,61,00,64,00,20,00,4d,00,65,00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,\
00,00,0a,00,ef,be,00,00,00,00,1c,00,00,00,00,00,00,00,00,00,8c,00,00,00,02,\
00,00,00,7e,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,6c,00,32,00,d1,04,\
00,00,64,38,ae,a5,20,00,54,45,43,48,4e,49,7e,31,2e,4c,4e,4b,00,00,42,00,03,\
00,04,00,ef,be,64,38,ae,a5,64,38,ae,a5,14,00,00,00,54,00,65,00,63,00,68,00,\
6e,00,69,00,63,00,61,00,6c,00,20,00,53,00,75,00,70,00,70,00,6f,00,72,00,74,\
00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,be,00,00,00,00,\
1c,00,00,00,00,00,00,00,00,00,94,00,00,00,03,00,00,00,86,00,00,00,41,75,67,\
4d,02,00,00,00,01,00,00,00,74,00,32,00,95,07,00,00,64,38,ae,a5,20,00,54,48,\
45,53,49,4d,7e,32,2e,4c,4e,4b,00,00,4a,00,03,00,04,00,ef,be,64,38,ae,a5,64,\
38,ae,a5,14,00,00,00,54,00,68,00,65,00,20,00,53,00,69,00,6d,00,73,00,22,21,\
20,00,32,00,20,00,42,00,6f,00,64,00,79,00,20,00,53,00,68,00,6f,00,70,00,2e,\
00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,be,00,00,00,00,1c,00,\
00,00,00,00,00,00,00,00,92,00,00,00,04,00,00,00,84,00,00,00,41,75,67,4d,02,\
00,00,00,01,00,00,00,72,00,32,00,8b,07,00,00,64,38,ae,a5,20,00,54,48,45,53,\
49,4d,7e,31,2e,4c,4e,4b,00,00,48,00,03,00,04,00,ef,be,64,38,ae,a5,64,38,ae,\
a5,14,00,00,00,54,00,68,00,65,00,20,00,53,00,69,00,6d,00,73,00,22,21,20,00,\
32,00,20,00,46,00,72,00,65,00,65,00,54,00,69,00,6d,00,65,00,2e,00,6c,00,6e,\
00,6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,be,00,00,00,00,1c,00,00,00,00,00,\
00,00,00,00,a6,00,00,00,05,00,00,00,98,00,00,00,41,75,67,4d,02,00,00,00,01,\
00,00,00,86,00,32,00,3f,07,00,00,64,38,ae,a5,20,00,55,4e,49,4e,53,54,7e,31,\
2e,4c,4e,4b,00,00,5c,00,03,00,04,00,ef,be,64,38,ae,a5,64,38,ae,a5,14,00,00,\
00,55,00,6e,00,69,00,6e,00,73,00,74,00,61,00,6c,00,6c,00,20,00,54,00,68,00,\
65,00,20,00,53,00,69,00,6d,00,73,00,22,21,20,00,32,00,20,00,46,00,72,00,65,\
00,65,00,54,00,69,00,6d,00,65,00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,\
00,00,0a,00,ef,be,00,00,00,00,1c,00,00,00,00,00,00,00,00,00,8a,00,00,00,06,\
00,00,00,7c,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,6a,00,32,00,31,00,\
00,00,64,38,ae,a5,20,00,57,57,57,54,48,45,7e,31,2e,55,52,4c,00,00,40,00,03,\
00,04,00,ef,be,64,38,ae,a5,64,38,ae,a5,14,00,00,00,77,00,77,00,77,00,2e,00,\
74,00,68,00,65,00,73,00,69,00,6d,00,73,00,32,00,2e,00,63,00,6f,00,6d,00,2e,\
00,75,00,72,00,6c,00,00,00,1c,00,0e,00,00,00,0a,00,ef,be,00,00,00,00,1c,00,\
00,00,00,00,00,00,00,00

[HKEY_USERS\S-1-5-21-117609710-1547161642-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\EA GAMES\T*NULL*h*NULL*e*NULL* *NULL*S*NULL*i*NULL*m*NULL*s*NULL*"! *NULL*2*NULL* *NULL*S*NULL*e*NULL*a*NULL*s*NULL*o*NULL*n*NULL*s*NULL*]
@Security="Inherited"
"Order"=hex:08,00,00,00,02,00,00,00,76,04,00,00,01,00,00,00,08,00,00,00,7c,00,\
00,00,00,00,00,00,6e,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,5c,00,32,\
00,05,04,00,00,49,38,7c,01,20,00,45,41,53,59,49,4e,7e,31,2e,4c,4e,4b,00,00,\
32,00,03,00,04,00,ef,be,49,38,7c,01,5d,38,cf,6c,14,00,00,00,45,00,41,00,73,\
00,79,00,20,00,49,00,6e,00,66,00,6f,00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,\
0e,00,00,00,0a,00,ef,be,00,00,00,00,1c,00,00,00,00,00,00,00,00,00,98,00,00,\
00,01,00,00,00,8a,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,78,00,32,00,\
09,04,00,00,49,38,7c,01,20,00,45,4c,45,43,54,52,7e,31,2e,4c,4e,4b,00,00,4e,\
00,03,00,04,00,ef,be,49,38,7c,01,5d,38,cf,6c,14,00,00,00,45,00,6c,00,65,00,\
63,00,74,00,72,00,6f,00,6e,00,69,00,63,00,20,00,52,00,65,00,67,00,69,00,73,\
00,74,00,72,00,61,00,74,00,69,00,6f,00,6e,00,2e,00,6c,00,6e,00,6b,00,00,00,\
1c,00,0e,00,00,00,0a,00,ef,be,00,00,00,00,1c,00,00,00,00,00,00,00,00,00,78,\
00,00,00,02,00,00,00,6a,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,58,00,\
32,00,b5,03,00,00,49,38,7c,01,20,00,52,45,41,44,4d,45,7e,31,2e,4c,4e,4b,00,\
00,2e,00,03,00,04,00,ef,be,49,38,7c,01,5d,38,cf,6c,14,00,00,00,52,00,65,00,\
61,00,64,00,20,00,4d,00,65,00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,00,\
00,0a,00,ef,be,00,00,00,00,1c,00,00,00,00,00,00,00,00,00,8c,00,00,00,03,00,\
00,00,7e,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,6c,00,32,00,ca,04,00,\
00,49,38,7c,01,20,00,54,45,43,48,4e,49,7e,31,2e,4c,4e,4b,00,00,42,00,03,00,\
04,00,ef,be,49,38,7c,01,5d,38,cf,6c,14,00,00,00,54,00,65,00,63,00,68,00,6e,\
00,69,00,63,00,61,00,6c,00,20,00,53,00,75,00,70,00,70,00,6f,00,72,00,74,00,\
2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,be,00,00,00,00,1c,\
00,00,00,00,00,00,00,00,00,94,00,00,00,04,00,00,00,86,00,00,00,41,75,67,4d,\
02,00,00,00,01,00,00,00,74,00,32,00,8c,07,00,00,49,38,7c,01,20,00,54,48,45,\
53,49,4d,7e,32,2e,4c,4e,4b,00,00,4a,00,03,00,04,00,ef,be,49,38,7c,01,5d,38,\
cf,6c,14,00,00,00,54,00,68,00,65,00,20,00,53,00,69,00,6d,00,73,00,20,00,32,\
00,22,21,20,00,42,00,6f,00,64,00,79,00,20,00,53,00,68,00,6f,00,70,00,2e,00,\
6c,00,6e,00,6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,be,00,00,00,00,1c,00,00,\
00,00,00,00,00,00,00,90,00,00,00,05,00,00,00,82,00,00,00,41,75,67,4d,02,00,\
00,00,01,00,00,00,70,00,32,00,67,07,00,00,49,38,7c,01,20,00,54,48,45,53,49,\
4d,7e,31,2e,4c,4e,4b,00,00,46,00,03,00,04,00,ef,be,49,38,7c,01,5d,38,cf,6c,\
14,00,00,00,54,00,68,00,65,00,20,00,53,00,69,00,6d,00,73,00,22,21,20,00,32,\
00,20,00,53,00,65,00,61,00,73,00,6f,00,6e,00,73,00,2e,00,6c,00,6e,00,6b,00,\
00,00,1c,00,0e,00,00,00,0a,00,ef,be,00,00,00,00,1c,00,00,00,00,00,00,00,00,\
00,a4,00,00,00,06,00,00,00,96,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,\
84,00,32,00,34,07,00,00,49,38,7c,01,20,00,55,4e,49,4e,53,54,7e,31,2e,4c,4e,\
4b,00,00,5a,00,03,00,04,00,ef,be,49,38,7c,01,5d,38,cf,6c,14,00,00,00,55,00,\
6e,00,69,00,6e,00,73,00,74,00,61,00,6c,00,6c,00,20,00,54,00,68,00,65,00,20,\
00,53,00,69,00,6d,00,73,00,22,21,20,00,32,00,20,00,53,00,65,00,61,00,73,00,\
6f,00,6e,00,73,00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,\
be,00,00,00,00,1c,00,00,00,00,00,00,00,00,00,8a,00,00,00,07,00,00,00,7c,00,\
00,00,41,75,67,4d,02,00,00,00,01,00,00,00,6a,00,32,00,58,04,00,00,49,38,7d,\
01,20,00,57,57,57,54,48,45,7e,31,2e,4c,4e,4b,00,00,40,00,03,00,04,00,ef,be,\
49,38,7d,01,5d,38,cf,6c,14,00,00,00,77,00,77,00,77,00,2e,00,74,00,68,00,65,\
00,73,00,69,00,6d,00,73,00,32,00,2e,00,63,00,6f,00,6d,00,2e,00,6c,00,6e,00,\
6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,be,00,00,00,00,1c,00,00,00,00,00,00,\
00,00,00

[HKEY_USERS\S-1-5-21-117609710-1547161642-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\EA GAMES\T*NULL*h*NULL*e*NULL* *NULL*S*NULL*i*NULL*m*NULL*s*NULL*"! *NULL*2*NULL* *NULL*T*NULL*e*NULL*e*NULL*n*NULL* *NULL*S*NULL*t*NULL*y*NULL*l*NULL*e*NULL* *NULL*S*NULL*t*NULL*u*NULL*f*NULL*f*NULL*]
@Security="Inherited"
"Order"=hex:08,00,00,00,02,00,00,00,1e,04,00,00,01,00,00,00,07,00,00,00,98,00,\
00,00,00,00,00,00,8a,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,78,00,32,\
00,7a,00,00,00,49,38,9c,00,20,00,45,4c,45,43,54,52,7e,31,2e,55,52,4c,00,00,\
4e,00,03,00,04,00,ef,be,49,38,9c,00,5d,38,cf,6c,14,00,00,00,45,00,6c,00,65,\
00,63,00,74,00,72,00,6f,00,6e,00,69,00,63,00,20,00,52,00,65,00,67,00,69,00,\
73,00,74,00,72,00,61,00,74,00,69,00,6f,00,6e,00,2e,00,75,00,72,00,6c,00,00,\
00,1c,00,0e,00,00,00,0a,00,ef,be,00,00,00,00,1c,00,00,00,00,00,00,00,00,00,\
78,00,00,00,01,00,00,00,6a,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,58,\
00,32,00,e2,03,00,00,49,38,9c,00,20,00,52,45,41,44,4d,45,7e,31,2e,4c,4e,4b,\
00,00,2e,00,03,00,04,00,ef,be,49,38,9c,00,5d,38,cf,6c,14,00,00,00,52,00,65,\
00,61,00,64,00,20,00,4d,00,65,00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,\
00,00,0a,00,ef,be,00,00,00,00,1c,00,00,00,00,00,00,00,00,00,8c,00,00,00,02,\
00,00,00,7e,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,6c,00,32,00,09,05,\
00,00,49,38,9c,00,20,00,54,45,43,48,4e,49,7e,31,2e,4c,4e,4b,00,00,42,00,03,\
00,04,00,ef,be,49,38,9c,00,5d,38,cf,6c,14,00,00,00,54,00,65,00,63,00,68,00,\
6e,00,69,00,63,00,61,00,6c,00,20,00,53,00,75,00,70,00,70,00,6f,00,72,00,74,\
00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,be,00,00,00,00,\
1c,00,00,00,00,00,00,00,00,00,94,00,00,00,03,00,00,00,86,00,00,00,41,75,67,\
4d,02,00,00,00,01,00,00,00,74,00,32,00,dd,07,00,00,49,38,9c,00,20,00,54,48,\
45,53,49,4d,7e,32,2e,4c,4e,4b,00,00,4a,00,03,00,04,00,ef,be,49,38,9c,00,5d,\
38,cf,6c,14,00,00,00,54,00,68,00,65,00,20,00,53,00,69,00,6d,00,73,00,22,21,\
20,00,32,00,20,00,42,00,6f,00,64,00,79,00,20,00,53,00,68,00,6f,00,70,00,2e,\
00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,be,00,00,00,00,1c,00,\
00,00,00,00,00,00,00,00,a2,00,00,00,04,00,00,00,94,00,00,00,41,75,67,4d,02,\
00,00,00,01,00,00,00,82,00,32,00,e3,07,00,00,49,38,9c,00,20,00,54,48,45,53,\
49,4d,7e,31,2e,4c,4e,4b,00,00,58,00,03,00,04,00,ef,be,49,38,9c,00,5d,38,cf,\
6c,14,00,00,00,54,00,68,00,65,00,20,00,53,00,69,00,6d,00,73,00,22,21,20,00,\
32,00,20,00,54,00,65,00,65,00,6e,00,20,00,53,00,74,00,79,00,6c,00,65,00,20,\
00,53,00,74,00,75,00,66,00,66,00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,\
00,00,0a,00,ef,be,00,00,00,00,1c,00,00,00,00,00,00,00,00,00,b6,00,00,00,05,\
00,00,00,a8,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,96,00,32,00,97,07,\
00,00,49,38,9c,00,20,00,55,4e,49,4e,53,54,7e,31,2e,4c,4e,4b,00,00,6c,00,03,\
00,04,00,ef,be,49,38,9c,00,5d,38,cf,6c,14,00,00,00,55,00,6e,00,69,00,6e,00,\
73,00,74,00,61,00,6c,00,6c,00,20,00,54,00,68,00,65,00,20,00,53,00,69,00,6d,\
00,73,00,22,21,20,00,32,00,20,00,54,00,65,00,65,00,6e,00,20,00,53,00,74,00,\
79,00,6c,00,65,00,20,00,53,00,74,00,75,00,66,00,66,00,2e,00,6c,00,6e,00,6b,\
00,00,00,1c,00,0e,00,00,00,0a,00,ef,be,00,00,00,00,1c,00,00,00,00,00,00,00,\
00,00,8a,00,00,00,06,00,00,00,7c,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,\
00,6a,00,32,00,6a,04,00,00,49,38,9c,00,20,00,57,57,57,54,48,45,7e,31,2e,4c,\
4e,4b,00,00,40,00,03,00,04,00,ef,be,49,38,9c,00,5d,38,cf,6c,14,00,00,00,77,\
00,77,00,77,00,2e,00,74,00,68,00,65,00,73,00,69,00,6d,00,73,00,32,00,2e,00,\
63,00,6f,00,6d,00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,\
be,00,00,00,00,1c,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}]
@Owner=S-1-5-21-117609710-1547161642-725345543-1003
@Denied: (A 2) (Everyone)
@Denied: (A 2) (S-1-5-7)
@="FlashProp Class"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\InprocServer32]
@Owner=S-1-5-21-117609710-1547161642-725345543-1003
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\Flash9b.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\Programmable]
@Owner=S-1-5-21-117609710-1547161642-725345543-1003

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\*NULL*_ |*NULL*]
@Security="Inherited"
"DisplayName"="?\11"
"DeviceDesc"="?\11"
"ProviderName"="?\11???\11\08"
"MFG"="??\09"
"ReinstallString"="8.561.0.0000"
"DeviceInstanceIds"=multi:"c:\\ati\\support\\8-12_xp32_dd_ccc_wdm_enu_72271\\driver\\driver\\xp_inf\\cx_72271.inf\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\*NULL*u |*NULL*]
@Security="Inherited"
"DisplayName"="?\11"
"DeviceDesc"="?\11"
"ProviderName"="?\11???\11\08"
"MFG"="??\09"
"ReinstallString"="8.241.0.0"
"DeviceInstanceIds"=multi:"d:\\install\\driver\\2kxp_inf\\cx_31962.inf\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1004)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\LexBceS.exe
c:\windows\system32\Lexpps.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\program files\McAfee\VirusScan\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\PSIService.exe
c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\dllhost.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-12-31 10:45:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-31 15:44:51

Pre-Run: 106,632,015,872 bytes free
Post-Run: 112,500,064,256 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

959 --- E O F --- 2008-12-22 03:48:51
  • 0

#6
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

File::
c:\windows\system32\cneedx.dll
c:\windows\system32\dzmgyo.dll
c:\windows\system32\xkjpgf.dll
c:\windows\Tasks\qctkvnpr.job
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on ComboFix's window while it's running. That may cause it to stall.
  • 0
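As an added example (not code from this thread, from the helper, or from ComboFix itself): a small Python script that reads the Run-key values ComboFix prints under "Reg Loading Points", flags any value whose target is a .dll rather than an .exe, and drafts a CFScript in the File:: / Registry:: layout used in the post above, so a helper can review candidate entries before writing the real script. The flagging rule is my own assumption (a Run value normally launches an executable, so one pointing straight at a DLL is unusual), the sample log lines are constructed in the format ComboFix uses, and the function names are mine.

```python
"""Draft a ComboFix CFScript from the Run-key entries of a ComboFix log.

Added example for this thread; not ComboFix's own code and not the helper's script.
"""
import re
from dataclasses import dataclass

# Constructed sample in the layout ComboFix uses under 'Reg Loading Points':
# a [key] header followed by "name"="target" [date size] lines.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"autochk"="c:\docume~1\NETWOR~1\protect.dll" [2008-12-31 21504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"autochk"="c:\windows\system32\autochk.dll" [2009-01-01 21504]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 c:\windows\LOGI_MWX.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[([^\]]*)\]$')


@dataclass(frozen=True)
class RunEntry:
    key: str      # registry key the value lives under
    name: str     # value name, e.g. "autochk"
    target: str   # command or path the value points at
    info: str     # ComboFix's bracketed date/size annotation


def parse_run_entries(log_text):
    """Return every value listed under a CurrentVersion Run key."""
    entries = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)
            # Only track Run keys; other keys (security center etc.) are ignored.
            current_key = key if key.lower().endswith("\\run") else None
            continue
        if current_key is None:
            continue
        value_match = VALUE_RE.match(line)
        if value_match:
            entries.append(RunEntry(current_key, *value_match.groups()))
    return entries


def is_dll_target(entry):
    """Heuristic (assumption): a Run value normally launches an .exe, so a
    value that points straight at a .dll is unusual and worth a helper's look."""
    return entry.target.lower().endswith(".dll")


def draft_cfscript(entries):
    """Build CFScript text in the File:: / Registry:: layout from flagged entries.
    The '"name"=-' form deletes a value, as in the helper's script above."""
    flagged = [e for e in entries if is_dll_target(e)]
    if not flagged:
        return ""
    lines = ["File::"] + [e.target for e in flagged]
    lines.append("Registry::")
    by_key = {}
    for e in flagged:
        by_key.setdefault(e.key, []).append(e.name)
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for name in names)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_run_entries(SAMPLE_LOG)
    print(f"{len(found)} Run entries, {sum(map(is_dll_target, found))} pointing at a DLL")
    print(draft_cfscript(found))
```

The output is a draft only: a helper would still check each flagged path (for example, expand 8.3 short names such as `docume~1` to the full path) and decide what belongs in the real CFScript before dragging it onto ComboFix.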

#7
thisisaperson

    New Member

  • Topic Starter
  • Member
  • 9 posts
ComboFix 08-12-31.01 - user 2009-01-01 23:31:03.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.693 [GMT -5:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point

FILE ::
c:\windows\system32\cneedx.dll
c:\windows\system32\dzmgyo.dll
c:\windows\system32\xkjpgf.dll
c:\windows\Tasks\qctkvnpr.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\autochk.dll
c:\windows\Tasks\qctkvnpr.job

.
((((((((((((((((((((((((( Files Created from 2008-12-02 to 2009-01-02 )))))))))))))))))))))))))))))))
.

2009-01-01 16:18 . 2009-01-01 16:18 <DIR> d-------- c:\documents and settings\user\Application Data\SPORE
2009-01-01 16:17 . 2009-01-01 16:17 <DIR> dr-h----- c:\documents and settings\user\Application Data\SecuROM
2008-12-31 15:14 . 2008-12-31 15:14 21,504 --ahs---- c:\documents and settings\NetworkService\protect.dll
2008-12-31 09:06 . 2008-12-31 09:06 <DIR> d-------- C:\VundoFix Backups
2008-12-31 08:47 . 2008-12-31 08:47 <DIR> d-------- c:\program files\ERUNT
2008-12-30 23:21 . 2008-12-30 23:21 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-30 23:21 . 2008-12-30 23:21 <DIR> d-------- c:\documents and settings\user\Application Data\Malwarebytes
2008-12-30 23:21 . 2008-12-30 23:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-30 23:21 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-30 23:21 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-30 16:00 . 2008-12-30 16:00 21,504 --ahs---- c:\documents and settings\Debbie\protect.dll
2008-12-30 15:47 . 2009-01-01 23:35 5,171 --a------ c:\windows\system32\Config.MPF
2008-12-30 14:41 . 2006-03-03 08:07 143,360 --a------ c:\windows\system32\dunzip32.dll
2008-12-30 14:37 . 2007-11-22 06:44 201,320 --a------ c:\windows\system32\drivers\mfehidk.sys
2008-12-30 14:37 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys
2008-12-30 14:37 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
2008-12-30 14:37 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
2008-12-30 14:37 . 2007-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
2008-12-30 14:37 . 2007-11-22 06:44 33,832 --a------ c:\windows\system32\drivers\mferkdk.sys
2008-12-30 14:36 . 2008-12-30 14:36 <DIR> d-------- c:\program files\McAfee.com
2008-12-30 14:35 . 2008-12-30 16:53 <DIR> d-------- c:\program files\McAfee
2008-12-30 14:35 . 2008-12-30 14:37 <DIR> d-------- c:\program files\Common Files\McAfee
2008-12-30 12:51 . 2008-12-30 15:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-12-30 11:55 . 2008-12-30 11:55 21,504 --ahs---- c:\documents and settings\user\protect.dll
2008-12-29 14:51 . 2008-12-29 14:51 <DIR> d-------- c:\program files\Lavasoft
2008-12-29 14:51 . 2008-12-29 14:51 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-29 14:51 . 2008-12-29 14:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-29 14:33 . 2008-12-29 14:33 <DIR> d-------- c:\documents and settings\Administrator
2008-12-25 20:44 . 2008-12-25 20:44 <DIR> d-------- C:\ProgramData
2008-12-25 20:44 . 2008-12-25 21:22 <DIR> d-------- c:\documents and settings\Debbie\Application Data\SPORE
2008-12-25 20:44 . 2008-12-25 20:44 <DIR> dr-h----- c:\documents and settings\Debbie\Application Data\SecuROM
2008-12-25 20:43 . 2008-12-25 20:43 1,216 --a------ c:\windows\system32\ealregsnapshot1.reg
2008-12-25 20:33 . 2008-12-25 20:44 <DIR> d-------- c:\program files\Electronic Arts
2008-12-24 17:27 . 2007-08-01 22:47 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-12-23 22:30 . 2008-12-23 22:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\ATI
2008-12-23 22:26 . 2008-12-23 22:30 <DIR> d-------- c:\program files\ATI
2008-12-23 22:25 . 2008-12-23 22:26 <DIR> d-------- c:\program files\ATI Technologies
2008-12-23 22:25 . 2008-12-01 14:35 593,920 --a------ c:\windows\system32\ati2sgag.exe
2008-12-23 22:24 . 2008-12-23 22:24 <DIR> d-------- C:\ATI
2008-12-23 22:16 . 2008-12-23 22:16 <DIR> d-------- c:\windows\system32\XPSViewer
2008-12-23 22:16 . 2008-12-23 22:16 <DIR> d-------- c:\program files\MSBuild
2008-12-23 22:15 . 2008-12-23 22:16 <DIR> d-------- C:\0fa6b3ced8c5037d5b915dbf00429a8c
2008-12-23 21:57 . 2008-12-23 21:57 10 --a------ c:\windows\WININIT.INI
2008-12-23 21:48 . 2008-12-23 22:00 <DIR> d-------- c:\windows\SxsCaPendDel
2008-12-17 22:15 . 2008-12-17 22:15 0 --a------ c:\windows\ativpsrm.bin
2008-12-16 13:18 . 2008-12-16 13:18 <DIR> d-------- c:\documents and settings\Debbie\Application Data\World-LooM
2008-12-08 11:19 . 2008-12-08 11:21 <DIR> d-------- c:\documents and settings\user\Application Data\Juniper Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-26 01:44 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-25 05:07 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-25 04:20 --------- d-----w c:\documents and settings\All Users\Application Data\BigFishGamesCache
2008-12-18 17:26 --------- d-----w c:\program files\Mystery Case Files - Huntsville
2008-12-12 13:21 --------- d-----w c:\program files\Java
2008-12-07 02:44 --------- d-----w c:\program files\Common Files\Adobe
2008-12-07 02:44 --------- d-----w c:\documents and settings\user\Application Data\AdobeUM
2008-12-04 20:51 --------- d-----w c:\program files\Restaurant Rush
2008-12-01 22:13 3,452,928 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2008-12-01 19:51 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2008-11-29 15:07 --------- d-----w c:\program files\Logitech
2008-11-29 15:07 --------- d-----w c:\program files\Common Files\Remote Control Software Common
2008-11-29 15:06 127,034 ------r c:\windows\bwUnin-8.1.1.50-8876480SL.exe
2008-11-29 15:06 --------- d-----w c:\program files\Common Files\Remote Control USB Driver
2008-11-27 13:45 --------- d-----w c:\program files\Microsoft Silverlight
2008-11-10 05:50 --------- d-----w c:\program files\Google
2008-11-09 16:41 --------- d-----w c:\program files\ReflexiveArcade
2008-11-08 16:11 --------- d-----w c:\documents and settings\Debbie\Application Data\GameHouse
2008-11-08 16:03 --------- d-----w c:\program files\GameHouse
2008-11-08 05:39 --------- d-----w c:\program files\Shockwave.com
2008-11-07 01:51 --------- d-----w c:\program files\bfgclient
2007-11-22 22:06 32 ----a-r c:\documents and settings\All Users\hash.dat
2004-07-19 02:27 372,736 ----a-w c:\program files\putty.exe
2008-11-14 02:34 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-11-14 02:34 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-11-14 02:34 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-11-14 02:34 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-11-14 02:34 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2007-12-05 18:35 88 --sha-r c:\windows\system32\575DF840AB.sys
2007-12-05 18:35 2,828 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( [email protected]_10.44.04.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-31 15:22:49 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-02 03:04:08 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-31 15:22:49 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-02 03:04:08 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-02 04:37:19 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_64c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"autochk"="c:\docume~1\NETWOR~1\protect.dll" [2008-12-31 21504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-06-07 9129984]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\2\printray.exe" [2001-03-27 36864]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"autochk"="c:\windows\system32\autochk.dll" [2009-01-01 21504]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 c:\windows\LOGI_MWX.EXE]

c:\documents and settings\Debbie\Start Menu\Programs\Startup\
ChkDisk.dll [2008-12-30 21504]
ChkDisk.lnk - c:\windows\system32\rundll32.exe [2006-03-15 33280]

c:\documents and settings\user\Start Menu\Programs\Startup\
ChkDisk.dll [2008-12-30 21504]
ChkDisk.lnk - c:\windows\system32\rundll32.exe [2006-03-15 33280]
Wallpaper Changer.lnk - c:\program files\WallpaperToy\Wallpapertoy.Exe [2007-09-02 110592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-11-29 67128]
VPN Client.lnk - c:\windows\Installer\{176130BC-99A1-41FE-A78B-56045E33AD70}\Icon3E5562ED7.ico [2007-03-05 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.mpng"= c:\program files\[email protected]\0.956\686\tabdec.dll
"vidc.mjpg"= c:\program files\[email protected]\0.956\686\tabdec.dll
"vidc.mvjp"= c:\program files\[email protected]\0.956\686\tabdec.dll
"vidc.444p"= c:\program files\[email protected]\0.956\686\tabdec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\FileZilla\\FileZilla.exe"=
"c:\\ftp\\WS_FTP32.EXE"=
"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"c:\\Program Files\\Macromedia\\Flash MX\\Flash.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Railroads!\\RailRoads.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

.
Contents of the 'Scheduled Tasks' folder

2008-12-30 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-12-30 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.15westbellamy.com/home/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

c:\windows\Downloaded Program Files\stg_drm.ocx - c:\windows\Downloaded Program Files\CONFLICT.1\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.2\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.3\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.4\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.5\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.6\stg_drm.ocx
O16 -: {149E45D8-163E-4189-86FC-45022AB2B6C9}
file://c:\program files\Jewelleria\Images\stg_drm.ocx
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\p0xsdzkl.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-01 23:38:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-117609710-1547161642-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\EA GAMES\T*NULL*h*NULL*e*NULL* *NULL*S*NULL*i*NULL*m*NULL*s*NULL*"! *NULL*2*NULL* *NULL*F*NULL*r*NULL*e*NULL*e*NULL*T*NULL*i*NULL*m*NULL*e*NULL*]
@Security="Inherited"
"Order"=hex:08,00,00,00,02,00,00,00,fe,03,00,00,01,00,00,00,07,00,00,00,98,00,\
00,00,00,00,00,00,8a,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,78,00,32,\
00,7a,00,00,00,64,38,ae,a5,20,00,45,4c,45,43,54,52,7e,31,2e,55,52,4c,00,00,\
4e,00,03,00,04,00,ef,be,64,38,ae,a5,64,38,ae,a5,14,00,00,00,45,00,6c,00,65,\
00,63,00,74,00,72,00,6f,00,6e,00,69,00,63,00,20,00,52,00,65,00,67,00,69,00,\
73,00,74,00,72,00,61,00,74,00,69,00,6f,00,6e,00,2e,00,75,00,72,00,6c,00,00,\
00,1c,00,0e,00,00,00,0a,00,ef,be,00,00,00,00,1c,00,00,00,00,00,00,00,00,00,\
78,00,00,00,01,00,00,00,6a,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,58,\
00,32,00,ba,03,00,00,64,38,ae,a5,20,00,52,45,41,44,4d,45,7e,31,2e,4c,4e,4b,\
00,00,2e,00,03,00,04,00,ef,be,64,38,ae,a5,64,38,ae,a5,14,00,00,00,52,00,65,\
00,61,00,64,00,20,00,4d,00,65,00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,\
00,00,0a,00,ef,be,00,00,00,00,1c,00,00,00,00,00,00,00,00,00,8c,00,00,00,02,\
00,00,00,7e,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,6c,00,32,00,d1,04,\
00,00,64,38,ae,a5,20,00,54,45,43,48,4e,49,7e,31,2e,4c,4e,4b,00,00,42,00,03,\
00,04,00,ef,be,64,38,ae,a5,64,38,ae,a5,14,00,00,00,54,00,65,00,63,00,68,00,\
6e,00,69,00,63,00,61,00,6c,00,20,00,53,00,75,00,70,00,70,00,6f,00,72,00,74,\
00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,be,00,00,00,00,\
1c,00,00,00,00,00,00,00,00,00,94,00,00,00,03,00,00,00,86,00,00,00,41,75,67,\
4d,02,00,00,00,01,00,00,00,74,00,32,00,95,07,00,00,64,38,ae,a5,20,00,54,48,\
45,53,49,4d,7e,32,2e,4c,4e,4b,00,00,4a,00,03,00,04,00,ef,be,64,38,ae,a5,64,\
38,ae,a5,14,00,00,00,54,00,68,00,65,00,20,00,53,00,69,00,6d,00,73,00,22,21,\
20,00,32,00,20,00,42,00,6f,00,64,00,79,00,20,00,53,00,68,00,6f,00,70,00,2e,\
00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,be,00,00,00,00,1c,00,\
00,00,00,00,00,00,00,00,92,00,00,00,04,00,00,00,84,00,00,00,41,75,67,4d,02,\
00,00,00,01,00,00,00,72,00,32,00,8b,07,00,00,64,38,ae,a5,20,00,54,48,45,53,\
49,4d,7e,31,2e,4c,4e,4b,00,00,48,00,03,00,04,00,ef,be,64,38,ae,a5,64,38,ae,\
a5,14,00,00,00,54,00,68,00,65,00,20,00,53,00,69,00,6d,00,73,00,22,21,20,00,\
32,00,20,00,46,00,72,00,65,00,65,00,54,00,69,00,6d,00,65,00,2e,00,6c,00,6e,\
00,6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,be,00,00,00,00,1c,00,00,00,00,00,\
00,00,00,00,a6,00,00,00,05,00,00,00,98,00,00,00,41,75,67,4d,02,00,00,00,01,\
00,00,00,86,00,32,00,3f,07,00,00,64,38,ae,a5,20,00,55,4e,49,4e,53,54,7e,31,\
2e,4c,4e,4b,00,00,5c,00,03,00,04,00,ef,be,64,38,ae,a5,64,38,ae,a5,14,00,00,\
00,55,00,6e,00,69,00,6e,00,73,00,74,00,61,00,6c,00,6c,00,20,00,54,00,68,00,\
65,00,20,00,53,00,69,00,6d,00,73,00,22,21,20,00,32,00,20,00,46,00,72,00,65,\
00,65,00,54,00,69,00,6d,00,65,00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,\
00,00,0a,00,ef,be,00,00,00,00,1c,00,00,00,00,00,00,00,00,00,8a,00,00,00,06,\
00,00,00,7c,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,6a,00,32,00,31,00,\
00,00,64,38,ae,a5,20,00,57,57,57,54,48,45,7e,31,2e,55,52,4c,00,00,40,00,03,\
00,04,00,ef,be,64,38,ae,a5,64,38,ae,a5,14,00,00,00,77,00,77,00,77,00,2e,00,\
74,00,68,00,65,00,73,00,69,00,6d,00,73,00,32,00,2e,00,63,00,6f,00,6d,00,2e,\
00,75,00,72,00,6c,00,00,00,1c,00,0e,00,00,00,0a,00,ef,be,00,00,00,00,1c,00,\
00,00,00,00,00,00,00,00

[HKEY_USERS\S-1-5-21-117609710-1547161642-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\EA GAMES\T*NULL*h*NULL*e*NULL* *NULL*S*NULL*i*NULL*m*NULL*s*NULL*"! *NULL*2*NULL* *NULL*S*NULL*e*NULL*a*NULL*s*NULL*o*NULL*n*NULL*s*NULL*]
@Security="Inherited"
"Order"=hex:08,00,00,00,02,00,00,00,76,04,00,00,01,00,00,00,08,00,00,00,7c,00,\
00,00,00,00,00,00,6e,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,5c,00,32,\
00,05,04,00,00,49,38,7c,01,20,00,45,41,53,59,49,4e,7e,31,2e,4c,4e,4b,00,00,\
32,00,03,00,04,00,ef,be,49,38,7c,01,5d,38,cf,6c,14,00,00,00,45,00,41,00,73,\
00,79,00,20,00,49,00,6e,00,66,00,6f,00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,\
0e,00,00,00,0a,00,ef,be,00,00,00,00,1c,00,00,00,00,00,00,00,00,00,98,00,00,\
00,01,00,00,00,8a,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,78,00,32,00,\
09,04,00,00,49,38,7c,01,20,00,45,4c,45,43,54,52,7e,31,2e,4c,4e,4b,00,00,4e,\
00,03,00,04,00,ef,be,49,38,7c,01,5d,38,cf,6c,14,00,00,00,45,00,6c,00,65,00,\
63,00,74,00,72,00,6f,00,6e,00,69,00,63,00,20,00,52,00,65,00,67,00,69,00,73,\
00,74,00,72,00,61,00,74,00,69,00,6f,00,6e,00,2e,00,6c,00,6e,00,6b,00,00,00,\
1c,00,0e,00,00,00,0a,00,ef,be,00,00,00,00,1c,00,00,00,00,00,00,00,00,00,78,\
00,00,00,02,00,00,00,6a,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,58,00,\
32,00,b5,03,00,00,49,38,7c,01,20,00,52,45,41,44,4d,45,7e,31,2e,4c,4e,4b,00,\
00,2e,00,03,00,04,00,ef,be,49,38,7c,01,5d,38,cf,6c,14,00,00,00,52,00,65,00,\
61,00,64,00,20,00,4d,00,65,00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,00,\
00,0a,00,ef,be,00,00,00,00,1c,00,00,00,00,00,00,00,00,00,8c,00,00,00,03,00,\
00,00,7e,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,6c,00,32,00,ca,04,00,\
00,49,38,7c,01,20,00,54,45,43,48,4e,49,7e,31,2e,4c,4e,4b,00,00,42,00,03,00,\
04,00,ef,be,49,38,7c,01,5d,38,cf,6c,14,00,00,00,54,00,65,00,63,00,68,00,6e,\
00,69,00,63,00,61,00,6c,00,20,00,53,00,75,00,70,00,70,00,6f,00,72,00,74,00,\
2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,be,00,00,00,00,1c,\
00,00,00,00,00,00,00,00,00,94,00,00,00,04,00,00,00,86,00,00,00,41,75,67,4d,\
02,00,00,00,01,00,00,00,74,00,32,00,8c,07,00,00,49,38,7c,01,20,00,54,48,45,\
53,49,4d,7e,32,2e,4c,4e,4b,00,00,4a,00,03,00,04,00,ef,be,49,38,7c,01,5d,38,\
cf,6c,14,00,00,00,54,00,68,00,65,00,20,00,53,00,69,00,6d,00,73,00,20,00,32,\
00,22,21,20,00,42,00,6f,00,64,00,79,00,20,00,53,00,68,00,6f,00,70,00,2e,00,\
6c,00,6e,00,6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,be,00,00,00,00,1c,00,00,\
00,00,00,00,00,00,00,90,00,00,00,05,00,00,00,82,00,00,00,41,75,67,4d,02,00,\
00,00,01,00,00,00,70,00,32,00,67,07,00,00,49,38,7c,01,20,00,54,48,45,53,49,\
4d,7e,31,2e,4c,4e,4b,00,00,46,00,03,00,04,00,ef,be,49,38,7c,01,5d,38,cf,6c,\
14,00,00,00,54,00,68,00,65,00,20,00,53,00,69,00,6d,00,73,00,22,21,20,00,32,\
00,20,00,53,00,65,00,61,00,73,00,6f,00,6e,00,73,00,2e,00,6c,00,6e,00,6b,00,\
00,00,1c,00,0e,00,00,00,0a,00,ef,be,00,00,00,00,1c,00,00,00,00,00,00,00,00,\
00,a4,00,00,00,06,00,00,00,96,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,\
84,00,32,00,34,07,00,00,49,38,7c,01,20,00,55,4e,49,4e,53,54,7e,31,2e,4c,4e,\
4b,00,00,5a,00,03,00,04,00,ef,be,49,38,7c,01,5d,38,cf,6c,14,00,00,00,55,00,\
6e,00,69,00,6e,00,73,00,74,00,61,00,6c,00,6c,00,20,00,54,00,68,00,65,00,20,\
00,53,00,69,00,6d,00,73,00,22,21,20,00,32,00,20,00,53,00,65,00,61,00,73,00,\
6f,00,6e,00,73,00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,\
be,00,00,00,00,1c,00,00,00,00,00,00,00,00,00,8a,00,00,00,07,00,00,00,7c,00,\
00,00,41,75,67,4d,02,00,00,00,01,00,00,00,6a,00,32,00,58,04,00,00,49,38,7d,\
01,20,00,57,57,57,54,48,45,7e,31,2e,4c,4e,4b,00,00,40,00,03,00,04,00,ef,be,\
49,38,7d,01,5d,38,cf,6c,14,00,00,00,77,00,77,00,77,00,2e,00,74,00,68,00,65,\
00,73,00,69,00,6d,00,73,00,32,00,2e,00,63,00,6f,00,6d,00,2e,00,6c,00,6e,00,\
6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,be,00,00,00,00,1c,00,00,00,00,00,00,\
00,00,00

[HKEY_USERS\S-1-5-21-117609710-1547161642-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\EA GAMES\T*NULL*h*NULL*e*NULL* *NULL*S*NULL*i*NULL*m*NULL*s*NULL*"! *NULL*2*NULL* *NULL*T*NULL*e*NULL*e*NULL*n*NULL* *NULL*S*NULL*t*NULL*y*NULL*l*NULL*e*NULL* *NULL*S*NULL*t*NULL*u*NULL*f*NULL*f*NULL*]
@Security="Inherited"
"Order"=hex:08,00,00,00,02,00,00,00,1e,04,00,00,01,00,00,00,07,00,00,00,98,00,\
00,00,00,00,00,00,8a,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,78,00,32,\
00,7a,00,00,00,49,38,9c,00,20,00,45,4c,45,43,54,52,7e,31,2e,55,52,4c,00,00,\
4e,00,03,00,04,00,ef,be,49,38,9c,00,5d,38,cf,6c,14,00,00,00,45,00,6c,00,65,\
00,63,00,74,00,72,00,6f,00,6e,00,69,00,63,00,20,00,52,00,65,00,67,00,69,00,\
73,00,74,00,72,00,61,00,74,00,69,00,6f,00,6e,00,2e,00,75,00,72,00,6c,00,00,\
00,1c,00,0e,00,00,00,0a,00,ef,be,00,00,00,00,1c,00,00,00,00,00,00,00,00,00,\
78,00,00,00,01,00,00,00,6a,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,58,\
00,32,00,e2,03,00,00,49,38,9c,00,20,00,52,45,41,44,4d,45,7e,31,2e,4c,4e,4b,\
00,00,2e,00,03,00,04,00,ef,be,49,38,9c,00,5d,38,cf,6c,14,00,00,00,52,00,65,\
00,61,00,64,00,20,00,4d,00,65,00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,\
00,00,0a,00,ef,be,00,00,00,00,1c,00,00,00,00,00,00,00,00,00,8c,00,00,00,02,\
00,00,00,7e,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,6c,00,32,00,09,05,\
00,00,49,38,9c,00,20,00,54,45,43,48,4e,49,7e,31,2e,4c,4e,4b,00,00,42,00,03,\
00,04,00,ef,be,49,38,9c,00,5d,38,cf,6c,14,00,00,00,54,00,65,00,63,00,68,00,\
6e,00,69,00,63,00,61,00,6c,00,20,00,53,00,75,00,70,00,70,00,6f,00,72,00,74,\
00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,be,00,00,00,00,\
1c,00,00,00,00,00,00,00,00,00,94,00,00,00,03,00,00,00,86,00,00,00,41,75,67,\
4d,02,00,00,00,01,00,00,00,74,00,32,00,dd,07,00,00,49,38,9c,00,20,00,54,48,\
45,53,49,4d,7e,32,2e,4c,4e,4b,00,00,4a,00,03,00,04,00,ef,be,49,38,9c,00,5d,\
38,cf,6c,14,00,00,00,54,00,68,00,65,00,20,00,53,00,69,00,6d,00,73,00,22,21,\
20,00,32,00,20,00,42,00,6f,00,64,00,79,00,20,00,53,00,68,00,6f,00,70,00,2e,\
00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,be,00,00,00,00,1c,00,\
00,00,00,00,00,00,00,00,a2,00,00,00,04,00,00,00,94,00,00,00,41,75,67,4d,02,\
00,00,00,01,00,00,00,82,00,32,00,e3,07,00,00,49,38,9c,00,20,00,54,48,45,53,\
49,4d,7e,31,2e,4c,4e,4b,00,00,58,00,03,00,04,00,ef,be,49,38,9c,00,5d,38,cf,\
6c,14,00,00,00,54,00,68,00,65,00,20,00,53,00,69,00,6d,00,73,00,22,21,20,00,\
32,00,20,00,54,00,65,00,65,00,6e,00,20,00,53,00,74,00,79,00,6c,00,65,00,20,\
00,53,00,74,00,75,00,66,00,66,00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,\
00,00,0a,00,ef,be,00,00,00,00,1c,00,00,00,00,00,00,00,00,00,b6,00,00,00,05,\
00,00,00,a8,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,96,00,32,00,97,07,\
00,00,49,38,9c,00,20,00,55,4e,49,4e,53,54,7e,31,2e,4c,4e,4b,00,00,6c,00,03,\
00,04,00,ef,be,49,38,9c,00,5d,38,cf,6c,14,00,00,00,55,00,6e,00,69,00,6e,00,\
73,00,74,00,61,00,6c,00,6c,00,20,00,54,00,68,00,65,00,20,00,53,00,69,00,6d,\
00,73,00,22,21,20,00,32,00,20,00,54,00,65,00,65,00,6e,00,20,00,53,00,74,00,\
79,00,6c,00,65,00,20,00,53,00,74,00,75,00,66,00,66,00,2e,00,6c,00,6e,00,6b,\
00,00,00,1c,00,0e,00,00,00,0a,00,ef,be,00,00,00,00,1c,00,00,00,00,00,00,00,\
00,00,8a,00,00,00,06,00,00,00,7c,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,\
00,6a,00,32,00,6a,04,00,00,49,38,9c,00,20,00,57,57,57,54,48,45,7e,31,2e,4c,\
4e,4b,00,00,40,00,03,00,04,00,ef,be,49,38,9c,00,5d,38,cf,6c,14,00,00,00,77,\
00,77,00,77,00,2e,00,74,00,68,00,65,00,73,00,69,00,6d,00,73,00,32,00,2e,00,\
63,00,6f,00,6d,00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,\
be,00,00,00,00,1c,00,00,00,00,00,00,00,00,00

[HKEY_USERS\S-1-5-21-117609710-1547161642-725345543-1003\Software\SecuROM\License information*NULL*]
@Security="Inherited"
"datasecu"=hex:7b,3e,9a,e7,90,5f,c7,50,33,07,70,5e,2c,ce,94,a3,e2,36,ce,63,f9,\
72,cf,5d,39,68,3b,98,a9,8c,9d,8b,b6,b2,7d,fe,f1,4d,2c,a2,f0,e4,0a,ff,af,b9,\
93,81,25,eb,7c,80,9a,e0,3f,d8,69,87,49,f6,c1,b4,63,a7,ef,69,74,4d,be,cb,ac,\
ef,05,cc,5f,af,cb,5d,64,e0,39,2e,f9,d6,ac,88,d9,bd,6a,2a,46,04,7a,74,0e,ad,\
17,fa,04,40,22,1b,20,d2,0a,7e,73,c7,0f,4f,06,1d,6e,4b,d9,30,20,9c,55,e8,be,\
e6,66,c2,26,6e,44,36,e2,59,44,c0,8d,4a,e5,0e,d0,af,2c,02,bd,a8,29,20,43,48,\
6d,b5,12,7a,5f,22,cb,e8,e8,33,ff,d4,24,69,29,78,ea,d3,0d,79,0b,bc,1e,4f,0c,\
98,7a,f8,b8,c7,e5,0a,30,c0,ab,0c,37,28,2a,ec,a7,d5,18,c9,41,a0,00,ec,28,64,\
2e,3c,22,4c,10,5c,7e,87,7b,b9,44,45,08,36,e8,5a,74,b0,8d,d7,83,3c,73,d4,75,\
ec,0b,8c,88,8a,08,84,cb,86,7c,02,33,3e,f6,94,e1,d7,cb,7a,3c,e8,1c,09,45,fe,\
ca,df,6d,c8,dd,7a,3d,66,c8,12,dd,f5,03,b2,98,cf,3e,87,e9,d1,fa,e1,83,51,f4,\
fe,89,46,30,55,df,46,50,d2,2e,dd,6c,bc,ff,b1,16,b3,35,2c,fd,9c,c9,65,9d,e1,\
66,60,4d,c3,25,e4,57,67,49,35,4d,19,f1,73,22,30,17,21,5e,29,c0,f5,00,1e,d5,\
51,dd,28,5e,13,c7,72,20,2a,b7,30,ae,9e,18,92,f9,53,81,4a,b4,7d,61,d7,50,ab,\
d3,ef,a7,af,19,6d,02,18,49,f3,eb,e7,88,14,55,14,05,4c,67,c9,61,1f,08,ed,79,\
7e,fc,a7,71,a3,a6,1c,d2,4a,73,a8,69,2d,81,54,fb,39,29,3f,b1,93,f1,f8,de,7a,\
e1,bf,62,aa,10,50,e6,d5,5b,0d,d3,10,32,16,46,bf,11,df,fd,c5,70,24,3f,6f,fe,\
82,fb,bc,f4,86,41,42,0c,ff,8c,ec,53,1a,31,cc,5f,7b,6c,98,28,32,81,33,63,4f,\
9b,7c,cb,d7,6f,6a,cc,60,cb,9e,5f,8d,72,91,c6,7d,02,9a,38,5d,d5,d6,26,0d,c3,\
f2,f2,2b,14,2d,b3,60,4f,07,d5,86,5d,22,fd,6d,46,7e,75,b2,b3,80,fc,e2,5a,f6,\
79,9b,95,ea,6c,86,56,f9,19,1b,30,2f,27,d4,ac,76,6d,ba,24,5e,01,a6,7e,81,17,\
60,be,10,5b,78,a5,ea,dc,4a,61,01,45,28,03,07,bf,cc,30,8a,d8,c2,c4,72,69,8d,\
83,c5,c6,c0,48,74,f3,b6,6d,4a,e6,56,33,4d,29,28,0b,4a,a0,1f,81,9a,59,c6,c5,\
9a,4e,e9,da,cc,15,d8,27,f1,16,6f,31,34,c7,3b,29,3b,ec,27,d8,a8,31,f7,e2,61,\
99,d7,07,67,40,6c,ee,8a,c4,ef,14,ec,0d,d4,d2,05,d1,1a,47,d6,5e,44,08,16,0c,\
6c,bc,22,0e,df,6a,cc,be,02,fd,4e,3c,8e,ff,59,17,37,67,f6,78,a4,1f,c5,d0,c8,\
20,ef,39,5e,43,c4,46,af,80,9a,24,48,e5,f7,ed,2d,71,8d,4a,bb,67,81,1d,99,0f,\
d4,a0,d0,3a,9e,a1,b7,78,a0,44,1f,e4,8e,c8,9f,32,a3,4b,9d,ac,45,46,22,0b,72,\
05,43,24,aa,87,b0,e1,03,cc,70,88,3b,5a,08,57,2f,cd,c1,6e,d0,66,65,47,9f,24,\
d4,02,fe,e3,27,99,25,6b,7d,f2,4c,f4,8f,ca,75,c6,81,b4,24,e8,0f,59,13,e8,e9,\
81,8b,51,b0,29,d1,19,7e,6f,a2,41,19,43,84,c5,16,f1,9a,e9,94,92,04,c0,79,1e,\
24,07,8f,f5,61,2e,b8,90,e2,a4,90,79,69,c8,5f,4d,74,cf,a1,99,68,7f,29,47,56,\
12,2f,87,95,d4,96,4a,7f,85,94,5c,69,71,93,32,09,47,53,0d,99,c2,28,53,c1,34,\
ba,5e,91,dc,70,c2,9e,8d,25,68,69,58,9b,3e,c2,82,64,80,28,f3,91,91,6e,8a,77,\
51,61,5c,4d,7b,f4,70,cd,87,80,ef,23,f9,07,0d,62,8f,4f,37,83,39,14,c9,7f,ef,\
65,ce,24,61,4a,ff,a3,2d,07,7c,cc,e1,89,b0,f3,a4,df,9b,88,90,fa,c0,90,7c,14,\
c1,c8,0e,23,34,af,17,39,4a,72,f3,45,31,2a,7c,25,c4,3c,ba,2c,3f,d4,9f,b9,2c,\
6c,1c,d4,cb,7b,c9,88,73,a9,46,0e,cd,f5,33,c7,82,f8,f6,4c,4b,a0,a0,d4,ea,9f,\
31,bc,69,19,9a,c0,6b,60,e3,fe,a1,cd,65,4e,76,76,d4,92,7f,07,76,8c,0d,5c,b0,\
31,e6,3f,34,6f,28,51,bd,54,c0,10,ae,99,94,59,60,ad,58,73,f3,51,20,e8,55,39,\
c1,82,98,8e,06,d7,d4,58,dc,13,5b,6e,43,dc,09,f4,2e,1e,a8,17,49,85,9e,ae,f3,\
65,7a,30,83,26,14,eb,a3,33,8f,4c,88,db,ab,80,79,1f,5f,3a,74,74,e0,a2,92,5b,\
46,0d,1e,93,ab,e2,fe,b5,c3,8a,1d,bf,38,4d,6d,2a,ec,0c,f5,b7,2a,c8,89,96,cd,\
08,3b,bb,4f,63,52,0b,e5,80,88,38,b4,c6,61,02,c3,f9,7a,fd,0f,0d,24,d0,28,05,\
77,ca,44,fb,1d,a7,af,2f,24,46,7e,17,f3,73,6b,7d,7d,63,1c,71,cd,35,8b,a0,c9,\
4d,fe,9b,e9,aa,f7,1d,d7,12,d5,75,12,32,1c,3e,38,be,e3,9d,9c,95,81,56,fb,63,\
34,09,22,c5,9b,27,8f,d3,6c,0f,89,a6,74,3d,c0,71,06,4d,e7,2d,ce,eb,e9,9a,84,\
43,19,41,73,ee,9d,b8,a1,f3,9c,bc,ae,60,bc,8a,40,09,17,59,f6,95,5c,db,44,99,\
f3,7c,a9,3b,10,b4,b7,f1,f7,a4,d8,c8,2f,65,07,d7,0a,3b,ce,7b,fb,78,8e,b0,74,\
b2,33,df,de,01,97,28,5d,a5,0c,8c,93,df,ff,a7,1b,5f,6f,48,7d,a0,7e,ee,bd,70,\
41,ea,8b,b2,e9,d4,2e,88,5e,2b,bd,6a,8c,0b,a1,b9,58,83,3e,36,88,44,0a,49,a4,\
cd,26,29,73,e9,aa,18,28,04,09,38,70,4e,aa,75,cf,0c,a2,8f,33,7c,24,f7,6f,0b,\
5a,0f,b4,93,06,f0,3f,0e,2f,c9,7e,59,17,17,ab,0e,67,ff,58,e4,64,4b,6c,12,b3,\
bc,23,a5,0d,d9,ef,38,95,d1,c8,7a,ee,19,70,2a,3c,15,0f,83,7d,40,ed,04,33,da,\
bd,d5,e4,b7,98,10,59,8b,54,7a,67,79,3f,73,03,54,14,b4,24,ba,f1,99,0e,0d,d3,\
73,8a,0a,d1,7f,3b,2c,8e,a5,30,ec,1a,39,f4,2e,93,fa,9f,83,5c,be,9f,c6,b8,89,\
e1,88,6c,fb,18,d7,b6,79,15,02,35,73,30,d2,9f,87,cd,25,a0,6e,68,b2,a3,c3,b9,\
64,ea,f6,bf,79,ed,b5,7c,82,b4,69,b3,bf,33,b7,a4,54,0f,0d,d1,c0,74,55,13,bc,\
b3,02,54,a7,42,dd,24,72,44,42,4e,dc,c5,d4,5d,5c,a1,9b,3c,3a,2b,29,63,3e,f9,\
5f,d7,d7,ce,53,d8,91,a3,c4,0b,7f,7e,61,a6,7f,54,31,49,d9,f4,70,9e,83,21,4e,\
6c,49,4e,16,c6,48,b5,2b,e2,48,ec,bd,06,2d,db,b3,e9,df,bb,71,85,01,60,3b,aa,\
d3,33,9a,51,7c,1e,b7,c3,ca,a9,81,a4,f5,e0,11,a4,fb,f6,31,39,3e,01,89,f6,dc,\
0e,d0,8d,c0,ea,41,31,f6,ec,db,e8,ae,de,1a,ec,1c,c7,db,c3,55,eb,92,2c,08,1d,\
d2,d3,f9,48,a7,fb,b4,d7,12,f5,9b,63,47,08,db,a9,ea,cd,de,26,45,2f,57,94,f2,\
49,b9,9f,1b,bc,43,b4,2d,3d,d0,f2,23,13,8a,5a,72,17,c1,cb,d5,9b,8a,23,a0,f0,\
31,ff,af,21,73,b8,09,be,39,2a,ee,13,c0,a0,f2,51,b1,8c,a4,ef,79,3b,df,b9,cf,\
22,f2,ec,cf,8f,60,91,44,a0,5c,e5,3b,a8,a2,0e,37,17,4d,a5,54,ab,d9,61,39,01,\
35,b7,37,fa,51,53,0c,ab,74,cf,3b,39,9f,e8,ec,1f,91,22,4e,24,3e,97,de,73,e2,\
5f,7f,f8,ba,88,41,54,ce,b7,7a,7c,27,2d,3a,c3,6d,7c,b7,3a,a9,27,1c,3f,d1,1e,\
6f,08,ef,f8,fc,59,ee,2a,0a,7a,83,68,4d,2d,76,ea,6b,16,8a,48,b0,f4,31,03,71,\
be,91,01,56,1e,a1,42,8d,ab,e9,fc,da,b3,ac,e4,a2,36,e9,b2,42,b2,7a,73,2e,0b,\
6e,f2,08,ea,56,31,25,cc,8c,7d,16,c4,f2,f1,a3,d5,5c,3d,85,14,15,5a,1b,b6,31,\
87,36,2b,43,9c,28,4a,c7,ae,23,c1,0e,ec,27,fb,89,32,b4,55,2c,10,8c,c1,fb,44,\
00,a3,e7,17,2d,dd,f8,7b,3e,7d,4f,f4,11,43,ed,77,e1,53,dd,33,00,e6,fa,2f,f2,\
97,ea,c7,57,19,52,23,9b,bf,09,d4,43,3d,00,b9,a1,2a,17,43,d0,11,ff,f3,cb,69,\
fc,20,39,5a,02,da,f8,e7,39,60,7c,fc,7a,97,ba,a3,29,69,05,1d,52,21,27,99,96,\
19,0c,f9,54,3b,cf,81,6f,28,e8,ed,b5,1d,3d,28,7e,95,a7,0b,00,53,25,e3,c9,0e,\
fe,e6,03,3d,7b,13,cf,9a,40,9a,3d,62,d1,47,23,07,53,3d,b5,92,02,6b,13,12,89,\
3d,3a,1b,3f,34,c2,81,f2,7d,f3,7b,e3,e1,00,ba,81,f2,29,27,96,51,8e,08,83,c3,\
6b,08,83,c3,6b,18
"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\*NULL*_ |*NULL*]
@Security="Inherited"
"DisplayName"="?\11"
"DeviceDesc"="?\11"
"ProviderName"="?\11???\11\08"
"MFG"="??\09"
"ReinstallString"="8.561.0.0000"
"DeviceInstanceIds"=multi:"c:\\ati\\support\\8-12_xp32_dd_ccc_wdm_enu_72271\\driver\\driver\\xp_inf\\cx_72271.inf\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\*NULL*u |*NULL*]
@Security="Inherited"
"DisplayName"="?\11"
"DeviceDesc"="?\11"
"ProviderName"="?\11???\11\08"
"MFG"="??\09"
"ReinstallString"="8.241.0.0"
"DeviceInstanceIds"=multi:"d:\\install\\driver\\2kxp_inf\\cx_31962.inf\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1008)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\LexBceS.exe
c:\windows\system32\Lexpps.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\program files\McAfee\VirusScan\Mcshield.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\PSIService.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-01-01 23:43:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-02 04:43:45
ComboFix2.txt 2008-12-31 17:43:12
ComboFix3.txt 2008-12-31 15:45:06

Pre-Run: 112,356,130,816 bytes free
Post-Run: 112,372,056,064 bytes free

480 --- E O F --- 2008-12-22 03:48:51
  • 0

#8
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.
  • 0

#9
thisisaperson

thisisaperson

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Well that's a problem, because I'm still having the Google redirect issue! The Vundo issues do seem to have disappeared, but just about every search engine I try is redirecting through seocash.us, and many of my bookmarks come up as "Action Cancelled" or a blank page.

I do appreciate your assistance!
  • 0

#10
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Sorry about that....kept overlooking a few of the files there.

Download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :processes
    explorer
    :files
    c:\documents and settings\Debbie\Start Menu\Programs\Startup\ChkDisk.dll
    c:\documents and settings\Debbie\Start Menu\Programs\Startup\ChkDisk.lnk
    c:\documents and settings\user\Start Menu\Programs\Startup\ChkDisk.dll
    c:\documents and settings\user\Start Menu\Programs\Startup\ChkDisk.lnk
    :command 
    [start explorer]
    [reboot]
  • Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Now, the log should be clean :)
  • 0


#11
thisisaperson

thisisaperson

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Nope, that didn't work... but I feel like we're getting closer! :) Here's the log...

========== PROCESSES ==========
Unable to kill process: explorer
========== FILES ==========
File/Folder c:\documents and settings\Debbie\Start Menu\Programs\Startup\ChkDisk.dll not found.
File/Folder c:\documents and settings\Debbie\Start Menu\Programs\Startup\ChkDisk.lnk not found.
DllUnregisterServer procedure not found in c:\documents and settings\user\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\user\Start Menu\Programs\Startup\ChkDisk.dll NOT unregistered.
c:\documents and settings\user\Start Menu\Programs\Startup\ChkDisk.dll moved successfully.
c:\documents and settings\user\Start Menu\Programs\Startup\ChkDisk.lnk moved successfully.
Error: Unable to interpret <:command > in the current context!
Error: Unable to interpret <[start explorer]> in the current context!
Error: Unable to interpret <[reboot]> in the current context!

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01042009_195240
  • 0

#12
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Still getting redirected? Run ComboFix again and post the new log here.
  • 0

#13
thisisaperson

thisisaperson

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Reran Combofix, redirect still going. Here's the latest log...

ComboFix 09-01-02.01 - user 2009-01-04 23:04:22.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.650 [GMT -5:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\autochk.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-05 to 2009-01-05 )))))))))))))))))))))))))))))))
.

2009-01-04 19:44 . 2009-01-04 19:44 <DIR> d-------- C:\_OTMoveIt
2009-01-04 15:32 . 2009-01-04 16:17 <DIR> d-------- c:\program files\ATITool
2009-01-02 10:19 . 2009-01-02 10:20 <DIR> d-------- c:\documents and settings\user\Application Data\SPORE
2009-01-02 10:08 . 2009-01-02 10:08 <DIR> d-------- c:\program files\Electronic Arts
2009-01-01 16:17 . 2009-01-01 16:17 <DIR> dr-h----- c:\documents and settings\user\Application Data\SecuROM
2008-12-31 15:14 . 2008-12-31 15:14 21,504 --ahs---- c:\documents and settings\NetworkService\protect.dll
2008-12-31 09:06 . 2008-12-31 09:06 <DIR> d-------- C:\VundoFix Backups
2008-12-31 08:47 . 2008-12-31 08:47 <DIR> d-------- c:\program files\ERUNT
2008-12-30 23:21 . 2008-12-30 23:21 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-30 23:21 . 2008-12-30 23:21 <DIR> d-------- c:\documents and settings\user\Application Data\Malwarebytes
2008-12-30 23:21 . 2008-12-30 23:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-30 23:21 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-30 23:21 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-30 16:00 . 2008-12-30 16:00 21,504 --ahs---- c:\documents and settings\Debbie\protect.dll
2008-12-30 15:47 . 2009-01-04 23:09 5,331 --a------ c:\windows\system32\Config.MPF
2008-12-30 14:41 . 2006-03-03 08:07 143,360 --a------ c:\windows\system32\dunzip32.dll
2008-12-30 14:37 . 2007-11-22 06:44 201,320 --a------ c:\windows\system32\drivers\mfehidk.sys
2008-12-30 14:37 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys
2008-12-30 14:37 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
2008-12-30 14:37 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
2008-12-30 14:37 . 2007-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
2008-12-30 14:37 . 2007-11-22 06:44 33,832 --a------ c:\windows\system32\drivers\mferkdk.sys
2008-12-30 14:36 . 2008-12-30 14:36 <DIR> d-------- c:\program files\McAfee.com
2008-12-30 14:35 . 2008-12-30 16:53 <DIR> d-------- c:\program files\McAfee
2008-12-30 14:35 . 2008-12-30 14:37 <DIR> d-------- c:\program files\Common Files\McAfee
2008-12-30 12:51 . 2008-12-30 15:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-12-30 11:55 . 2008-12-30 11:55 21,504 --ahs---- c:\documents and settings\user\protect.dll
2008-12-29 14:51 . 2008-12-29 14:51 <DIR> d-------- c:\program files\Lavasoft
2008-12-29 14:51 . 2008-12-29 14:51 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-29 14:51 . 2008-12-29 14:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-29 14:33 . 2008-12-29 14:33 <DIR> d-------- c:\documents and settings\Administrator
2008-12-25 20:44 . 2008-12-25 20:44 <DIR> d-------- C:\ProgramData
2008-12-25 20:44 . 2008-12-25 21:22 <DIR> d-------- c:\documents and settings\Debbie\Application Data\SPORE
2008-12-25 20:44 . 2008-12-25 20:44 <DIR> dr-h----- c:\documents and settings\Debbie\Application Data\SecuROM
2008-12-25 20:43 . 2009-01-02 09:57 1,026 --a------ c:\windows\system32\ealregsnapshot1.reg
2008-12-24 17:27 . 2007-08-01 22:47 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-12-23 22:30 . 2008-12-23 22:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\ATI
2008-12-23 22:26 . 2008-12-23 22:30 <DIR> d-------- c:\program files\ATI
2008-12-23 22:25 . 2008-12-23 22:26 <DIR> d-------- c:\program files\ATI Technologies
2008-12-23 22:25 . 2008-12-01 14:35 593,920 --a------ c:\windows\system32\ati2sgag.exe
2008-12-23 22:24 . 2008-12-23 22:24 <DIR> d-------- C:\ATI
2008-12-23 22:16 . 2008-12-23 22:16 <DIR> d-------- c:\windows\system32\XPSViewer
2008-12-23 22:16 . 2008-12-23 22:16 <DIR> d-------- c:\program files\MSBuild
2008-12-23 22:15 . 2008-12-23 22:16 <DIR> d-------- C:\0fa6b3ced8c5037d5b915dbf00429a8c
2008-12-23 21:57 . 2008-12-23 21:57 10 --a------ c:\windows\WININIT.INI
2008-12-23 21:48 . 2008-12-23 22:00 <DIR> d-------- c:\windows\SxsCaPendDel
2008-12-17 22:15 . 2008-12-17 22:15 0 --a------ c:\windows\ativpsrm.bin
2008-12-16 13:18 . 2008-12-16 13:18 <DIR> d-------- c:\documents and settings\Debbie\Application Data\World-LooM
2008-12-08 11:19 . 2008-12-08 11:21 <DIR> d-------- c:\documents and settings\user\Application Data\Juniper Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-05 00:40 --------- d-----w c:\documents and settings\user\Application Data\Skype
2009-01-02 15:08 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-25 05:07 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-25 04:20 --------- d-----w c:\documents and settings\All Users\Application Data\BigFishGamesCache
2008-12-18 17:26 --------- d-----w c:\program files\Mystery Case Files - Huntsville
2008-12-12 13:21 --------- d-----w c:\program files\Java
2008-12-07 02:44 --------- d-----w c:\program files\Common Files\Adobe
2008-12-07 02:44 --------- d-----w c:\documents and settings\user\Application Data\AdobeUM
2008-12-04 20:51 --------- d-----w c:\program files\Restaurant Rush
2008-12-01 22:13 3,452,928 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2008-12-01 19:51 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2008-11-29 15:07 --------- d-----w c:\program files\Logitech
2008-11-29 15:07 --------- d-----w c:\program files\Common Files\Remote Control Software Common
2008-11-29 15:06 127,034 ------r c:\windows\bwUnin-8.1.1.50-8876480SL.exe
2008-11-29 15:06 --------- d-----w c:\program files\Common Files\Remote Control USB Driver
2008-11-27 13:45 --------- d-----w c:\program files\Microsoft Silverlight
2008-11-10 05:50 --------- d-----w c:\program files\Google
2008-11-09 16:41 --------- d-----w c:\program files\ReflexiveArcade
2008-11-08 16:11 --------- d-----w c:\documents and settings\Debbie\Application Data\GameHouse
2008-11-08 16:03 --------- d-----w c:\program files\GameHouse
2008-11-08 05:39 --------- d-----w c:\program files\Shockwave.com
2008-11-07 01:51 --------- d-----w c:\program files\bfgclient
2007-11-22 22:06 32 ----a-r c:\documents and settings\All Users\hash.dat
2004-07-19 02:27 372,736 ----a-w c:\program files\putty.exe
2009-01-02 04:51 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-01-02 04:51 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-02 04:51 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-01-02 04:51 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-01-02 04:51 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2007-12-05 18:35 88 --sha-r c:\windows\system32\575DF840AB.sys
2007-12-05 18:35 2,828 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( [email protected]_10.44.04.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-31 15:22:49 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-05 03:07:40 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-31 15:22:49 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-05 03:07:40 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-11-10 13:08:50 24,064 ----a-w c:\windows\system32\drivers\ATITool.sys
- 2008-12-31 15:37:08 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_1f4.dat
+ 2009-01-05 04:11:29 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_1f4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"autochk"="c:\docume~1\NETWOR~1\protect.dll" [2008-12-31 21504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-06-07 9129984]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\2\printray.exe" [2001-03-27 36864]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"autochk"="c:\windows\system32\autochk.dll" [2009-01-04 21504]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 c:\windows\LOGI_MWX.EXE]

c:\documents and settings\user\Start Menu\Programs\Startup\
ChkDisk.dll [2009-01-04 21504]
ChkDisk.lnk - c:\windows\system32\rundll32.exe [2006-03-15 33280]
Wallpaper Changer.lnk - c:\program files\WallpaperToy\Wallpapertoy.Exe [2007-09-02 110592]

c:\documents and settings\Debbie\Start Menu\Programs\Startup\
ChkDisk.dll [2009-01-04 21504]
ChkDisk.lnk - c:\windows\system32\rundll32.exe [2006-03-15 33280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-11-29 67128]
VPN Client.lnk - c:\windows\Installer\{176130BC-99A1-41FE-A78B-56045E33AD70}\Icon3E5562ED7.ico [2007-03-05 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.mpng"= c:\program files\[email protected]\0.956\686\tabdec.dll
"vidc.mjpg"= c:\program files\[email protected]\0.956\686\tabdec.dll
"vidc.mvjp"= c:\program files\[email protected]\0.956\686\tabdec.dll
"vidc.444p"= c:\program files\[email protected]\0.956\686\tabdec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\FileZilla\\FileZilla.exe"=
"c:\\ftp\\WS_FTP32.EXE"=
"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"c:\\Program Files\\Macromedia\\Flash MX\\Flash.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Railroads!\\RailRoads.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.
Contents of the 'Scheduled Tasks' folder

2008-12-30 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-12-30 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.15westbellamy.com/home/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

c:\windows\Downloaded Program Files\stg_drm.ocx - c:\windows\Downloaded Program Files\CONFLICT.1\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.2\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.3\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.4\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.5\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.6\stg_drm.ocx
O16 -: {149E45D8-163E-4189-86FC-45022AB2B6C9}
file://c:\program files\Jewelleria\Images\stg_drm.ocx
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\p0xsdzkl.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-04 23:11:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-117609710-1547161642-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Electronic Arts\S*NULL*P*NULL*O*NULL*R*NULL*E*NULL*"!]
"Order"=hex:08,00,00,00,02,00,00,00,76,02,00,00,01,00,00,00,05,00,00,00,78,00,\
00,00,00,00,00,00,6a,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,58,00,32,\
00,46,08,00,00,22,3a,4e,7a,20,00,45,41,48,45,4c,50,7e,31,2e,4c,4e,4b,00,00,\
2e,00,03,00,04,00,ef,be,22,3a,4e,7a,22,3a,4e,7a,14,00,00,00,45,00,41,00,20,\
00,48,00,65,00,6c,00,70,00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,00,00,\
0a,00,ef,be,00,00,00,00,1c,00,00,00,00,00,00,00,00,00,78,00,00,00,01,00,00,\
00,6a,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,58,00,32,00,be,05,00,00,\
22,3a,4e,7a,20,00,52,45,41,44,4d,45,7e,31,2e,4c,4e,4b,00,00,2e,00,03,00,04,\
00,ef,be,22,3a,4e,7a,22,3a,4e,7a,14,00,00,00,52,00,65,00,61,00,64,00,20,00,\
4d,00,65,00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,be,00,\
00,00,00,1c,00,00,00,00,00,00,00,00,00,7c,00,00,00,02,00,00,00,6e,00,00,00,\
41,75,67,4d,02,00,00,00,01,00,00,00,5c,00,32,00,6d,06,00,00,22,3a,4e,7a,20,\
00,53,50,4f,52,45,43,7e,31,2e,4c,4e,4b,00,00,32,00,03,00,04,00,ef,be,22,3a,\
4e,7a,22,3a,4e,7a,14,00,00,00,53,00,70,00,6f,00,72,00,65,00,2e,00,63,00,6f,\
00,6d,00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,be,00,00,\
00,00,1c,00,00,00,00,00,00,00,00,00,74,00,00,00,03,00,00,00,66,00,00,00,41,\
75,67,4d,02,00,00,00,01,00,00,00,54,00,32,00,58,07,00,00,22,3a,4e,7a,20,00,\
53,50,4f,52,45,7e,31,2e,4c,4e,4b,00,2c,00,03,00,04,00,ef,be,22,3a,4e,7a,22,\
3a,4e,7a,14,00,00,00,53,00,50,00,4f,00,52,00,45,00,22,21,2e,00,6c,00,6e,00,\
6b,00,00,00,1a,00,0e,00,00,00,0a,00,ef,be,00,00,00,00,1a,00,00,00,00,00,00,\
00,00,00,8a,00,00,00,04,00,00,00,7c,00,00,00,41,75,67,4d,02,00,00,00,01,00,\
00,00,6a,00,32,00,d3,07,00,00,22,3a,4e,7a,20,00,55,4e,49,4e,53,54,7e,31,2e,\
4c,4e,4b,00,00,40,00,03,00,04,00,ef,be,22,3a,4e,7a,22,3a,4e,7a,14,00,00,00,\
55,00,6e,00,69,00,6e,00,73,00,74,00,61,00,6c,00,6c,00,20,00,53,00,50,00,4f,\
00,52,00,45,00,22,21,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,00,00,0a,00,\
ef,be,00,00,00,00,1c,00,00,00,00,00,00,00,00,00

[HKEY_USERS\S-1-5-21-117609710-1547161642-725345543-1003\Software\SecuROM\License information*NULL*]
"datasecu"=hex:
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1012)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\LexBceS.exe
c:\windows\system32\Lexpps.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\program files\McAfee\VirusScan\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\PSIService.exe
c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-01-04 23:17:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-05 04:17:24
ComboFix2.txt 2009-01-02 04:43:57
ComboFix3.txt 2008-12-31 17:43:12
ComboFix4.txt 2008-12-31 15:45:06

Pre-Run: 112,227,164,160 bytes free
Post-Run: 112,275,386,368 bytes free

351 --- E O F --- 2008-12-22 03:48:51

#14
thisisaperson

    New Member

  • Topic Starter
  • Member
  • 9 posts
PROBLEM SOLVED!!!

My brother examined the system and managed to get rid of the offending files. We had to boot the system with a boot disk, and then remove three filenames:
chkdisk.dll
autochk.dll
protect.dll
All three were 21KB in size.

There were several copies of each in several places, so it was a matter of finding all three in all their locations. But once we got them all and ran a registry cleaner, all the problems appear to be gone.

greyknight, I sincerely appreciate all your help with this. Hopefully the above information can be useful to others dealing with this bug.

Thanks!!!
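A defender-side way to locate every copy of the three files the poster names (and to answer the question of where they were hiding), as an added example that is not part of the thread: it walks a tree, matches the reported names case-insensitively, flags the reported 21 KB size, and groups identical copies by hash. The sample tree, the filler bytes and the same-named decoy are constructed here for the demo.

```python
import hashlib
import os
import tempfile

# Names the poster reports removing; the 21 KB size is only a hint, not proof.
SUSPECT_NAMES = {"chkdisk.dll", "autochk.dll", "protect.dll"}
REPORTED_SIZE_KB = 21


def hunt_suspect_files(root):
    """Walk root and return one dict per file whose name matches a reported
    name (case-insensitive, as on NTFS), with size, SHA-256 and a size flag.
    A name match is a lead for analysis, not a verdict on its own."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in SUSPECT_NAMES:
                continue
            path = os.path.join(dirpath, name)
            size = os.path.getsize(path)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            hits.append({"path": path, "size": size, "sha256": digest,
                         "size_matches": size // 1024 == REPORTED_SIZE_KB})
    return hits


def group_by_hash(hits):
    """Group hits by content hash so identical copies dropped in several
    folders (as the poster saw) show up as one family of paths."""
    groups = {}
    for hit in hits:
        groups.setdefault(hit["sha256"], []).append(hit["path"])
    return groups


def build_demo_tree():
    """Constructed sample tree, not a real infection: three identical 21 KB
    copies under different folders plus one same-named decoy of another size."""
    root = tempfile.mkdtemp(prefix="vundo_demo_")
    body = b"\x00" * (REPORTED_SIZE_KB * 1024)  # constructed filler bytes
    for rel in (("WINDOWS", "system32", "chkdisk.dll"), ("WINDOWS", "AUTOCHK.DLL"),
                ("Documents and Settings", "user", "protect.dll")):
        os.makedirs(os.path.join(root, *rel[:-1]), exist_ok=True)
        with open(os.path.join(root, *rel), "wb") as fh:
            fh.write(body)
    with open(os.path.join(root, "WINDOWS", "chkdisk.dll"), "wb") as fh:
        fh.write(b"decoy")  # right name, wrong size and a different hash
    return root


if __name__ == "__main__":
    for sha, paths in group_by_hash(hunt_suspect_files(build_demo_tree())).items():
        print(sha[:16], len(paths), "copies:", paths)
```

On a real machine you would point `hunt_suspect_files` at the system drive (ideally from a boot disk or offline mount, as the poster did) and compare the hashes across the copies before deleting anything.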

#15
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
No problem. I'm glad you guys figured out the files responsible for this mess. Do you or your brother remember where they were located? They usually like to hide in the Windows or system32 folder, but sometimes they find another area to prevent us from finding it.