Tech Support Forum > Security Center > HijackThis Log Help > Resolved HJT Threads
#1 - 10-16-2007, 05:59 PM - Gamer_zr (Registered User; Join Date: Oct 2007; Posts: 5; OS: WinXP, SP2)


res://C:\WINDOWS\system32\shdoclc.dll/navcancl.htm# and more.

Hi,

My computer's had lots of problems. Help would be greatly appreciated.
Here is my log file.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:50:24 PM, on 10/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ccmsetup\ccmsetup.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ec36d3bb] rundll32.exe "C:\WINDOWS\system32\ievbqrpb.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [SpyShredder] C:\Program Files\SpyShredder\SpyShredder.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: Registration TMNT.LNK = C:\Program Files\Ubisoft\TMNT\Registration\RegistrationReminder.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1153248570553
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = academic.remingtonadmin.edu
O17 - HKLM\Software\..\Telephony: DomainName = academic.remingtonadmin.edu
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O24 - Desktop Component 0: (no name) - http://rds.yahoo.com/_ylt=A0Je5x5bbt...ING/Woman6.jpg

--
End of file - 7795 bytes


------------------------------------------------------------------------
And here is my Panda scan log



Incident Status Location

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\tykgbily.dll
Spyware:spyware/virtumonde Not disinfected Windows Registry
Adware:adware/bravesentry Not disinfected Windows Registry
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Ashley.Traylor\Cookies\ashley.traylor@atwola[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Home\Cookies\home@adrevolver[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Home\Cookies\home@atwola[1].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Home\Cookies\home@bravenet[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Home\Cookies\home@did-it[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\patricia.western\Cookies\patricia.western@ad.yieldmanager[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\patricia.western\Cookies\patricia.western@adrevolver[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\patricia.western\Cookies\patricia.western@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\patricia.western\Cookies\patricia.western@atdmt[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\patricia.western\Cookies\patricia.western@bs.serving-sys[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\patricia.western\Cookies\patricia.western@com[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\patricia.western\Cookies\patricia.western@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\patricia.western\Cookies\patricia.western@fastclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\patricia.western\Cookies\patricia.western@fastclick[3].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\patricia.western\Cookies\patricia.western@mediaplex[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\patricia.western\Cookies\patricia.western@questionmarket[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\patricia.western\Cookies\patricia.western@serving-sys[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\patricia.western\Cookies\patricia.western@tribalfusion[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\patricia.western\Cookies\patricia.western@zedo[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\patricia.western\Cookies\patricia[3].txt
Adware:Adware/VideoPlugin Not disinfected C:\Documents and Settings\patricia.western\Local Settings\Temp\BIT14.tmp[ac8zt2/wmpconf.dll]
Adware:Adware/VideoPlugin Not disinfected C:\Documents and Settings\patricia.western\Local Settings\Temp\BIT1D.tmp[ac8zt2/duocore.dll]
Adware:Adware/VideoPlugin Not disinfected C:\Documents and Settings\patricia.western\Local Settings\Temp\BIT1D.tmp[ac8zt2/wmpconf.dll]
Adware:Adware/SecurityError Not disinfected C:\Documents and Settings\patricia.western\Local Settings\Temp\BIT46.tmp
Adware:Adware/VideoPlugin Not disinfected C:\Documents and Settings\patricia.western\Local Settings\Temp\BIT61.tmp[ac8zt2/wmpconf.dll]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\patricia.western\Local Settings\Temp\Cookies\patricia.western@atwola[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\patricia.western\Local Settings\Temp\Cookies\patricia[7].txt
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Documents and Settings\patricia.western\Local Settings\Temp\NERO13390\Toolbar.exe
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Cookies\patricia.western@apmebf[1].txt
Adware:Adware/VideoPlugin Not disinfected C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Local Settings\Temp\BIT4D.tmp[ac8zt2/duocore.dll]
Adware:Adware/VideoPlugin Not disinfected C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Local Settings\Temp\BIT4D.tmp[ac8zt2/wmpconf.dll]
Adware:Adware/VideoPlugin Not disinfected C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Local Settings\Temp\BIT83.tmp[ac8zt2/wmpconf.dll]
Adware:Adware/VideoPlugin Not disinfected C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Local Settings\Temp\BIT8D.tmp[ac8zt2/wmpconf.dll]
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ghmowtqo.dll
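The entries in the log above that a log helper homes in on are the HKLM Run value `ec36d3bb`, which uses rundll32.exe to load a DLL with a random eight-letter name (ievbqrpb.dll) out of system32, and the HKCU value `Windows update loader` pointing at C:\Windows\xpupdate.exe; the Panda scan in the same post names the family as Virtumonde. The script below is an added example written for this page by the editor (it is not part of HijackThis, ComboFix, or any post in the thread). It applies those checks to excerpts copied from the two HijackThis logs posted in this thread, diffs the Run entries between the two scans to show the DLL behind `ec36d3bb` being regenerated (ievbqrpb.dll on 16 Oct, yfpjanri.dll on 21 Oct), and pulls the extra LSA authentication package (ssqol.dll) from the ComboFix log posted later. The heuristics it uses (an 8-hex-digit value name, rundll32 plus an eight-letter DLL from system32, a Run value named after Windows Update) are the editor's assumptions, not rules from any tool.

```python
import re

# Excerpts copied from the two HijackThis logs posted in this thread
# (first post, 16 Oct 2007; reply #4, 21 Oct 2007). Only the lines the
# checks below care about are reproduced.
HJT_LOG_OCT16 = r"""
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ec36d3bb] rundll32.exe "C:\WINDOWS\system32\ievbqrpb.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
"""
HJT_LOG_OCT21 = r"""
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ec36d3bb] rundll32.exe "C:\WINDOWS\system32\yfpjanri.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""
# Excerpt from the "Reg Loading Points" section of the ComboFix log in reply #4.
COMBOFIX_OCT21 = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ssqol.dll
"""

O4_RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$", re.M)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?,(\S*)', re.I)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")
EIGHT_LETTER_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")
AUTH_PKG_RE = re.compile(r'^"Authentication Packages"=\s*(.*)$', re.M)


def parse_o4(log_text):
    """Return [(hive, value_name, command)] for every HKLM/HKCU Run entry."""
    return [m.groups() for m in O4_RUN_RE.finditer(log_text)]


def triage_o4(log_text):
    """Return [(value_name, command, [reasons])] for Run entries worth a closer look.

    Heuristics (editor's assumptions, not HijackThis rules): a value name that is
    8 hex digits instead of a product name; rundll32 loading an eight-letter DLL
    straight out of system32 (legitimate eight-letter DLLs such as browseui.dll
    exist, so this only fires for rundll32 launched from a Run key); a Run value
    claiming to be Windows Update, which runs as the wuauserv service instead.
    """
    findings = []
    for _hive, name, cmd in parse_o4(log_text):
        reasons = []
        if HEX_NAME_RE.match(name):
            reasons.append("value name is 8 hex digits, not a product name")
        m = RUNDLL_RE.search(cmd)
        if m:
            dll, export = m.groups()
            base = dll.rsplit("\\", 1)[-1].lower()
            if "\\system32\\" in dll.lower() and EIGHT_LETTER_DLL_RE.match(base):
                reasons.append("rundll32 loads eight-letter DLL %s from system32 (export %r)" % (base, export))
        if "windows update" in name.lower():
            reasons.append("Windows Update never registers a Run value")
        if reasons:
            findings.append((name, cmd, reasons))
    return findings


def compare_run_values(old_log, new_log):
    """Diff Run entries between two scans. A value that keeps its name but points
    at a different random DLL is the signature of a dropper that regenerates its
    payload between reboots, as ec36d3bb does between the two logs here."""
    old = {(h, n): c for h, n, c in parse_o4(old_log)}
    new = {(h, n): c for h, n, c in parse_o4(new_log)}
    return {
        "changed": {k: (old[k], new[k]) for k in sorted(old.keys() & new.keys()) if old[k] != new[k]},
        "removed": sorted(old.keys() - new.keys()),
        "added": sorted(new.keys() - old.keys()),
    }


def extra_auth_packages(combofix_text):
    """LSA authentication packages beyond the stock msv1_0. Anything listed here
    is loaded into lsass.exe at boot, which is how ssqol.dll persisted."""
    m = AUTH_PKG_RE.search(combofix_text)
    return [p for p in m.group(1).split() if p.lower() != "msv1_0"] if m else []


if __name__ == "__main__":
    for name, cmd, reasons in triage_o4(HJT_LOG_OCT16):
        print("[%s] %s\n    %s" % (name, cmd, "; ".join(reasons)))
    diff = compare_run_values(HJT_LOG_OCT16, HJT_LOG_OCT21)
    for key, (before, after) in diff["changed"].items():
        print("changed %s: %s -> %s" % (key, before, after))
    print("removed:", diff["removed"])
    print("extra LSA packages:", extra_auth_packages(COMBOFIX_OCT21))
```

Run as-is it prints the two flagged entries from the first log, the changed `ec36d3bb` command, the `Windows update loader` value that vanished between scans, and the ssqol.dll authentication package. Paste a full HijackThis log into the string constants to run the same checks on a real scan; the diff is the useful part, since a clean removal leaves no Run value changing its target between reboots.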
#2 - 10-19-2007, 04:23 PM - Gamer_zr (Registered User; Join Date: Oct 2007; Posts: 5; OS: WinXP, SP2)


Re: res://C:\WINDOWS\system32\shdoclc.dll/navcancl.htm# and more.

Bump.
#3 - 10-20-2007, 08:01 PM - forhockey (Analyst, Security Team; Join Date: Sep 2006; Location: Ontario, Canada; Posts: 2,584; OS: Windows XP Pro)


Re: res://C:\WINDOWS\system32\shdoclc.dll/navcancl.htm# and more.

Hi and welcome to TSF.

Please subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Add Subscription.

--------------------------------------------------------------
  1. Download combofix.exe to your desktop.
  2. Disconnect from the internet....pull the plug!
  3. Disable the real-time protection of your Anti-Virus. Exit the program via the System Tray icon.
  4. Double click on combofix.exe & follow the prompts. Type "1" and press Enter to begin the scan.
  5. When finished, it shall produce a log for you ( C:\ComboFix.txt ). Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it is running; that may cause it to stall.


    --------------------------------------------------------------
  6. Re-enable your Anti-Virus if it is not active (a reboot should have re-activated it).
  7. Re-establish an internet connection.
  8. Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

    --------------------------------------------------------------
#4 - 10-21-2007, 10:09 AM - Gamer_zr (Registered User; Join Date: Oct 2007; Posts: 5; OS: WinXP, SP2)


Re: res://C:\WINDOWS\system32\shdoclc.dll/navcancl.htm# and more.

Here is the ComboFix log


ComboFix 07-10-21.2 - Patricia.Western 2007-10-21 10:55:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.99 [GMT -5:00]
Running from: C:\Documents and Settings\patricia.western\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\dat.txt
C:\WINDOWS\system32\afoylrmr.dll
C:\WINDOWS\system32\bqevgbrp.dll
C:\WINDOWS\system32\exkgijgy.dll
C:\WINDOWS\system32\igcugkhk.dll
C:\WINDOWS\system32\iueunswt.dll
C:\WINDOWS\system32\jponqygn.dll
C:\WINDOWS\system32\jsvogxoc.dll
C:\WINDOWS\system32\kmybxbaw.dll
C:\WINDOWS\system32\loqss.bak1
C:\WINDOWS\system32\loqss.bak2
C:\WINDOWS\system32\loqss.ini
C:\WINDOWS\system32\loqss.ini2
C:\WINDOWS\system32\loqss.tmp
C:\WINDOWS\system32\mfwfseyh.dll
C:\WINDOWS\system32\mqylgfrr.dll
C:\WINDOWS\system32\mrjwweav.dll
C:\WINDOWS\system32\pvraskis.dll
C:\WINDOWS\system32\quboexno.dll
C:\WINDOWS\system32\sgqatgey.dll
C:\WINDOWS\system32\ssqol.dll
C:\WINDOWS\system32\tqqtdtma.dll
C:\WINDOWS\system32\twumljln.dll
C:\WINDOWS\system32\uitvojwn.dll
C:\WINDOWS\system32\wowxubuq.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-21 to 2007-10-21 )))))))))))))))))))))))))))))))
.

2007-10-21 10:53 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-21 09:42 67,136 --a------ C:\WINDOWS\system32\yfpjanri.dll
2007-10-19 17:18 67,136 --a------ C:\WINDOWS\system32\paxqdpfe.dll
2007-10-18 21:22 83,008 --a------ C:\WINDOWS\system32\vkgdautk.dll
2007-10-18 18:49 <DIR> d-------- C:\ZonedOut
2007-10-18 13:58 83,008 --a------ C:\WINDOWS\system32\buubcgae.dll
2007-10-17 20:30 <DIR> d-------- C:\Program Files\7-Zip
2007-10-17 05:52 <DIR> d-------- C:\ie-spyad_zo
2007-10-15 20:51 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-15 19:38 <DIR> d-------- C:\Program Files\VideoLAN
2007-10-15 18:42 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-15 18:27 <DIR> d-------- C:\HJT
2007-10-14 18:39 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-13 14:32 23,126 --a------ C:\WINDOWS\War3Unin.dat
2007-10-13 14:27 <DIR> d-------- C:\Program Files\Warcraft III
2007-10-08 18:03 35,840 --a------ C:\WINDOWS\system32\xxywxwt.dll
2007-10-06 13:23 <DIR> d-------- C:\WINDOWS\Sun
2007-10-06 08:18 <DIR> d-------- C:\Documents and Settings\patricia.western\Application Data\TMNT
2007-10-02 21:19 <DIR> d-------- C:\Documents and Settings\patricia.western\Application Data\DivX
2007-10-02 21:05 <DIR> d-------- C:\Documents and Settings\patricia.western\Application Data\Talkback
2007-10-02 21:04 <DIR> d-------- C:\Program Files\DivX
2007-10-01 18:53 <DIR> d-------- C:\Program Files\directx
2007-09-28 11:08 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-28 11:07 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-09-28 11:07 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-09-28 11:07 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-09-28 11:07 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-20 02:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-10-20 01:02 --------- d-----w C:\Documents and Settings\patricia.western\Application Data\MegauploadToolbar
2007-10-16 02:53 --------- d-----w C:\Program Files\MegauploadToolbar
2007-10-16 02:52 --------- d-----w C:\Program Files\Google
2007-10-14 23:07 --------- d-----w C:\Program Files\Java
2007-10-14 05:01 --------- d-----w C:\Documents and Settings\patricia.western\Application Data\dvdcss
2007-10-11 21:49 --------- d-----w C:\Documents and Settings\patricia.western\Application Data\LimeWire
2007-10-06 23:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-25 00:47 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-21 13:31 --------- d-----w C:\Documents and Settings\patricia.western\Application Data\AdobeUM
2007-09-18 10:18 --------- d-----w C:\Documents and Settings\patricia.western\Application Data\IDM
2007-09-18 10:18 --------- d-----w C:\Documents and Settings\patricia.western\Application Data\DMCache
2007-09-16 08:31 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-09-16 07:46 --------- d-----w C:\Program Files\Common Files\AVSMedia
2007-09-16 07:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVS4YOU
2007-09-16 01:59 --------- d-----w C:\Program Files\Common Files\xing shared
2007-09-16 01:59 --------- d-----w C:\Program Files\Common Files\Real
2007-09-16 01:58 --------- d-----w C:\Program Files\Real
2007-09-11 20:35 --------- d-----w C:\Program Files\Xvid
2007-09-11 20:25 --------- d-----w C:\Documents and Settings\patricia.western\Application Data\Media Player Classic
2007-09-11 20:20 --------- d-----w C:\Documents and Settings\patricia.western\Application Data\vlc
2007-09-07 02:44 --------- d-----w C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR
2007-09-06 21:19 --------- d-----w C:\Documents and Settings\patricia.western\Application Data\U3
2007-09-03 01:41 --------- d-----w C:\Documents and Settings\patricia.western\Application Data\Yahoo!
2007-09-01 04:48 223,128 ----a-w C:\WINDOWS\system32\drivers\vaxscsi.sys
2007-09-01 04:41 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-08-29 01:13 --------- d-----w C:\Program Files\Common Files\DirectX
2007-08-25 02:24 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-08-24 18:37 --------- d-----w C:\Documents and Settings\patricia.western\Application Data\SEGA
2007-08-24 03:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-08-24 03:43 33,824 ----a-w C:\WINDOWS\system32\drivers\oreans32.sys
2007-08-23 20:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
2007-08-23 19:00 --------- d-----w C:\Documents and Settings\patricia.western\Application Data\Ahead
2007-08-23 18:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 09:11]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-09-23 12:41]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-13 09:12 C:\WINDOWS\AGRSMMSG.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-20 06:50]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-25 05:32]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-25 05:29]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-25 05:32]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-08-18 08:00]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 03:50]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 09:48]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-04-27 05:33]
"WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [2005-03-09 14:54]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 07:00]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-15 20:58]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"ec36d3bb"="C:\WINDOWS\system32\yfpjanri.dll" [2007-10-21 09:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-07-16 16:17]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []
"SpyShredder"="C:\Program Files\SpyShredder\SpyShredder.exe" []
"Steam"="C:\Program Files\Valve\Steam\Steam.exe" []

C:\Documents and Settings\patricia.western\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2007-08-16 17:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DVD Check.lnk - C:\Program Files\InterVideo\DVD Check\DVDCheck.exe [2006-07-19 11:08:55]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-09-15 20:57:38]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywxwt]
xxywxwt.dll 2007-10-08 18:03 35840 C:\WINDOWS\system32\xxywxwt.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ssqol.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\academic.remingtonadmin.edu\netlogon\AddAdmin.vbs

R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe
R2 ccmsetup;ccmsetup;"C:\WINDOWS\system32\ccmsetup\ccmsetup.exe" /runservice /config:MobileClient.tcf
R2 Wuser32;SMS Remote Control Agent;C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
R3 idisw2km;idisw2km;C:\WINDOWS\system32\DRIVERS\idisw2km.sys
R3 kbstuff;SMS Virtual Keyboard;C:\WINDOWS\system32\DRIVERS\kbstuff5.sys
R3 prepdrvr;SMS Process Event Driver;\??\C:\WINDOWS\system32\CCM\prepdrv.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1697ab20-5cbe-11dc-bf4c-0014a56ef406}]
AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{99824d10-5c07-11dc-bf48-0014a56ef406}]
Auto\command - E:\infrom.exe
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a5bae5b6-7c42-11dc-bfc9-0014a56ef406}]
Auto\command - infrom.exe
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b404d19d-4cf6-11dc-bf0d-0014a56ef406}]
Auto\command - E:\infrom.exe
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-10-21 16:02:49 C:\WINDOWS\Tasks\SDMsgUpdate (TE).job"
- C:\PROGRA~1\SMARTD~1\Messages\SDNotify.exe
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-21 11:03:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\ccmsetup]
"ImagePath"="\"C:\WINDOWS\system32\ccmsetup\ccmsetup.exe\" /runservice /config:MobileClient.tcf"
.
Completion time: 2007-10-21 11:04:59 - machine was rebooted
.
--- E O F ---


------------------------------------------------------------------------
Here is the HijackThis log



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:06, on 2007-10-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ccmsetup\ccmsetup.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ec36d3bb] rundll32.exe "C:\WINDOWS\system32\yfpjanri.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpyShredder] C:\Program Files\SpyShredder\SpyShredder.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: Registration TMNT.LNK = C:\Program Files\Ubisoft\TMNT\Registration\RegistrationReminder.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1153248570553
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = academic.remingtonadmin.edu
O17 - HKLM\Software\..\Telephony: DomainName = academic.remingtonadmin.edu
O20 - Winlogon Notify: xxywxwt - C:\WINDOWS\SYSTEM32\xxywxwt.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O24 - Desktop Component 0: (no name) - http://rds.yahoo.com/_ylt=A0Je5x5bbt...ING/Woman6.jpg

--
End of file - 8864 bytes
Gamer_zr
Old 10-21-2007, 11:06 AM   #5
Analyst, Security Team
forhockey
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,584
OS: Windows XP Pro


Re: res://C:\WINDOWS\system32\shdoclc.dll/navcancl.htm# and more.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

--------------------------------------------------------------

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist):

MegauploadToolbar
Trymedia

--------------------------------------------------------------

Open Notepad and copy/paste the text in the quote box below into it:

Quote:
KILLALL::

File::
C:\WINDOWS\system32\yfpjanri.dll
C:\WINDOWS\system32\paxqdpfe.dll
C:\WINDOWS\system32\vkgdautk.dll
C:\WINDOWS\system32\buubcgae.dll
C:\WINDOWS\system32\xxywxwt.dll
C:\WINDOWS\system32\tykgbily.dll
C:\WINDOWS\system32\ghmowtqo.dll
C:\Windows\System32\ccPrxy.exe
C:\Windows\ldup.exe
C:\Windows\infrom.dat
E:\infrom.exe

Folder::
C:\Documents and Settings\patricia.western\Application Data\MegauploadToolbar
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR
C:\Documents and Settings\All Users\Application Data\Trymedia

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ec36d3bb"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpyShredder"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywxwt]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{99824d10-5c07-11dc-bf48-0014a56ef406}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a5bae5b6-7c42-11dc-bfc9-0014a56ef406}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b404d19d-4cf6-11dc-bf0d-0014a56ef406}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}]
Save this as CFScript


Referring to the picture above, drag CFScript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Warning:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

--------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

--------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" * The download of the 8 MB Panda's ActiveX control will take place *
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


--------------------------------------------------------------

How is your system behaving now?

--------------------------------------------------------------

Please reply back with the following logs:

C:\ComboFix.txt
New HiJackThis log
Panda Online Scan Results
How is your system behaving?
Last edited by forhockey : 10-21-2007 at 11:10 AM.
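As an added example (not code from HijackThis, ComboFix, or forhockey's post), here is a small Python triage helper for the two persistence entries the CFScript above targets: the hex-named HKLM Run value that loads a system32 DLL through rundll32 with a one-letter export, and the non-stock Winlogon Notify package. It parses the relevant HJT lines, renders the matching File:: and Registry:: sections in the CFScript syntax used above, and compares a follow-up log against the original so you can confirm the flagged entries are actually gone. The sample lines are copied from the two logs in this thread; the stock-package allowlist, the hex-name and short-export heuristics, and the regular expressions are my assumptions, and the allowlist in particular will need vendor entries added for real machines.

```python
"""Triage helpers for HijackThis (HJT) logs: flag the entry types the fix
above targets, emit the matching ComboFix CFScript sections, and verify the
follow-up log. Added example; not HJT's or ComboFix's own code."""
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (HJT line, reason it was flagged)

# Stock Windows XP Winlogon\Notify packages. Assumption: a starting allowlist
# only; extend it with the vendor packages (graphics drivers, WGA, ...) that
# are legitimately present on the machines you handle.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "dimsntfy", "sccertprop",
    "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# HJT abbreviates the Run keys; these are the full paths CFScript needs.
RUN_KEYS = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,(?P<export>\S+)$', re.I)
ENTRY_RE = re.compile(r"^[RFNO]\d+ - ")

# Constructed sample: lines copied from the two HJT logs in this thread.
SAMPLE_BEFORE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ec36d3bb] rundll32.exe "C:\WINDOWS\system32\yfpjanri.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: xxywxwt - C:\WINDOWS\SYSTEM32\xxywxwt.dll
"""
# The post-fix log in the thread no longer carries the two bad entries.
SAMPLE_AFTER = "\n".join(l for l in SAMPLE_BEFORE.splitlines()
                         if "ec36d3bb" not in l and "xxywxwt" not in l)


def triage(log_text: str) -> List[Finding]:
    """Heuristics for the two persistence tricks seen above: a Run value with a
    bare hex name that loads a DLL through rundll32 by a one-letter export, and
    a Winlogon Notify package that is not a stock one (assumed allowlist)."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            if re.fullmatch(r"[0-9a-fA-F]{6,}", name):
                findings.append((line, f"Run value name {name!r} is a bare hex string"))
            r = RUNDLL_RE.match(cmd)
            if r and len(r.group("export")) <= 2:
                findings.append((line, f"rundll32 loads {r.group('dll')} by export {r.group('export')!r}"))
            continue
        m = O20_RE.match(line)
        if m and m.group("name").lower() not in KNOWN_NOTIFY:
            findings.append((line, f"Winlogon Notify package {m.group('name')!r} is not stock"))
    return findings


def build_cfscript(log_text: str) -> str:
    """Render the flagged entries in the CFScript syntax used in the fix above:
    File:: lines for the DLLs, and Registry:: lines that delete the Run value
    ("name"=-) and the whole Notify subkey ([-key])."""
    files: List[str] = []
    reg: List[str] = []
    for line, _ in triage(log_text):
        m = O4_RE.match(line)
        if m:
            entry = f'[{RUN_KEYS[m.group("hive")]}]\n"{m.group("name")}"=-'
            if entry not in reg:
                reg.append(entry)
            r = RUNDLL_RE.match(m.group("cmd"))
            if r and r.group("dll") not in files:
                files.append(r.group("dll"))
            continue
        m = O20_RE.match(line)
        if m:
            if m.group("path") not in files:
                files.append(m.group("path"))
            reg.append(f"[-{NOTIFY_KEY}\\{m.group('name')}]")
    parts = ["KILLALL::", ""]
    if files:
        parts += ["File::", *files, ""]
    if reg:
        parts += ["Registry::", *reg, ""]
    return "\n".join(parts)


def removed_entries(before: str, after: str) -> List[str]:
    """HJT entries present in the first log but absent from the second."""
    after_set = {l.strip() for l in after.splitlines()}
    return [l.strip() for l in before.splitlines()
            if ENTRY_RE.match(l.strip()) and l.strip() not in after_set]


def unresolved(before: str, after: str) -> List[str]:
    """Flagged entries from the first log that survive in the follow-up log;
    an empty list is the check that the script did what it was meant to."""
    gone = set(removed_entries(before, after))
    return list(dict.fromkeys(line for line, _ in triage(before) if line not in gone))


if __name__ == "__main__":
    for line, why in triage(SAMPLE_BEFORE):
        print(f"{why}\n    {line}")
    print(build_cfscript(SAMPLE_BEFORE))
    print("unresolved after fix:", unresolved(SAMPLE_BEFORE, SAMPLE_AFTER))
```

Run it as a script to see the findings, the generated CFScript and the verification result. The heuristics are deliberately narrow, so treat a hit as a prompt to look at the file itself (signature, timestamps, what loads it), not as proof on its own, and keep the generated script as a draft for the analyst to review before anyone drags it onto ComboFix.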
Old 10-21-2007, 02:34 PM   #6 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 5
OS: WinXP, SP2


Re: res://C:\WINDOWS\system32\shdoclc.dll/navcancl.htm# and more.

It seems to be running fine.

hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:31, on 2007-10-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ccmsetup\ccmsetup.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - Startup: Registration TMNT.LNK = C:\Program Files\Ubisoft\TMNT\Registration\RegistrationReminder.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1153248570553
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = academic.remingtonadmin.edu
O17 - HKLM\Software\..\Telephony: DomainName = academic.remingtonadmin.edu
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O24 - Desktop Component 0: (no name) - http://rds.yahoo.com/_ylt=A0Je5x5bbt...ING/Woman6.jpg

--
End of file - 8246 bytes

pandascan

Incident Status Location

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Ashley.Traylor\Cookies\ashley.traylor@atwola[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Home\Cookies\home@adrevolver[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Home\Cookies\home@atwola[1].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Home\Cookies\home@bravenet[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Home\Cookies\home@did-it[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\patricia.western\Cookies\patricia.western@com[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\patricia.western\Cookies\patricia.western@fastclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\patricia.western\Cookies\patricia.western@fastclick[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\patricia.western\Cookies\patricia.western@fastclick[4].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\patricia.western\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\patricia.western\Desktop\ComboFix.exe[nircmd.cfexe]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Cookies\patricia.western@apmebf[1].txt
Spyware:Spyware/Virtumonde Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\buubcgae.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\vkgdautk.dll.vir
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
combofix

ComboFix 07-10-21.2 - Patricia.Western 2007-10-21 13:14:01.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.170 [GMT -5:00]
Running from: C:\Documents and Settings\patricia.western\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\patricia.western\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\Windows\infrom.dat
C:\Windows\ldup.exe
C:\WINDOWS\system32\buubcgae.dll
C:\Windows\System32\ccPrxy.exe
C:\WINDOWS\system32\ghmowtqo.dll
C:\WINDOWS\system32\paxqdpfe.dll
C:\WINDOWS\system32\tykgbily.dll
C:\WINDOWS\system32\vkgdautk.dll
C:\WINDOWS\system32\xxywxwt.dll
C:\WINDOWS\system32\yfpjanri.dll
E:\infrom.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Trymedia
C:\Documents and Settings\All Users\Application Data\Trymedia\data\{20686868-16E2-ADA8-4B81-D33A0C0D6C08}
C:\Documents and Settings\All Users\Application Data\Trymedia\data\{220A5D2D-3680-0548-4F64-1E849C30E89E}
C:\Documents and Settings\All Users\Application Data\Trymedia\data\{5101FF3B-61D0-795F-D8CC-DB273C6F3B81}
C:\Documents and Settings\All Users\Application Data\Trymedia\data\{F68AFF93-E7CF-827D-0ECA-7082A2E03C5E}
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\COMBOSEARCH.acs
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\connect.ico
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\dnload.bmp
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\dnloado.bmp
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\downfile\megauper.zip
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\ErrorPageTemplate.css
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\extend.bmp
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\extendi.bmp
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\extendo.bmp
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\graphred0.bmp
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\graphred0_5.bmp
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\graphred1.bmp
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\graphred1_5.bmp
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\graphred2.bmp
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\graphred2_5.bmp
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\graphred3.bmp
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\graphred3_5.bmp
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\graphred4.bmp
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\graphred4_5.bmp
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\graphred5.bmp
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\happyhour.bmp
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\happyhouri.bmp
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\happyhouro.bmp
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\help.gif
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\ie7tab3.zip
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\info.bmp
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\links.bmp
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\marrow.bmp
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\megauper.exe
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\megauploadtoolbartb0500.cfg
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\NewCfg\megauploadtoolbartb0500.cfg1812606
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\powered_by_yahoo.bmp
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\search.bmp
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\searcho.bmp
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\sinfo.txt
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\slider.bmp
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\tab_icon.png
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\tabdata.js
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\tablib.js
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\tabwelcome.html
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\upload.bmp
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\uploado.bmp
C:\Documents and Settings\patricia.western.RCHOU2LT6030KS8\Application Data\MEGAUPLOADTOOLBAR\yahoo_search.gif
C:\WINDOWS\system32\buubcgae.dll
C:\WINDOWS\system32\paxqdpfe.dll
C:\WINDOWS\system32\vkgdautk.dll
C:\WINDOWS\system32\xxywxwt.dll
C:\WINDOWS\system32\yfpjanri.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-21 to 2007-10-21 )))))))))))))))))))))))))))))))
.

2007-10-21 13:07 <DIR> d-------- C:\Program Files\LimeWire
2007-10-21 12:24 <DIR> d-------- C:\UT2004Demo
2007-10-21 10:53 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-18 18:49 <DIR> d-------- C:\ZonedOut
2007-10-17 20:30 <DIR> d-------- C:\Program Files\7-Zip
2007-10-17 05:52 <DIR> d-------- C:\ie-spyad_zo
2007-10-15 20:51 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-15 19:38 <DIR> d-------- C:\Program Files\VideoLAN
2007-10-15 18:42 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-15 18:27 <DIR> d-------- C:\HJT
2007-10-14 18:39 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-13 14:32 23,126 --a------ C:\WINDOWS\War3Unin.dat
2007-10-13 14:27 <DIR> d-------- C:\Program Files\Warcraft III
2007-10-06 13:23 <DIR> d-------- C:\WINDOWS\Sun
2007-10-06 08:18 <DIR> d-------- C:\Documents and Settings\patricia.western\Application Data\TMNT
2007-10-02 21:19 <DIR> d-------- C:\Documents and Settings\patricia.western\Application Data\DivX
2007-10-02 21:05 <DIR> d-------- C:\Documents and Settings\patricia.western\Application Data\Talkback
2007-10-02 21:04 <DIR> d-------- C:\Program Files\DivX
2007-10-01 18:53 <DIR> d-------- C:\Program Files\directx
2007-09-28 11:08 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-28 11:07 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-09-28 11:07 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-09-28 11:07 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-09-28 11:07 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-20 02:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-10-16 02:52 --------- d-----w C:\Program Files\Google
2007-10-14 23:07 --------- d-----w C:\Program Files\Java
2007-10-14 05:01 --------- d-----w C:\Documents and Settings\patricia.western\Application Data\dvdcss
2007-10-11 21:49 --------- d-----w C:\Documents and Settings\patricia.western\Application Data\LimeWire
2007-10-06 23:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-25 00:47 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-21 13:31 --------- d-----w C:\Documents and Settings\patricia.western\Application Data\AdobeUM
2007-09-18 10:18 --------- d-----w C:\Documents and Settings\patricia.western\Application Data\IDM
2007-09-18 10:18 --------- d-----w C:\Documents and Settings\patricia.western\Application Data\DMCache
2007-09-16 08:31 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-09-16 07:46 --------- d-----w C:\Program Files\Common Files\AVSMedia
2007-09-16 07:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVS4YOU
2007-09-16 01:59 --------- d-----w C:\Program Files\Common Files\xing shared
2007-09-16 01:59 --------- d-----w C:\Program Files\Common Files\Real
2007-09-16 01:58 --------- d-----w C:\Program Files\Real
2007-09-11 20:35 --------- d-----w C:\Program Files\Xvid
2007-09-11 20:25 --------- d-----w C:\Documents and Settings\patricia.western\Application Data\Media Player Classic
2007-09-11 20:20 --------- d-----w C:\Documents and Settings\patricia.western\Application Data\vlc
2007-09-06 21:19 --------- d-----w C:\Documents and Settings\patricia.western\Application Data\U3
2007-09-03 01:41 --------- d-----w C:\Documents and Settings\patricia.western\Application Data\Yahoo!
2007-09-01 04:48 223,128 ----a-w C:\WINDOWS\system32\drivers\vaxscsi.sys
2007-09-01 04:41 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-08-29 01:13 --------- d-----w C:\Program Files\Common Files\DirectX