Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Old 10-04-2007, 01:04 PM   #1 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 8
OS: Win Xp SP2


Possible Trojan - PLS Help!

Hey, I'm not too sure what I have, but I've run Ad-Aware/Spybot and have avast! running in the background. I've run the avast! boot-time scan several times and it has found many files (from the gateways a trojan opened), but I have yet to get rid of it.

It all started on MSN Messenger when I accepted a file from my sister that said "Hey have you seen these photos yet?". Stupidly I accepted, and my computer went into lock-up mode and totally screwed me over. I did have something called UltimateFixer on here (known spyware), which I think has been removed because I no longer get notifications.

What I get now are pop-ups while browsing in Internet Explorer and when I'm not. I get 2 specific pop-ups: one that says free webcam results and has 20-30 pictures of women on webcams and Live! in the corner. The other one is from makingmoneynetwork.com or something like that. It gives several links, a search bar and this at the bottom:

c)2007 Zenilco Center LTD - MakingMoneyNetwork is a brand of Zenilco Center LTD
Domain Parking Made Easy

Please, any help would be appreciated. I've found a trojan in the past few days with avast, but it fails to move it to the chest or do anything. I know it's working because when I play DotA, a lot of the time I get hardcore lag. Thank you, Zach.
Nothintolose is offline  

Old 10-04-2007, 01:45 PM   #2 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 8
OS: Win Xp SP2


Re: Possible Trojan - PLS Help!

It just found this: C:\WINDOWS\Temp\startdrv.exe, Win32:Agent-LAA [Trj], 000778-3, 04/10/2007
Nothintolose is offline  
Old 10-04-2007, 08:47 PM   #3 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 8
OS: Win Xp SP2


Re: Possible Trojan - PLS Help!

Bump......
Nothintolose is offline  
Old 10-04-2007, 08:55 PM   #4 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,557
OS: WinXP and Vista


Re: Possible Trojan - PLS Help!

Zach--please please follow the instructions in our sticky topic (Updated!) IMPORTANT - Read This Before Posting A Log and post the requested logs in your next reply.


**Please note this section of the forum is very busy, so please familiarize yourself with the Bumping Rules also found in Step 5 of our sticky topic mentioned above.

One of our Analysts will review your log as soon as possible.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 10-06-2007, 05:07 PM   #5 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 8
OS: Win Xp SP2


Re: Possible Trojan - PLS Help!

Hey, I followed the steps; the Panda scan wouldn't work. When I clicked on Start it would just turn the email box yellow, then go nowhere. Here's my log, Zach.

Deckard's System Scanner v20070905.67
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) D CPU 2.80GHz
CPU 1: Intel(R) Pentium(R) D CPU 2.80GHz
Percentage of Memory in Use: 46%
Physical Memory (total/avail): 2046.39 MiB / 1104.84 MiB
Pagefile Memory (total/avail): 3938.1 MiB / 3030.69 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1952.63 MiB

C: is Fixed (NTFS) - 270.94 GiB total, 192.85 GiB free.
D: is Fixed (FAT32) - 8.5 GiB total, 1.04 GiB free.
E: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - Maxtor 6L300S0 - 279.46 GiB - 2 partitions
\PARTITION0 - Unknown - 8.51 GiB - D:
\PARTITION1 (bootable) - Installable File System - 270.94 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

FW: Norton Internet Worm Protection v2006 (Symantec)
AV: Norton AntiVirus v2005 (Symantec Corporation)
AV: avast! antivirus 4.7.1043 [VPS 000778-5] v4.7.1043 (ALWIL Software)

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\DISC\\DISCover.exe"="C:\\Program Files\\DISC\\DISCover.exe:*:Enabled:DISCover Drop & Play System"
"C:\\Program Files\\DISC\\DiscStreamHub.exe"="C:\\Program Files\\DISC\\DiscStreamHub.exe:*:Enabled:DISCover Stream Hub"
"C:\\Program Files\\DISC\\myFTP.exe"="C:\\Program Files\\DISC\\myFTP.exe:*:Enabled:DISCover FTP"
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:Earthlink"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\ICQ\\Icq.exe"="C:\\Program Files\\ICQ\\Icq.exe:*:Enabled:ICQ"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Documents and Settings\\HP_Administrator\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\HP_Administrator\\Desktop\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"="C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Jukebox"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\BitLord\\BitLord.exe"="C:\\Program Files\\BitLord\\BitLord.exe:*:Enabled:BitLord"
"C:\\Program Files\\Bit Lord 1.1\\BitLord.exe"="C:\\Program Files\\Bit Lord 1.1\\BitLord.exe:*:Enabled:BitLord"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\Warcraft III\\Frozen Throne.exe"="C:\\Program Files\\Warcraft III\\Frozen Throne.exe:*:Enabled:Warcraft III - The Frozen Throne"
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"="C:\\Program Files\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"
"C:\\WINDOWS\\TEMP\\win15.tmp.exe"="C:\\WINDOWS\\TEMP\\win15.tmp.exe:*:Enabled:win15.tmp"
"C:\\Program Files\\Steam\\SteamApps\\mikee_\\counter-strike source\\hl2.exe"="C:\\Program Files\\Steam\\SteamApps\\mikee_\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Warcraft III\\war3.exe"="C:\\Program Files\\Warcraft III\\war3.exe:*:Enabled:Warcraft III"
"C:\\Program Files\\Warcraft III\\Listchecker\\pickup.listchecker.exe"="C:\\Program Files\\Warcraft III\\Listchecker\\pickup.listchecker.exe:*:Enabled:pickup.listchecker"
"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Enabled:Ares p2p for windows"
"C:\\Program Files\\Steam\\SteamApps\\mikee_\\counter-strike\\hl.exe"="C:\\Program Files\\Steam\\SteamApps\\mikee_\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Microsoft Games\\Age of Mythology\\aomx.exe"="C:\\Microsoft Games\\Age of Mythology\\aomx.exe:*:Enabled:Age of Mythology - The Titans Expansion"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Zach\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-4DACD0EA75
ComSpec=C:\WINDOWS\system32\cmd.exe
DXSDK_DIR=C:\Program Files\Microsoft DirectX SDK (June 2006)\
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Zach
LOGONSERVER=\\YOUR-4DACD0EA75
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;"C:\Program Files\Microsoft DirectX SDK (June 2006)\Utilities\Bin\x86";C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\Python22;;C:\PROGRA~1\COMMON~1\MUVEET~1\030625;C:\PROGRA~1\COMMON~1\MUVEET~1\030625
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 6 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0602
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SonicCentral=c:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Zach\LOCALS~1\Temp
TMP=C:\DOCUME~1\Zach\LOCALS~1\Temp
USERDOMAIN=YOUR-4DACD0EA75
USERNAME=Zach
USERPROFILE=C:\Documents and Settings\Zach
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

HP_Administrator (admin)
Tim (admin)
bobby (admin)
Boreham PC (admin)
Zach (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Creative Installation Information\CREATIVE_MEDIASOURCE_U\Setup.exe" /remove /l0x0009
--> "C:\Program Files\Creative Installation Information\CTCMSGO\Setup.exe" /remove /l0x0009
--> "C:\Program Files\Creative Installation Information\E-CENTER_NET_CONTENT_U\Setup.exe" /remove /l0x0009
--> "C:\Program Files\Creative Installation Information\E-CENTER_PLUGIN_MINIDISC_U\Setup.exe" /remove /l0x0009
--> "C:\Program Files\Creative Installation Information\E-CENTER_PLUGIN_ONLINESTORE_U\Setup.exe" /remove /l0x0009
--> "C:\Program Files\Creative Installation Information\MEDIASOURCE_PLAYER_SKINPACK_U\Setup.exe" /remove /l0x0009
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {F80239D8-7811-4D5E-B033-0D0BBFE32920}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3414C9E5-FCFE-11D8-8469-00D0B726B56E}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9104A09A-EC83-11D8-8469-00D0B726B56E}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9104A09A-EC83-11D8-8469-00D0B726B56E}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9744AE38-1CC6-414F-96CE-0643AEE30A9B}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9744AE38-1CC6-414F-96CE-0643AEE30A9B}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9AB14DF5-3B04-4E3B-9969-695DBA7F2008}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9AB14DF5-3B04-4E3B-9969-695DBA7F2008}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E54F486-CD4A-44A5-B041-16D4E1E56A53}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E54F486-CD4A-44A5-B041-16D4E1E56A53}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D3973D94-316B-44C1-904A-34DB5200EA0D}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D3973D94-316B-44C1-904A-34DB5200EA0D}\setup.exe" -l0x9 /remove
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> MsiExec.exe /X{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Age of Mythology --> "C:\Microsoft Games\Age of Mythology\UNINSTAL.EXE" /runtemp /addremove
Age of Mythology - The Titans Expansion --> "C:\Microsoft Games\Age of Mythology\UNINSTXP.EXE" /runtemp /addremove
Agere Systems PCI-SV92PP Soft Modem --> agrsmdel
Apple Mobile Device Support --> MsiExec.exe /I{967D588C-9B96-40C9-A222-DCD6922563CA}
Apple Software Update --> MsiExec.exe /I{492724FC-3B26-46B4-824F-3CE2722D9AA0}
Ares 2.0.9 --> "C:\Program Files\Ares\uninstall.exe"
avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
Bioshock Demo --> "C:\Program Files\Steam\steam.exe" steam://uninstall/7710
BitLord 1.1 --> C:\Program Files\BitLord\uninst.exe
Canon Camera Access Library --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CAL\Uninst.ini"
Canon Camera Support Core Library --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CSCLIB\Uninst.ini"
Canon Camera Window DC_DV 5 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC\Uninst.ini"
Canon Camera Window DC_DV 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini"
Canon Camera Window MC 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowMC\Uninst.ini"
Canon RAW Image Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\RAW Image Task\Uninst.ini"
Canon RemoteCapture Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\Uninst.ini"
Canon Utilities Digital Photo Professional 2.1 --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\Digital Photo Professional\Uninst.ini"
Canon Utilities EOS Utility --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\EOS Utility\Uninst.ini"
Canon Utilities PhotoStitch --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\PhotoStitch\Uninst.ini"
Canon Utilities ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\Uninst.ini"
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
CDBurnerXP --> "C:\Program Files\CDBurnerXP\unins000.exe"
ConvertXtoDVD 2.1.8.191 --> "C:\Program Files\vso\ConvertXtoDVD\unins000.exe"
Counter-Strike --> "C:\Program Files\Steam\steam.exe" steam://uninstall/10
Counter-Strike: Source --> MsiExec.exe /I{9580813D-94B1-4C28-9426-A441E2BB29A5}
Creative Jukebox Driver --> C:\Program Files\Creative\Jukebox 3 Drivers\DrvUnins.exe /s
Creative MediaSource 5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BEEFC4F8-2909-48B3-AFAA-55D3533FDEDD}\setup.exe" -l0x9 /remove
Creative Removable Disk Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9 /remove
Creative System Information --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /remove
Customer Experience Enhancement --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{23012310-3E05-46A5-88A9-C6CBCABCAC79} /l1033
DISCover --> "C:\Program Files\DISC\uninstall.exe"
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Easy Internet Sign-up --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{8105684D-8CA6-440D-8F58-7E5FD67A499D} /l1033
Enhanced Multimedia Keyboard Solution --> C:\HP\KBD\Install.exe /u
Form Fill (Windows Live Toolbar) --> MsiExec.exe /X{F5AF5CDA-76FC-4794-9F28-09B6D54E7431}
FP3 Player --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{44170B31-F47A-4FF9-9D77-382D1FE2A728}
Galactic Magnate v1.1 --> "C:\Program Files\Galactic Magnate\uninst\unins000.exe"
GdiplusUpgrade --> MsiExec.exe /I{5421155F-B033-49DB-9B33-8F80F233D4D5}
GemMaster Mystic --> "C:\Program Files\GemMaster\uninstallgemmaster.exe"
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar3.dll"
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Boot Optimizer --> C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe /uninstall
HP Deskjet 3900 series --> C:\Program Files\HP\Digital Imaging\{3819891A-030B-4a4e-98ED-B28A649E48AB}\setup\hpzscr01.exe -datfile hpfscr05.dat
HP Deskjet Printer Preload --> MsiExec.exe /I{2C5D07FB-31A2-4F2D-9FDA-0B24ACD42BD0}
HP DigitalMedia Archive --> MsiExec.exe /I{F80239D8-7811-4D5E-B033-0D0BBFE32920}
HP Document Viewer 5.3 --> C:\Program Files\HP\Digital Imaging\DocumentViewer\hpzscr01.exe -datfile hpqbud04.dat
HP Extended Capabilities 5.0 --> C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Image Zone 5.3 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Image Zone for Media Center PC --> c:\Program Files\HP\Digital Imaging\bin\mcpc\setupmcl.exe /u
HP Photosmart 330,380,420,470,7800,8000,8200 Series --> C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\setup\hpzscr01.exe -d MsiRollbackUninstaller -datfile hphscr08.dat
HP Photosmart Cameras 5.0 --> C:\Program Files\HP\Digital Imaging\{C83A12B9-B31B-461A-BBD4-CE9B988094F1}\setup\hpzscr01.exe -datfile hpiscr01.dat
HP Photosmart Essential --> MsiExec.exe /X{EB21A812-671B-4D08-B974-2A347F0D8F70}
HP PSC & OfficeJet 5.3.A --> "C:\Program Files\HP\Digital Imaging\{3E386744-10FA-44b2-98C9-DF7A270DECB3}\setup\hpzscr01.exe" -datfile hposcr06.dat
HP PSC & OfficeJet 5.3.B --> "C:\Program Files\HP\Digital Imaging\{5B79CFD1-6845-4158-9D7D-6BE89DF2C135}\setup\hpzscr01.exe" -datfile hposcr07.dat
HP Software Update --> MsiExec.exe /X{ECFDD6BD-E0C0-41CC-A171-E6D6AF4C0E93}
HP Solution Center & Imaging Support Tools 5.3 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
Intel(R) Matrix Storage Manager --> C:\WINDOWS\System32\Imsmudlg.exe
Intel(R) PRO Network Connections Drivers --> Prounstl.exe
Intel(R) Quick Resume Technology Drivers --> MsiExec.exe /I{8C22F265-DE76-44D1-8A79-A71D819137DA}
Intel(R) Quick Resume Technology Drivers --> MsiExec.exe /X{8C22F265-DE76-44D1-8A79-A71D819137DA} /qb!
Intel® Viiv™ Software --> MsiExec.exe /X{27E395E5-EB04-4BFD-96C3-C9A102E97E1B}
InterVideo WinDVD Player --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150050}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Map Button (Windows Live Toolbar) --> MsiExec.exe /X{ECDA9BD9-A54E-462A-8191-A2B569D9AB34}
Microsoft Away Mode -->
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft DirectX SDK (June 2006) --> MsiExec.exe /I{799F774D-7D7B-4B5B-BCA4-E69F5BEEFC7B}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
MSXML4 Parser --> MsiExec.exe /I{01501EBA-EC35-4F9F-8889-3BE346E5DA13}
Mu Gods --> C:\Documents and Settings\HP_Administrator\Desktop\Uninstal.exe
Music MasterWorks v3.81 --> "C:\Program Files\MusicMasterWorks\unins000.exe"
muvee autoProducer 4.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E7137AFD-4E43-47A6-BDC7-533808F72B36}\setup.exe" -l0x9
muvee autoProducer unPlugged 1.2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DFB0FED6-0010-4E9B-A402-E513F2459161}\setup.exe" -l0x9
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
OneCare Advisor (Windows Live Toolbar) --> MsiExec.exe /X{53B2CFE9-A508-4457-B2CA-5D253536BFB7}
Otto --> "C:\Program Files\EnglishOtto\uninstallotto.exe"
PartyPoker --> "C:\Program Files\PartyGaming\PartyPoker\Uninstall.exe" "C:\Program Files\PartyGaming\PartyPoker\install.log"
Popup Blocker (Windows Live Toolbar) --> MsiExec.exe /X{117CD9C0-0F15-4633-93D7-F957B50535A5}
Python 2.2 pywin32 extensions (build 203) --> "C:\Python22\Removepywin32.exe" -u "C:\Python22\pywin32-wininst.log"
Python 2.2.3 --> C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Remove IntelliMover Demo --> c:\hp\bin\cloaker.exe c:\hp\bin\commands.exe /c "C:\Program Files\IntelliMoverDemo\clean.bat"
Rogers Self Healing Software (remove only) --> "C:\Program Files\Rogers\SelfHealing\uninst.exe"
Royale Remixed Theme --> MsiExec.exe /I{54EF43F4-99D8-4FF8-B9FE-AC893A83B84E}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
SigmaTel MSCN Audio Player --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8E240C1C-25D0-4248-BC6C-ACC3472E35CE}\setup.exe" -l0x9
Smart Menus (Windows Live Toolbar) --> MsiExec.exe /X{95FC661A-A0C5-4B18-92CE-90347DA79CC9}
Sonic Express Labeler --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic MyDVD Plus --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic RecordNow Audio --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic RecordNow Copy --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic RecordNow Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Steam --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
Update Rollup 2 for Windows XP Media Center Edition 2005 -->
USB PC VoiceCam(SN9C103) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2AE0FF32-51B3-4868-9A8E-B7BFA929BA32}\Setup.exe" -l0x9
UseNeXT --> "C:\Program Files\UseNeXT\unins000.exe"
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
VideoEgg Publisher --> C:\Program Files\VideoEgg\Uninstall.exe
VideoLAN VLC media player 0.8.1 --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Warcraft III: All Products --> C:\WINDOWS\War3Unin.exe C:\WINDOWS\War3Unin.dat
WC3Banlist --> "C:\Program Files\WC3Banlist\unins000.exe"
Windows Live Favorites for Windows Live Toolbar --> MsiExec.exe /X{DCE65B11-710D-4C54-9DE5-1A6A0BD2186B}
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Outlook Toolbar (Windows Live Toolbar) --> MsiExec.exe /X{A40D6757-B145-4FE7-B694-89180A9F3F64}
Windows Live Sign-in Assistant --> MsiExec.exe /I{F652D238-5F29-42D5-BAF3-0115EF977EC2}
Windows Live Toolbar --> "C:\Program Files\Windows Live Toolbar\UnInstall.exe" {9DA72A9F-4246-4C10-B0FA-D8C1037D45F8}
Windows Live Toolbar --> MsiExec.exe /X{9DA72A9F-4246-4C10-B0FA-D8C1037D45F8}
Windows Live Toolbar Extension (Windows Live Toolbar) --> MsiExec.exe /X{3727B920-F5A3-46A4-AC02-94F421A039C7}
Windows Live Toolbar Feed Detector (Windows Live Toolbar) --> MsiExec.exe /X{38024121-D084-4E7D-B1A2-1A04CB5C4CF3}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB925766 --> "C:\WINDOWS\$NtUninstallKB925766$\spuninst\spuninst.exe"
WinPcap 3.1 --> C:\Program Files\WinPcap\uninstall.exe
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe
Xilisoft 3GP Video Converter --> C:\Program Files\Xilisoft\3GP Video Converter 3\Uninstall.exe
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe
Zen Micro Media Explorer (for PlaysForSure devices) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3414C9E5-FCFE-11D8-8469-00D0B726B56E}\setup.exe" -l0x9 /remove


-- Application Event Log -------------------------------------------------------

Event Record #/Type31508 / Error
Event Submitted/Written: 10/06/2007 0210 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type31507 / Error
Event Submitted/Written: 10/06/2007 06:37:00 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16512, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x000118d0.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type31459 / Success
Event Submitted/Written: 10/03/2007 05:10:21 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type31247 / Success
Event Submitted/Written: 09/28/2007 08:33:43 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type31239 / Success
Event Submitted/Written: 09/28/2007 05:47:52 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type71810 / Warning
Event Submitted/Written: 10/05/2007 11:36:00 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type71809 / Warning
Event Submitted/Written: 10/05/2007 06:46:39 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type71807 / Warning
Event Submitted/Written: 10/04/2007 05:00:21 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type71800 / Warning
Event Submitted/Written: 10/03/2007 11:05:38 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type71796 / Error
Event Submitted/Written: 10/03/2007 05:10:01 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {0002DF01-0000-0000-C000-000000000046} did not register with DCOM within the required timeout.



-- End of Deckard's System Scanner: finished at 2007-10-06 18:46:28 ------------
Nothintolose is offline  
Old 10-06-2007, 07:52 PM   #6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,557
OS: WinXP and Vista


Re: Possible Trojan - PLS Help!

Hello Zach,
Quote:
Deckard's System Scanner v20070905.67
Extra logfile - please post this as an attachment with your post.
What you've posted is the extra.txt.

Please navigate to C:\Deckard\System Scanner\ and post the main.txt.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 10-07-2007, 01:12 PM   #7 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 8
OS: Win Xp SP2


Re: Possible Trojan - PLS Help!

Hey Ried, you're awesome! Thanks for the help, I really appreciate it. Posted the Main.txt as an attachment.

Deckard's System Scanner v20070905.67
Run by Zach on 2007-10-06 18:43:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
84: 2007-10-06 22:43:33 UTC - RP480 - Deckard's System Scanner Restore Point
83: 2007-10-06 22:39:37 UTC - RP479 - Software Distribution Service 3.0
82: 2007-10-05 21:10:58 UTC - RP478 - System Checkpoint
81: 2007-10-04 20:27:01 UTC - RP477 - System Checkpoint
80: 2007-10-03 10:34:59 UTC - RP476 - System Checkpoint


-- First Restore Point --
1: 2007-07-08 22:20:30 UTC - RP397 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-10-06 18:45:44
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16512)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WC3Banlist\WC3Banlist.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wbem\csrss.exe
C:\WINDOWS\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Zach\Local Settings\Temporary Internet Files\Content.IE5\3FE0Z7Y1\dss[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rogers.yahoo.com
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {38D55A70-E975-996F-2411-01092EBA6C2B} - C:\Program Files\Pfpkguqy\ytuluoee.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: H - {5C2290D4-C3F1-4bb5-91E6-D0B806A8663A} - parety.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: 0 - {ED12044A-04F8-44BF-A394-8D4D04B2F93D} - (no file)
O2 - BHO: CBho Class - {F369DA09-FADE-44CB-987F-E2E0DEF51BCA} - C:\WINDOWS\system32\pgd.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar3.dll
O4 - HKEY_LOCAL_MACHINE\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKEY_LOCAL_MACHINE\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKEY_LOCAL_MACHINE\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKEY_LOCAL_MACHINE\..\Run: [Microsoft Visual Application] winsyshp.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [iss7328] c:\ebmno.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [vsnwnqtm] rundll32.exe "C:\Program Files\qnanojwt\uvihgbsp.dll",Init
O4 - HKEY_LOCAL_MACHINE\..\Run: [ykmyegiy] C:\Program Files\Qoswziws\ykmyegiy.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [ifkfaxix] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ifkfaxix.dll"
O4 - HKEY_LOCAL_MACHINE\..\Run: [odqjsnab] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\odqjsnab.dll"
O4 - HKEY_LOCAL_MACHINE\..\Run: [btmnixix] C:\Program Files\Gwzlwfym\btmnixix.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [xyryhirs] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\xyryhirs.dll"
O4 - HKEY_LOCAL_MACHINE\..\Run: [dcadqtgp] C:\Program Files\Bhmoxunj\dcadqtgp.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKEY_LOCAL_MACHINE\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [csrss] C:\WINDOWS\system32\wbem\csrss.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [svchost] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://trymedia.com (HKEY_LOCAL_MACHINE)
O15 - Trusted Zone: https://trymedia.com (HKEY_LOCAL_MACHINE)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} () - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by115w.bay115.mail.live.com/m...s/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1154570740090
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by123fd.bay123.hotmail.msn.co...x/HMAtchmt.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O20 - Winlogon Notify: winjcr32 - C:\WINDOWS\system32\
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\system32\WRLogonNTF.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Microsoft ASPI Manager (aspimgr) - Unknown owner - C:\WINDOWS\system32\aspimgr.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - "C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe"
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - "C:\Program Files\Common Files\LightScribe\LSSrvc.exe"
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccess.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini"
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - "C:\Program Files\Viewpoint\Common\ViewpointService.exe"


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 ELhid - c:\windows\system32\drivers\elhid.sys <Not Verified; Intel Corporation; Intel(R) Quick Resume Technology>
R1 ELkbd - c:\windows\system32\drivers\elkbd.sys <Not Verified; Intel Corporation; Intel(R) Quick Resume Technology>
R1 ELmon - c:\windows\system32\drivers\elmon.sys <Not Verified; Intel Corporation; Intel(R) Quick Resume Technology>
R1 ELmou - c:\windows\system32\drivers\elmou.sys <Not Verified; Intel Corporation; Intel(R) Quick Resume Technology>
R3 NPF (NetGroup Packet Filter Driver) - c:\windows\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

S3 EraserUtilRebootDrv - c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys (file missing)
S3 GENERICDRV - c:\docume~1\hp_adm~1\locals~1\temp\pftf9.tmp\amifldrv.sys (file missing)
S3 Ip6Fw (IPv6 Windows Firewall Driver) - c:\windows\system32\drivers\ip6fw.sys (file missing)
S3 StMp3Rec (Player Recovery Device Control Driver) - c:\windows\system32\drivers\stmp3rec.sys <Not Verified; Microsoft Corporation; >


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\program files\winpcap\rpcapd.exe" -d -f "c:\program files\winpcap\rpcapd.ini" <Not Verified; CACE Technologies; Remote Packet Capture Daemon>
S4 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
S4 AresChatServer (Ares Chatroom server) - c:\program files\ares\chatserver.exe <Not Verified; Ares Development Group; Ares Chat Server>
S4 aspimgr (Microsoft ASPI Manager) - c:\windows\system32\aspimgr.exe (file missing)
S4 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >
S4 ELService (Intel® Quick Resume Technology Drivers) - "c:\program files\intel\inteldh\intel(r) quick resume technology\elservice.exe" <Not Verified; Intel Corporation; Intel(R) Quick Resume Technology>
S4 NMSAccess - c:\program files\cdburnerxp\nmsaccess.exe
S4 NtmlSvc -
S4 Pml Driver HPZ12 - \systemroot\c:\windows\system32\hpzipm12.exe (file missing)
S4 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\88E67C11D800
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\88E67C11D800
Service: NIC1394

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Wireless LAN PCI 802.11 b/g adapter WN5301A
Device ID: PCI\VEN_168C&DEV_001B&SUBSYS_500111AD&REV_01\4&1AF1648C&0&20F0
Manufacturer: Liteon
Name: Wireless LAN PCI 802.11 b/g adapter WN5301A
PNP Device ID: PCI\VEN_168C&DEV_001B&SUBSYS_500111AD&REV_01\4&1AF1648C&0&20F0
Service: WN5301


-- Scheduled Tasks -------------------------------------------------------------

2007-10-05 11:04:03 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-09-24 00:00:28 288 --ah----- C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job


-- Files created between 2007-09-06 and 2007-10-06 -----------------------------

2007-10-06 18:39:39 0 d-------- C:\WINDOWS\LastGood
2007-09-30 14:26:54 33792 --a------ C:\WINDOWS\svchost.exe
2007-09-30 06:29:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-25 03:23:59 18944 --a------ C:\WINDOWS\system32\pgd.dll <Not Verified; ; popupbho Module>
2007-09-16 01:26:31 0 d-------- C:\Program Files\Microsoft IntelliPoint
2007-09-16 01:22:23 0 d-------- C:\Program Files\Microsoft IntelliType Pro
2007-09-16 00:46:57 0 d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2007-09-07 23:55:16 41984 -----n--- C:\WINDOWS\Ctregrun.exe <Not Verified; Creative Technology Ltd; Creative On-line Registration System>
2007-09-07 23:31:15 149504 --a------ C:\WINDOWS\UNWISE.EXE
2007-09-07 23:01:37 0 d-------- C:\Documents and Settings\Zach\Application Data\Creative
2007-09-07 22:59:24 25088 -----n--- C:\WINDOWS\system32\CTSVCCTL.EXE <Not Verified; Creative Technology Ltd; Creative Service Control>
2007-09-07 22:59:23 44032 -----n--- C:\WINDOWS\system32\CTSVCCDA.EXE <Not Verified; Creative Technology Ltd; Creative Service for CDROM Access>
2007-09-07 22:58:59 0 d-------- C:\Program Files\Common Files\Creative
2007-09-07 22:58:58 0 d--h----- C:\Program Files\Creative Installation Information
2007-09-07 22:58:31 0 d-------- C:\Program Files\Creative
2007-09-06 19:18:59 0 d-------- C:\Documents and Settings\Zach\Application Data\Google
2007-09-06 18:03:28 0 d-------- C:\Program Files\Common Files\xing shared
2007-09-06 18:03:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2007-09-06 18:00:22 0 d-------- C:\My Downloads
2007-09-06 17:37:58 0 d-------- C:\Program Files\QuickTime
2007-09-06 17:37:54 0 d-------- C:\Program Files\Xilisoft
2007-09-06 17:22:51 0 d-------- C:\Program Files\Avex


-- Find3M Report ---------------------------------------------------------------

2007-10-06 17:36:42 0 d-------- C:\Program Files\Warcraft III
2007-10-06 16:14:28 0 d-------- C:\Program Files\Rogers
2007-10-03 23:08:20 0 d-------- C:\Program Files\World of Warcraft
2007-10-02 11:08:59 18991 --a------ C:\WINDOWS\system32\k.dat
2007-09-30 23:47:35 0 d-------- C:\Program Files\Steam
2007-09-30 07:27:33 0 d-------- C:\Program Files\Common Files
2007-09-28 15:47:16 0 d-------- C:\Program Files\Tyzhnddw
2007-09-28 15:42:25 0 d-------- C:\Program Files\Qoswziws
2007-09-28 15:42:24 0 d-------- C:\Program Files\Pfpkguqy
2007-09-28 15:27:03 0 d-------- C:\Program Files\Isebbczd
2007-09-28 15:22:56 0 d-------- C:\Program Files\Gwzlwfym
2007-09-28 15:19:13 0 d-------- C:\Program Files\Bhmoxunj
2007-09-23 21:56:56 0 d-------- C:\Program Files\BitLord
2007-09-12 22:02:11 0 d-------- C:\Program Files\MSN Messenger
2007-09-08 22:22:13 0 d-------- C:\Program Files\WC3Banlist
2007-09-07 23:57:14 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-09-06 18:09:27 0 d-------- C:\Documents and Settings\Zach\Application Data\Real
2007-09-06 18:03:24 0 d-------- C:\Program Files\Common Files\Real
2007-09-06 18:03:08 0 d-------- C:\Program Files\Google
2007-08-29 14:02:10 0 d-------- C:\Program Files\Alwil Software
2007-08-29 13:38:07 1 --a------ C:\WINDOWS\system32\boa.dat
2007-08-24 04:58:00 0 d-------- C:\Program Files\SecCenter
2007-08-23 10:29:12 0 d-------- C:\Program Files\Movie Maker
2007-08-23 10:15:13 0 d-------- C:\Program Files\Messenger
2007-08-23 08:40:25 77312 --a------ C:\WINDOWS\ua2.dll
2007-08-23 08:34:55 0 d-------- C:\Program Files\qnanojwt
2007-08-23 08:34:51 245 --a------ C:\WINDOWS\tmp246890.bat
2007-08-23 04:13:49 2 --a------ C:\1383251974
2007-08-15 18:03:47 0 d-------- C:\Documents and Settings\Zach\Application Data\Apple Computer
2007-08-15 18:02:21 0 d-------- C:\Program Files\Apple Software Update
2007-08-15 18:01:40 0 d-------- C:\Program Files\Common Files\Apple
2007-07-28 14:22:47 196 --a------ C:\Documents and Settings\Zach\Application Data\G-Force Prefs (WindowsMediaPlayer).txt
2007-07-15 03:21:10 196608 --a------ C:\BNCSutil.dll <Not Verified; ionws.com; BNCSutil Logon Library>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{38D55A70-E975-996F-2411-01092EBA6C2B}]
C:\Program Files\Pfpkguqy\ytuluoee.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C2290D4-C3F1-4bb5-91E6-D0B806A8663A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ED12044A-04F8-44BF-A394-8D4D04B2F93D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F369DA09-FADE-44CB-987F-E2E0DEF51BCA}]
25/09/2007 03:23 AM 18944 --a------ C:\WINDOWS\system32\pgd.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [04/11/2005 07:03 PM]
"nwiz"="nwiz.exe" []
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [04/11/2005 07:03 PM]
"Microsoft Visual Application"="winsyshp.exe" []
"iss7328"="c:\ebmno.exe" []
"vsnwnqtm"="C:\Program Files\qnanojwt\uvihgbsp.dll" [23/08/2007 08:34 AM]
"ykmyegiy"="C:\Program Files\Qoswziws\ykmyegiy.exe" []
"ifkfaxix"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\ifkfaxix.dll" []
"odqjsnab"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\odqjsnab.dll" []
"btmnixix"="C:\Program Files\Gwzlwfym\btmnixix.exe" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [06/09/2007 06:06 AM]
"xyryhirs"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\xyryhirs.dll" []
"dcadqtgp"="C:\Program Files\Bhmoxunj\dcadqtgp.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [06/09/2007 06:03 PM]
"itype"="c:\Program Files\Microsoft IntelliType Pro\itype.exe" [21/11/2006 05:08 PM]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [05/02/2007 03:52 PM]
"csrss"="C:\WINDOWS\system32\wbem\csrss.exe" [06/10/2007 03:47 AM]
"svchost"="C:\WINDOWS\svchost.exe" [06/10/2007 02:06 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [10/08/2004 01:00 AM]
"msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [19/01/2007 12:54 PM]
"ares"="C:\Program Files\Ares\Ares.exe" [07/05/2007 11:48 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/09/2007 11:04 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Scbu"="C:\WINDOWS\system32\YMANTE~1\spoolsv.exe" -vt yazb

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Movie Maker\rtemelo.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjcr32]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
ARPWRMSG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"C:\Program Files\Ares\Ares.exe" -h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover]
"C:\Program Files\DISC\DISCover.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscUpdateManager]
"C:\Program Files\DISC\DiscUpdateMgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\HP\HP Software Update\HPwuSchd2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
"c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
"C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet /keeploaded /nodetect

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNPSTD2]
C:\WINDOWS\vsnpstd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpamBlocker]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSP Notifier]
"C:\Program Files\Fisher-Price\FP3 Player\sspnotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Program Files\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ultimate Fixer]
"C:\Program Files\Ultimate Fixer\UltimateFixer.exe" hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IAANTMON"=2 (0x2)
"CCALib8"=2 (0x2)
"iPodService"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"Pml Driver HPZ12"=0 (0x0)
"NVSvc"=2 (0x2)
"NMSAccess"=2 (0x2)
"MDM"=2 (0x2)
"LightScribeService"=2 (0x2)
"ELService"=2 (0x2)
"AresChatServer"=3 (0x3)
"NtmlSvc"=2 (0x2)
"aspimgr"=2 (0x2)
"Apple Mobile Device"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a9d64ac-94fd-11da-88a6-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d5ada57c-3471-11db-a4cb-806d6172696f}]
AutoRun\command- E:\autoplay.exe




-- Hosts -----------------------------------------------------------------------

127.0.0.1 hityou.com
127.0.0.1 www.hityou.com
127.0.0.1 180searchassistant.com
127.0.0.1 www.180searchassistant.com
127.0.0.1 180solutions.com
127.0.0.1 www.180solutions.com
127.0.0.1 bis.180solutions.com
127.0.0.1 config.180solutions.com
127.0.0.1 cts.180solutions.com
127.0.0.1 downloads.180solutions.com

6621 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2007-10-06 18:46:28 ------------
Attached file: main.txt (28.9 KB)

Last edited by Ried; 10-07-2007 at 09:55 PM.
Old 10-07-2007, 10:16 PM   #8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,557
OS: WinXP and Vista


Re: Possible Trojan - PLS Help!

Hello,

Move dss.exe out of your temp directory and to your desktop as the instructions stated. We'll be cleaning the temp directory and you'll lose the program.

You also did not allow dss.exe to download the HijackThis program when you were prompted, so all we have is the clone version which cannot be used to fix any entries.

It's very important that you follow all instructions in their entirety, and as given.


Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

***************************************************


*Download MsnCleaner_eng.zip to your desktop, but don't use it yet.
(Copy/Paste the download link in the url window or use "Save Target As")


*Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

--------------------------------------------------------------------

Double-click MsnCleaner_eng.exe to run it.
  • Click the Analyze button.
  • A report will be created once the scan finishes.
  • If it finds an infection, click the Deleted button.
  • Now, please reboot back to normal mode.
  • I'll need the contents of C:\MsnCleaner.txt in your next reply.
--------------------------------------------------------------------

From Normal Mode:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we can continue cleaning the system.

Note:
Do not mouse-click ComboFix's window while it's running; that may cause it to stall.


--------------------------------------------------------------------

*Please download HijackThis to your desktop.

Double-click on the file you just downloaded.
Click on the "Install" button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis

Upon install, HijackThis should open for you.

Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double click on HijackThis.exe
  • If it gives you an intro screen, just choose 'Do a system scan and save a log file'.
  • If not, run a scan and save the log file.
--------------------------------------------------------------------

Please copy/paste the following into your next reply, in the order listed:

MsnCleaner.txt
C:\ComboFix.txt
HijackThis log


**Do not attach any logs unless requested to do so.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 10-07-2007, 11:33 PM   #9 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 8
OS: Win Xp SP2


Re: Possible Trojan - PLS Help!

Here it is, Ried, thanks again.

- Logfile MSNCleaner 1.4.2 by www.forospyware.com
- Created Logfile: 08/10/2007 on 1:10:16 AM
- Operative System: Windows XP
- Boot mode: Safe mode
_________________________________________

Detected files: 2
Deleted file: 2
Undeleted Files: 0

C:\log.txt <--- Deleted
C:\WINDOWS\svchost.exe <--- Deleted

Host file Restored

++++++++++++++++++++++++++++++++++++++++++++++++++++++++


ComboFix 07-10-08.3 - Zach 2007-10-08 1:20:12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1580 [GMT -4:00]
Running from: C:\Documents and Settings\Zach\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Application Data\install.dat
C:\Documents and Settings\LocalService\Application Data\install.dat
C:\Documents and Settings\NetworkService\Application Data\install.dat
C:\Documents and Settings\NetworkService\Application Data\install.dat
C:\Documents and Settings\Zach\Local Settings\Application Data.\n.ini
C:\Program Files\Movie Maker\rtemelo.html
C:\Program Files\SecCenter
C:\Program Files\SecCenter\scprot4.exe
C:\Program Files\SecCenter\scprot4.exe.bak
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\g32.txt
C:\WINDOWS\IA
C:\WINDOWS\IA\KE.vbs
C:\WINDOWS\s32.txt
C:\WINDOWS\system32\boa.dat
C:\WINDOWS\system32\drivers\runtime2.sys
C:\WINDOWS\system32\f06WtR
C:\WINDOWS\system32\help.txt
C:\WINDOWS\system32\k.dat
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\n.ini
C:\WINDOWS\system32\n2.ini
C:\WINDOWS\system32\ymante~1
C:\WINDOWS\system32\ymante~1\?ymantec\
C:\WINDOWS\system32\Z1
C:\WINDOWS\ws386.ini
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_ASC3550P
-------\LEGACY_ASPIMGR
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_NTIO256
-------\LEGACY_NTMLSVC
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\LEGACY_SMTPDRV
-------\aspimgr
-------\NtmlSvc


((((((((((((((((((((((((( Files Created from 2007-09-08 to 2007-10-08 )))))))))))))))))))))))))))))))
.

2007-10-08 01:19 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-08 01:09 <DIR> d-------- C:\BackUpMSNCleaner
2007-10-06 18:43 <DIR> d-------- C:\Deckard
2007-09-30 06:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-25 03:23 18,944 --a------ C:\WINDOWS\system32\pgd.dll
2007-09-16 01:26 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint
2007-09-16 01:22 <DIR> d-------- C:\Program Files\Microsoft IntelliType Pro
2007-09-16 00:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-08 01:06 --------- d-------- C:\Program Files\Warcraft III
2007-10-06 16:14 --------- d-------- C:\Program Files\Rogers
2007-10-03 23:08 --------- d-------- C:\Program Files\World of Warcraft
2007-09-30 23:47 --------- d-------- C:\Program Files\Steam
2007-09-28 15:47 --------- d-------- C:\Program Files\Tyzhnddw
2007-09-28 15:42 --------- d-------- C:\Program Files\Qoswziws
2007-09-28 15:42 --------- d-------- C:\Program Files\Pfpkguqy
2007-09-28 15:27 --------- d-------- C:\Program Files\Isebbczd
2007-09-28 15:22 --------- d-------- C:\Program Files\Gwzlwfym
2007-09-28 15:19 --------- d-------- C:\Program Files\Bhmoxunj
2007-09-23 21:56 --------- d-------- C:\Program Files\BitLord
2007-09-12 22:02 --------- d-------- C:\Program Files\MSN Messenger
2007-09-08 22:22 --------- d-------- C:\Program Files\WC3Banlist
2007-09-07 23:57 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-07 23:57 --------- d-------- C:\Program Files\Creative
2007-09-07 23:20 --------- d-------- C:\Documents and Settings\Zach\Application Data\Creative
2007-09-07 22:58 --------- d--h----- C:\Program Files\Creative Installation Information
2007-09-07 22:58 --------- d-------- C:\Program Files\Common Files\Creative
2007-09-06 19:19 --------- d-------- C:\Documents and Settings\Zach\Application Data\Google
2007-09-06 18:09 --------- d-------- C:\Documents and Settings\Zach\Application Data\Real
2007-09-06 18:03 --------- d-------- C:\Program Files\Google
2007-09-06 18:03 --------- d-------- C:\Program Files\Common Files\xing shared
2007-09-06 18:03 --------- d-------- C:\Program Files\Common Files\Real
2007-09-06 18:03 --------- d-------- C:\Documents and Settings\All Users\Application Data\Google
2007-09-06 17:37 --------- d-------- C:\Program Files\Xilisoft
2007-09-06 17:37 --------- d-------- C:\Program Files\QuickTime
2007-09-06 17:22 --------- d-------- C:\Program Files\Avex
2007-09-06 06:05 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 06:05 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 06:03 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 06:02 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 06:00 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-29 14:02 --------- d-------- C:\Program Files\Alwil Software
2007-08-23 10:24 --------- d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-08-23 08:40 77312 --a------ C:\WINDOWS\ua2.dll
2007-08-23 08:34 --------- d-------- C:\Program Files\qnanojwt
2007-08-23 08:32 111 --a------ C:\WINDOWS\system32\drivers\fee
2007-08-15 18:03 --------- d-------- C:\Documents and Settings\Zach\Application Data\Apple Computer
2007-08-15 18:02 --------- d-------- C:\Program Files\Apple Software Update
2007-08-15 18:01 --------- d-------- C:\Program Files\Common Files\Apple
2007-08-15 18:01 --------- d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-07-15 03:21 196608 --a------ C:\BNCSutil.dll
2006-03-06 05:03 456 --a------ C:\Program Files\INSTALL.LOG
2006-02-04 01:49 251 --a------ C:\Program Files\wt3d.ini
2006-02-03 22:23:15 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{38D55A70-E975-996F-2411-01092EBA6C2B}]
C:\Program Files\Pfpkguqy\ytuluoee.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C2290D4-C3F1-4bb5-91E6-D0B806A8663A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ED12044A-04F8-44BF-A394-8D4D04B2F93D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F369DA09-FADE-44CB-987F-E2E0DEF51BCA}]
2007-09-25 03:23 18944 --a------ C:\WINDOWS\system32\pgd.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-04 19:03]
"nwiz"="nwiz.exe" []
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-11-04 19:03]
"iss7328"="c:\ebmno.exe" []
"ykmyegiy"="C:\Program Files\Qoswziws\ykmyegiy.exe" []
"btmnixix"="C:\Program Files\Gwzlwfym\btmnixix.exe" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 06:06]
"dcadqtgp"="C:\Program Files\Bhmoxunj\dcadqtgp.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-06 18:03]
"itype"="c:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 17:08]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 15:52]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 01:00]
"msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ares"="C:\Program Files\Ares\Ares.exe" [2007-05-07 23:48]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-07 23:04]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Scbu"="C:\WINDOWS\system32\YMANTE~1\spoolsv.exe" -vt yazb

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjcr32]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
ARPWRMSG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"C:\Program Files\Ares\Ares.exe" -h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover]
"C:\Program Files\DISC\DISCover.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscUpdateManager]
"C:\Program Files\DISC\DiscUpdateMgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\HP\HP Software Update\HPwuSchd2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
"c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
"C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet /keeploaded /nodetect

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNPSTD2]
C:\WINDOWS\vsnpstd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpamBlocker]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSP Notifier]
"C:\Program Files\Fisher-Price\FP3 Player\sspnotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Program Files\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ultimate Fixer]
"C:\Program Files\Ultimate Fixer\UltimateFixer.exe" hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IAANTMON"=2 (0x2)
"CCALib8"=2 (0x2)
"iPodService"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"Pml Driver HPZ12"=0 (0x0)
"NVSvc"=2 (0x2)
"NMSAccess"=2 (0x2)
"MDM"=2 (0x2)
"LightScribeService"=2 (0x2)
"ELService"=2 (0x2)
"AresChatServer"=3 (0x3)
"NtmlSvc"=2 (0x2)
"aspimgr"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

R3 CXFALCON;Conexant Falcon II NTSC Video Capture;C:\WINDOWS\system32\drivers\cxfalcon.sys
S3 GENERICDRV;GENERICDRV;\??\C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\pftF9.tmp\amifldrv.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 snpstd2;USB PC Camera (SN9C103);C:\WINDOWS\system32\DRIVERS\snpstd2.sys
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys
S3 WN5301;LIteon Wireless PCI Network Adapter Service;C:\WINDOWS\system32\DRIVERS\wn5301.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-05 15:04:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-09-24 04:00:28 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-08 01:24:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-08 1:26:17 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-08 01:26
.
--- E O F ---

++++++++++++++++++++++++++++++++++++++++++++++++++++++++


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:30:43 AM, on 08/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rogers.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {38D55A70-E975-996F-2411-01092EBA6C2B} - C:\Program Files\Pfpkguqy\ytuluoee.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: H - {5C2290D4-C3F1-4bb5-91E6-D0B806A8663A} - parety.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: 0 - {ED12044A-04F8-44BF-A394-8D4D04B2F93D} - (no file)
O2 - BHO: CBho Class - {F369DA09-FADE-44CB-987F-E2E0DEF51BCA} - C:\WINDOWS\system32\pgd.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iss7328] c:\ebmno.exe
O4 - HKLM\..\Run: [ykmyegiy] C:\Program Files\Qoswziws\ykmyegiy.exe
O4 - HKLM\..\Run: [btmnixix] C:\Program Files\Gwzlwfym\btmnixix.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [dcadqtgp] C:\Program Files\Bhmoxunj\dcadqtgp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [Scbu] "C:\WINDOWS\system32\YMANTE~1\spoolsv.exe" -vt yazb (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Scbu] "C:\WINDOWS\system32\YMANTE~1\spoolsv.exe" -vt yazb (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by115w.bay115.mail.live.com/m...s/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1154570740090
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by123fd.bay123.hotmail.msn.co...x/HMAtchmt.ocx
O20 - Winlogon Notify: winjcr32 - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 9247 bytes
Old 10-08-2007, 08:29 AM   #10 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,557
OS: WinXP and Vista


Re: Possible Trojan - PLS Help!

Hi,

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

*Download SDFix and save it to your Desktop. Double click SDFix.exe and it will extract the files to %systemdrive% -(Drive that contains the Windows Directory, typically C:\SDFix). Do not run it yet.

--------------------------------------------------------------------

1) Restart your computer into Safe Mode.
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

--------------------------------------------------------------------

Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt. I'll need that in your next reply.
--------------------------------------------------------------------

From Normal Mode...

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
File::
C:\WINDOWS\system32\pgd.dll
C:\WINDOWS\system32\drivers\fee

Folder::
C:\Program Files\Tyzhnddw
C:\Program Files\Qoswziws
C:\Program Files\Pfpkguqy
C:\Program Files\Isebbczd
C:\Program Files\Gwzlwfym
C:\Program Files\Bhmoxunj
C:\Program Files\qnanojwt

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{38D55A70-E975-996F-2411-01092EBA6C2B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C2290D4-C3F1-4bb5-91E6-D0B806A8663A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ED12044A-04F8-44BF-A394-8D4D04B2F93D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F369DA09-FADE-44CB-987F-E2E0DEF51BCA}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iss7328"=-
"ykmyegiy"=-
"btmnixix"=-
"dcadqtgp"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Scbu"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjcr32]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ultimate Fixer]
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


--------------------------------------------------------------------

We'll need to run an online scan to search for any remnants that may be lurking about. Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

--------------------------------------------------------------------

Please include the following in your next reply:

C:\SDFix\Report.txt
C:\ComboFix.txt
Kaspersky results
Update on system behavior
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
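The CFScript quoted in the post above is a plain-text format that ComboFix reads: a `File::` and `Folder::` section list paths to remove, and a `Registry::` section uses regedit-style syntax where `[-KEY]` deletes a key, `[KEY]` selects a key and `"name"=-` deletes a value under it. The parser below is an added example (not ComboFix's or the forum's own code) that turns such a script into a structured plan and flags malformed lines before the script is dragged onto the tool; it assumes the `\~\` segment in the BHO keys is a ComboFix shorthand that the tool itself expands, so it only reports it rather than expanding it.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Registry hives a CFScript key may start with (long and short forms).
HIVES = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_USERS",
         "HKEY_CLASSES_ROOT", "HKLM", "HKCU", "HKU", "HKCR"}

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")          # e.g. File::
KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")           # [KEY] or [-KEY]
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')           # "name"=- or "name"="data"
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")            # absolute drive path


@dataclass
class RegAction:
    kind: str          # "delete_key", "delete_value" or "set_value"
    key: str
    name: str = ""
    data: str = ""


@dataclass
class Plan:
    files: List[str] = field(default_factory=list)
    folders: List[str] = field(default_factory=list)
    registry: List[RegAction] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def parse_cfscript(text: str) -> Plan:
    """Turn CFScript text into a Plan; every oddity goes into plan.warnings."""
    plan = Plan()
    section = None
    current_key = None      # key selected by a bare [KEY] line
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            current_key = None
            if section not in ("file", "folder", "registry"):
                plan.warnings.append(f"line {lineno}: unknown section {line!r}")
            continue
        if section in ("file", "folder"):
            if not WIN_PATH_RE.match(line):
                plan.warnings.append(f"line {lineno}: not an absolute path: {line!r}")
            (plan.files if section == "file" else plan.folders).append(line)
            continue
        if section == "registry":
            m = KEY_RE.match(line)
            if m:
                minus, key = m.groups()
                if key.split("\\", 1)[0].upper() not in HIVES:
                    plan.warnings.append(f"line {lineno}: unknown hive in {key!r}")
                if "\\~\\" in key:   # assumed ComboFix shorthand, left for the tool
                    plan.warnings.append(f"line {lineno}: '~' shorthand left unexpanded in {key!r}")
                if minus:
                    plan.registry.append(RegAction("delete_key", key))
                    current_key = None
                else:
                    current_key = key
                continue
            m = VALUE_RE.match(line)
            if m:
                name, data = m.groups()
                if current_key is None:
                    plan.warnings.append(f"line {lineno}: value {name!r} outside any [key]")
                    continue
                kind = "delete_value" if data == "-" else "set_value"
                plan.registry.append(RegAction(kind, current_key, name, data))
                continue
            plan.warnings.append(f"line {lineno}: unrecognised registry line {line!r}")
            continue
        plan.warnings.append(f"line {lineno}: content before any section: {line!r}")
    return plan


def summarize(plan: Plan) -> dict:
    """Counts a helper can eyeball against the script they meant to write."""
    counts = {"files": len(plan.files), "folders": len(plan.folders),
              "delete_key": 0, "delete_value": 0, "set_value": 0,
              "warnings": len(plan.warnings)}
    for action in plan.registry:
        counts[action.kind] += 1
    return counts


# The CFScript from the post above, used here as sample input.
SAMPLE_SCRIPT = r"""
File::
C:\WINDOWS\system32\pgd.dll
C:\WINDOWS\system32\drivers\fee

Folder::
C:\Program Files\Tyzhnddw
C:\Program Files\Qoswziws
C:\Program Files\Pfpkguqy
C:\Program Files\Isebbczd
C:\Program Files\Gwzlwfym
C:\Program Files\Bhmoxunj
C:\Program Files\qnanojwt

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{38D55A70-E975-996F-2411-01092EBA6C2B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C2290D4-C3F1-4bb5-91E6-D0B806A8663A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ED12044A-04F8-44BF-A394-8D4D04B2F93D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F369DA09-FADE-44CB-987F-E2E0DEF51BCA}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iss7328"=-
"ykmyegiy"=-
"btmnixix"=-
"dcadqtgp"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Scbu"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjcr32]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ultimate Fixer]
"""

if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_SCRIPT)
    print(summarize(parsed))
    for w in parsed.warnings:
        print("warning:", w)
```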
Old 10-08-2007, 06:15 PM   #11 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 8
OS: Win Xp SP2


Re: Possible Trojan - PLS Help!

Hey Ried, here it all is.

SDFix: Version 1.107

Run by Zach on 08/10/2007 at 05:37 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Service asc3550v - Deleted after Reboot

Normal Mode:
Checking Files:

Trojan Files Found:

C:\138325~1 - Deleted
C:\WINDOWS\system32\drivers\etc\BackupHosts.bak - Deleted
C:\WINDOWS\system32\drivers\fee - Deleted
C:\WINDOWS\system32\n.ini - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Warcraft III\\war3.exe"="C:\\Program Files\\Warcraft III\\war3.exe:*:Enabled:Warcraft III"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Messenger"
"C:\\Program Files\\Warcraft III\\Listchecker\\pickup.listchecker.exe"="C:\\Program Files\\Warcraft III\\Listchecker\\pickup.listchecker.exe:*:Enabled:pickup.listchecker"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Fri 3 Feb 2006 211 A.SHR --- "C:\BOOT.BAK"
Fri 3 Feb 2006 22 A.SH. --- "C:\WINDOWS\SMINST\HPCD.sys"
Mon 21 Feb 2005 2,535,424 A..H. --- "C:\Program Files\CDBurnerXP\libs\NCTAudioCompress3.dll"
Tue 1 Feb 2005 90,112 A..H. --- "C:\Program Files\CDBurnerXP\libs\NCTAudioFormatSettings3.dll"
Sat 2 Jun 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Thu 23 Aug 2007 0 A.SH. --- "C:\Deckard\System Scanner\backup\WINDOWS\temp\$b17a2e8.tmp"
Mon 8 Oct 2007 5,946 A.SH. --- "C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE1.tmp"
Mon 10 Sep 2007 215,040 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Zach\LOCALS~1\Temp\~24.tmp"
Fri 31 Aug 2007 214,528 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Zach\LOCALS~1\Temp\~3D.tmp"
Fri 14 Sep 2007 215,040 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Zach\LOCALS~1\Temp\~F6.tmp"

Finished!


File::
C:\WINDOWS\system32\pgd.dll
C:\WINDOWS\system32\drivers\fee

Folder::
C:\Program Files\Tyzhnddw
C:\Program Files\Qoswziws
C:\Program Files\Pfpkguqy
C:\Program Files\Isebbczd
C:\Program Files\Gwzlwfym
C:\Program Files\Bhmoxunj
C:\Program Files\qnanojwt

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{38D55A70-E975-996F-2411-01092EBA6C2B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C2290D4-C3F1-4bb5-91E6-D0B806A8663A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ED12044A-04F8-44BF-A394-8D4D04B2F93D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F369DA09-FADE-44CB-987F-E2E0DEF51BCA}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iss7328"=-
"ykmyegiy"=-
"btmnixix"=-
"dcadqtgp"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Scbu"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjcr32]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ultimate Fixer]




-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, October 08, 2007 8:13:21 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/10/2007
Kaspersky Anti-Virus database records: 429449
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 107432
Number of viruses found: 9
Number of infected objects: 50
Number of suspicious objects: 0
Duration of the scan process: 01:39:01

Infected Object Name / Virus Name / Last Action
C:\BackUpMSNCleaner\svchost.exe.vir Infected: Trojan-Downloader.Win32.Agent.cbn skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\dscrp\Sample_Picture01.jpg.41b2cd64.mpd Object is locked skipped
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\dscrp\Sample_Picture02.jpg.41b2cd64.mpd Object is locked skipped
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\dscrp\Sample_Picture03.jpg.41b2cd64.mpd Object is locked skipped
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\dscrp\Sample_Picture04.jpg.41b2cd62.mpd Object is locked skipped
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\dscrp\Sample_Picture05.jpg.41b2cd64.mpd Object is locked skipped
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\dscrp\Sample_Picture06.jpg.41b2cd64.mpd Object is locked skipped
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\dscrp\Sample_Picture07.jpg.41b2cd64.mpd Object is locked skipped
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\dscrp\Sample_Picture08.jpg.41b2cd64.mpd Object is locked skipped
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\dscrp\Sample_Picture09.jpg.41b2cd64.mpd Object is locked skipped
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\dscrp\Sample_Picture10.jpg.41b2cd64.mpd Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\064B1B8C.exe Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\136E0916.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1C8D4D0D.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1CAB46ED.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1CCB6AC9.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1CE964A8.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1D065E88.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1D270264.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1D447C44.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1D617623.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1D7F7003.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1D9C69E3.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1DBA63C2.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1DD75DA2.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1DF45782.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1E125161.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1E32753D.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1E506F1D.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1E6D68FD.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1E8B62DC.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1EA85CBC.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1EC5569C.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1EE3507B.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1F004A5B.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1F1E443B.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1F3B3E1A.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1F5C61F6.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1F7C05D3.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1F9A7FB2.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1FB77992.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1FD47371.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1FF26D51.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2012112D.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\20300B0D.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\204D04ED.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\206B7ECC.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\208878AC.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\20A5728B.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\20C36C6B.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\20E0664B.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\20FE602A.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\211E0407.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\213C7DE6.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\215977C6.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\217671A5.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\21946B85.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\21B16565.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\21CF5F44.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\21EC5924.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\22095304.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\22274CE3.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\224446C3.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\226240A3.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2282647F.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\22A05E5E.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\22BD583E.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\22DA521E.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\22F84BFD.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\231545DD.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\233669B9.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\23536399.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\23715D78.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\238E5758.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\23AB5138.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\23C94B17.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\23E96EF4.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\240768D3.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\24270CAF.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2445068F.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2462006F.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\24807A4E.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\249D742E.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\24BE180A.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\24DB11EA.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\24F80BC9.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\25192FA5.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\25362985.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\25542365.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\25711D44.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\258F1724.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\25AC1104.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\25C90AE3.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\25E704C3.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\26047EA3.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\26227882.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\26421C5E.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2660163E.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\26803A1A.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\269E33FA.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\26BB2DD9.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\26DC51B5.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\26F94B95.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\271D196E.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\273A134D.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\275B3729.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\277C5B05.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\279954E5.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\27B74EC5.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\27D448A4.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\27F14284.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\280F3C64.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\282C3643.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4B79007E.tmp Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_1383251974_1900544_12101 Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE1.tmp Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{041ACD1F-F231-4A16-90E1-806C748DFB33}.TmpSBE Object is locked skipped
C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Zach\Application Data\Microsoft\MSNLiveFav\LiveFavorites.xml Object is locked skipped
C:\Documents and Settings\Zach\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Zach\Local Settings\Application Data\Ares\My Shared Folder\___ARESTRA___04-bloody well right-supertramp.mp3 Object is locked skipped
C:\Documents and Settings\Zach\Local Settings\Application Data\Ares\My Shared Folder\___ARESTRA___106-bloody_well_right-dgn.mp3 Object is locked skipped
C:\Documents and Settings\Zach\Local Settings\Application Data\Ares\My Shared Folder\___ARESTRA___dave chappelle - block party [ptii](3).avi Object is locked skipped
C:\Documents and Settings\Zach\Local Settings\Application Data\Ares\My Shared Folder\___ARESTRA___dave chappelle's block party(5)(2).mpg Object is locked skipped
C:\Documents and Settings\Zach\Local Settings\Application Data\Ares\My Shared Folder\___ARESTRA___david guetta - love is gone (new single 2007) (radio fg)(2).mp3 Object is locked skipped
C:\Documents and Settings\Zach\Local Settings\Application Data\Ares\My Shared Folder\___ARESTRA___like_this_(remix).mp3 Object is locked skipped
C:\Documents and Settings\Zach\Local Settings\Application Data\Ares\My Shared Folder\___ARESTRA___soldier boy- crank that soldier boy(2)(2).mp3 Object is locked skipped
C:\Documents and Settings\Zach\Local Settings\Application Data\Ares\My Shared Folder\___ARESTRA___soldier boy- crank that soldier boy(2).mp3 Object is locked skipped
C:\Documents and Settings\Zach\Local Settings\Application Data\Ares\My Shared Folder\___ARESTRA___supertramp - bloody well right(2).mp3 Object is locked skipped
C:\Documents and Settings\Zach\Local Settings\Application Data\Ares\My Shared Folder\___ARESTRA___supertramp - bloody well right.mp3 Object is locked skipped
C:\Documents and Settings\Zach\Local Settings\Application Data\Ares\My Shared Folder\___ARESTRA___supertramp - supertramp - bloody well right.mp3 Object is locked skipped
C:\Documents and Settings\Zach\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Zach\Local Settings\Application Data\Microsoft\Messenger\zachary__@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Zach\Local Settings\Application Data\Microsoft\Messenger\zachary__@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Zach\Local Settings\Application Data\Microsoft\Messenger\zachary__@hotmail.com\SharingMetadata\Working\database_CEB_38CE_5272_C006\dfsr.db Object is locked skipped
C:\Documents and Settings\Zach\Local Settings\Application Data\Microsoft\Messenger\zachary__@hotmail.com\SharingMetadata\Working\database_CEB_38CE_5272_C006\fsr.log Object is locked skipped
C:\Documents and Settings\Zach\Local Settings\Application Data\Microsoft\Messenger\zachary__@hotmail.com\SharingMetadata\Working\database_CEB_38CE_5272_C006\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Zach\Local Settings\Application Data\Microsoft\Messenger\zachary__@hotmail.com\SharingMetadata\Working\database_CEB_38CE_5272_C006\tmp.edb Object is locked skipped
C:\Documents and Settings\Zach\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Zach\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Zach\Local Settings\Application Data\Microsoft\Windows Live Contacts\zachary__@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Zach\Local Settings\Application Data\Microsoft\Windows Live Contacts\zachary__@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Zach\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Zach\Local Settings\History\History.IE5\MSHist012007100820071009\index.dat Object is locked skipped
C:\Documents and Settings\Zach\Local Settings\Temp\~DF8977.tmp Object is locked skipped
C:\Documents and Settings\Zach\Local Settings\Temp\~DF8984.tmp Object is locked skipped
C:\Documents and Settings\Zach\Local Settings\Temp\~DF95CF.tmp Object is locked skipped
C:\Documents and Settings\Zach\Local Settings\Temp\~DF95DB.tmp Object is locked skipped
C:\Documents and Settings\Zach\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Zach\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Zach\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Zach\ntuser.dat.LOG Object is locked skipped
C:\hp\bin\KillWind.exe Infected: not-a-virus:RiskTool.Win32.PsKill.p skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\HP\Digital Imaging\bin\hpqmif08.dll Object is locked skipped
C:\qoobox\Quarantine\C\Program Files\qnanojwt\uvihgbsp.dll.vir Infected: Trojan.Win32.Agent.ayn skipped
C:\qoobox\Quarantine\C\Program Files\SecCenter\scprot4.exe.bak.vir Infected: Trojan.Win32.Agent.ayp skipped
C:\qoobox\Quarantine\C\Program Files\SecCenter\scprot4.exe.vir Infected: Trojan.Win32.Agent.ayp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\runtime2.sys.vir Infected: Rootkit.Win32.Agent.ey skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\pgd.dll.vir Infected: Trojan.Win32.BHO.gv skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00000004.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00000005.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00000006.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00000007.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00000008.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00000009.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00000010.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00000011.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00000012.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00000104.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00000105.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00000106.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00000107.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00000108.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00000109.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00000110.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00000111.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00000112.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00000113.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00000206.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00000207.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00100006.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00100007.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00100008.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00100009.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00100010.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00100106.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00100107.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00100108.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00100109.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00100110.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00100111.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00100112.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00100113.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00100114.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00100115.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00100206.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00100207.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00100208.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00200006.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00200007.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00200008.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00200107.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00200207.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00300007.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00300207.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00300208.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00300506.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00300507.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00300508.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00300509.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00300510.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00300606.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00300607.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00400007.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00400206.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00400207.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00400208.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00500007.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00600006.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00600007.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00600106.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00600107.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\00600207.map Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\Aimbot NG Lite\Aimbot NG Lite.exe Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\Aimbot NG Lite\hook.dll Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\Aimbot NG Lite\Read Me.txt Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\error.txt Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\Ic.Inf Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\IP LIST\fg Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\IP LIST\Gameworld RPG Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\Patch.exe Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\Tibia.cfg Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\Tibia.dat Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\Tibia.exe Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\Tibia.pic Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\Tibia.spr Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\Tibia.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\unins000.dat Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc19\unins000.exe Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Community\Photos.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Entertainment\Astrology.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Entertainment\Entertainment.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Entertainment\Games.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Entertainment\Movies.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Entertainment\Music.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Entertainment\TV Coverage.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Home & Living\Autos.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Home & Living\Careers.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Home & Living\Coupons.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Home & Living\Family Accounts.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Home & Living\Get Local.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Home & Living\Health.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Home & Living\Personals.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Home & Living\Pets.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Home & Living\Real Estate.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Home & Living\Yahooligans!.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Information Management\Address Book.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Information Management\Bookmarks.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Information Management\Briefcase.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Information Management\Calendar.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Information Management\Family Accounts.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Information Management\My Yahoo!.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Information Management\Notepad.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Information Management\Postal Center.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Information Management\Toolbar.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\News\Alerts.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\News\Buzz Index.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\News\Lottery Results.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\News\News Front Page.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\News\News Full Coverage.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\News\Weather.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Personal Finance\Bill Pay.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Personal Finance\Finance.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Personal Publishing\Domains.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Personal Publishing\GeoCities.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Personal Publishing\Photos.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Personal Publishing\Picture Gallery.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Shopping\Auctions.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Shopping\Autos.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Shopping\Classifieds.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Shopping\Coupons.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Shopping\Points.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Shopping\Real Estate.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Shopping\Shopping.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Shopping\Wallet.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Shopping\Yellow Pages.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Sports & Outdoors\Fantasy Sports.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Sports & Outdoors\Ski & Snow.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Sports & Outdoors\Sports.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Tools for Business\Marketing Tools.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Tools for Business\Small Business.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Tools for Business\Sponsor Listings.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Tools for Business\Web Hosting.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Tools for Business\Yahoo! Express.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Travel & Transportation\Lodging.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Travel & Transportation\Maps & Driving Directions.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Travel & Transportation\Restaurants.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc20\Travel & Transportation\Travel.url Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc5\dazed and comfused.dvd Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc6\JACKET_P\J00___5L.MP2 Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc6\JACKET_P\J00___5M.MP2 Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc6\JACKET_P\J00___5S.MP2 Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc6\Sources\Menus\SPU_EApgc_NGsf.spu Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc6\Sources\Menus\SPU_HApgc_RGsf.spu Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc6\Sources\Menus\Video_EApgc_NGsf.mpg Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc6\Sources\Menus\Video_HApgc_RGsf.mpg Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc6\Sources\thumb2_73216908.bmp Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc6\Sources\thumb3_73217007.bmp Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc6\Sources\thumb4_73217168.bmp Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc6\Sources\thumb5_73217352.bmp Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc6\Sources\thumb6_73217494.bmp Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc6\Sources\thumb7_73217628.bmp Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc6\Sources\thumb8_73217750.bmp Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc6\Sources\Video\J00___5L.M2V Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc6\Sources\Video\J00___5M.M2V Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc6\Sources\Video\J00___5S.M2V Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc6\Sources\Videomp24x3NTSC720x480.mpg Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc6\Untitled.dvd Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc7\Harry P.dvd Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc7\JACKET_P\J00___5L.MP2 Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc7\JACKET_P\J00___5M.MP2 Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc7\JACKET_P\J00___5S.MP2 Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc7\Sources\Menus\SPU_IApgc_DHsf.spu Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc7\Sources\Menus\SPU_NApgc_JHsf.spu Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc7\Sources\Menus\Video_IApgc_DHsf.mpg Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc7\Sources\Menus\Video_NApgc_JHsf.mpg Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc7\Sources\Video\J00___5L.M2V Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc7\Sources\Video\J00___5M.M2V Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc7\Sources\Video\J00___5S.M2V Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc7\Sources\Videomp24x3NTSC720x480.mpg Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc8\burn.dvd Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc8\JACKET_P\J00___5L.MP2 Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc8\JACKET_P\J00___5M.MP2 Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc8\JACKET_P\J00___5S.MP2 Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc8\Sources\Menus\SPU_EApgc_LGsf.spu Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc8\Sources\Menus\Video_EApgc_LGsf.mpg Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc8\Sources\Video\J00___5L.M2V Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc8\Sources\Video\J00___5M.M2V Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc8\Sources\Video\J00___5S.M2V Object is locked skipped
C:\RECYCLER\S-1-5-21-792437745-2077084420-1174288204-1008\Dc8\Sources\Videomp24x3NTSC720x480.mpg Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP434\A0207854.exe Infected: Trojan.Win32.Patched.aa skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP434\A0207856.exe Infected: Trojan.Win32.Patched.aa skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP434\A0207857.exe Infected: Trojan.Win32.Patched.aa skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP434\A0207858.exe Infected: Trojan.Win32.Patched.aa skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP434\A0207859.exe Infected: Trojan.Win32.Patched.aa skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP434\A0207862.exe Infected: Trojan.Win32.Patched.aa skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP436\A0211825.exe Infected: Trojan-Downloader.Win32.Agent.cbn skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP437\A0214825.exe Infected: Email-Worm.Win32.Nulprot.b skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP437\A0216825.exe Infected: Trojan-Downloader.Win32.Agent.cbn skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP437\A0216826.exe Infected: Trojan.Win32.Agent.app skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP468\A0228603.exe Infected: Trojan-Downloader.Win32.Agent.cbn skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP469\A0228676.exe Infected: Trojan-Downloader.Win32.Agent.cbn skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP469\A0229532.exe Infected: Trojan.Win32.Agent.app skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP469\A0229537.exe Infected: Trojan-Downloader.Win32.Agent.cbn skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP470\A0229552.exe Infected: Trojan.Win32.Agent.app skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP470\A0229612.exe Infected: Trojan-Downloader.Win32.Agent.cbn skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP471\A0229616.exe Infected: Trojan-Downloader.Win32.Agent.cbn skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP471\A0229617.exe Infected: Trojan.Win32.Agent.app skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP472\A0229635.exe Infected: Trojan.Win32.Agent.app skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP472\A0229666.exe Infected: Trojan-Downloader.Win32.Agent.cbn skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP473\A0229686.exe Infected: Trojan.Win32.Agent.app skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP473\A0229687.exe Infected: Trojan-Downloader.Win32.Agent.cbn skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP474\A0229795.exe Infected: Trojan-Downloader.Win32.Agent.cbn skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP474\A0229796.exe Infected: Trojan.Win32.Agent.app skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP475\A0229806.exe Infected: Trojan-Downloader.Win32.Agent.cbn skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP475\A0229807.exe Infected: Trojan.Win32.Agent.app skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP476\A0229821.exe Infected: Trojan.Win32.Agent.app skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP476\A0230682.exe Infected: Trojan-Downloader.Win32.Agent.cbn skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP476\A0230689.exe Infected: Trojan.Win32.Agent.app skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP477\A0230701.exe Infected: Trojan.Win32.Agent.app skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP477\A0230702.exe Infected: Trojan-Downloader.Win32.Agent.cbn skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP478\A0230711.exe Infected: Trojan-Downloader.Win32.Agent.cbn skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP478\A0230712.exe Infected: Trojan.Win32.Agent.app skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP480\A0230734.exe Infected: Trojan.Win32.Agent.app skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP480\A0230741.exe Infected: Trojan-Downloader.Win32.Agent.cbn skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP481\A0230751.exe Infected: Trojan-Downloader.Win32.Agent.cbn skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP481\A0230752.exe Infected: Trojan.Win32.Agent.app skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP481\A0230758.exe Infected: Trojan-Downloader.Win32.Agent.cbn skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP482\A0230771.exe Infected: Trojan.Win32.Agent.ayp skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP482\A0230789.sys Infected: Rootkit.Win32.Agent.ey skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP483\A0230875.dll Infected: Trojan.Win32.Agent.ayn skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP483\A0230877.dll Infected: Trojan.Win32.BHO.gv skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP483\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{F9A4931B-1923-4CF9-8B09-D458266D2465}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\IntelDH.evt Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\hpzjrd01.dll Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\csrss.exe Infected: Trojan.Win32.Agent.app skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_604.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP483\change.log Object is locked skipped

Scan process completed.




As for system behaviour: I don't get the usual pop-ups I was getting when I browse on Internet Explorer, and I haven't received any noticeable extensive lag while playing games. Thanks again for all the help, get back to me when you can. Zach
Nothintolose is offline  
Old 10-08-2007, 10:49 PM   #12 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,557
OS: WinXP and Vista


Re: Possible Trojan - PLS Help!

Hi Zach,

Did you create the CFScript.txt and drag it into ComboFix.exe as instructed in my last post? It would have produced a log at C:\ComboFix.txt--please post that here.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 10-08-2007, 11:13 PM   #13 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 8
OS: Win Xp SP2


Re: Possible Trojan - PLS Help!

This it? Sorry.

ComboFix 07-10-08.3 - Zach 2007-10-08 17:52:07.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1521 [GMT -4:00]
Running from: C:\Documents and Settings\Zach\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Zach\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\drivers\fee
C:\WINDOWS\system32\pgd.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Bhmoxunj
C:\Program Files\Gwzlwfym
C:\Program Files\Isebbczd
C:\Program Files\Pfpkguqy
C:\Program Files\qnanojwt
C:\Program Files\qnanojwt\uvihgbsp.dll
C:\Program Files\Qoswziws
C:\Program Files\Tyzhnddw
C:\WINDOWS\system32\n.ini
C:\WINDOWS\system32\pgd.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-08 to 2007-10-08 )))))))))))))))))))))))))))))))
.

2007-10-08 17:36 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-08 01:30 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-08 01:19 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-08 01:09 <DIR> d-------- C:\BackUpMSNCleaner
2007-10-06 18:43 <DIR> d-------- C:\Deckard
2007-09-30 06:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-16 01:26 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint
2007-09-16 01:22 <DIR> d-------- C:\Program Files\Microsoft IntelliType Pro
2007-09-16 00:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-08 11:42 --------- d-------- C:\Program Files\Warcraft III
2007-10-06 16:14 --------- d-------- C:\Program Files\Rogers
2007-10-03 23:08 --------- d-------- C:\Program Files\World of Warcraft
2007-09-30 23:47 --------- d-------- C:\Program Files\Steam
2007-09-23 21:56 --------- d-------- C:\Program Files\BitLord
2007-09-12 22:02 --------- d-------- C:\Program Files\MSN Messenger
2007-09-08 22:22 --------- d-------- C:\Program Files\WC3Banlist
2007-09-07 23:57 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-07 23:57 --------- d-------- C:\Program Files\Creative
2007-09-07 23:20 --------- d-------- C:\Documents and Settings\Zach\Application Data\Creative
2007-09-07 22:58 --------- d--h----- C:\Program Files\Creative Installation Information
2007-09-07 22:58 --------- d-------- C:\Program Files\Common Files\Creative
2007-09-06 19:19 --------- d-------- C:\Documents and Settings\Zach\Application Data\Google
2007-09-06 18:09 --------- d-------- C:\Documents and Settings\Zach\Application Data\Real
2007-09-06 18:03 --------- d-------- C:\Program Files\Google
2007-09-06 18:03 --------- d-------- C:\Program Files\Common Files\xing shared
2007-09-06 18:03 --------- d-------- C:\Program Files\Common Files\Real
2007-09-06 18:03 --------- d-------- C:\Documents and Settings\All Users\Application Data\Google
2007-09-06 17:37 --------- d-------- C:\Program Files\Xilisoft
2007-09-06 17:37 --------- d-------- C:\Program Files\QuickTime
2007-09-06 17:22 --------- d-------- C:\Program Files\Avex
2007-09-06 06:05 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 06:05 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 06:03 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 06:02 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 06:00 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-29 14:02 --------- d-------- C:\Program Files\Alwil Software
2007-08-23 10:24 --------- d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-08-23 08:40 77312 --a------ C:\WINDOWS\ua2.dll
2007-08-15 18:03 --------- d-------- C:\Documents and Settings\Zach\Application Data\Apple Computer
2007-08-15 18:02 --------- d-------- C:\Program Files\Apple Software Update
2007-08-15 18:01 --------- d-------- C:\Program Files\Common Files\Apple
2007-08-15 18:01 --------- d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-07-15 03:21 196608 --a------ C:\BNCSutil.dll
2006-03-06 05:03 456 --a------ C:\Program Files\INSTALL.LOG
2006-02-04 01:49 251 --a------ C:\Program Files\wt3d.ini
2006-02-03 22:23:15 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( snapshot@2007-10-08_ 1.25.52.99 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 163,328 2007-09-28 02:03:23 C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
----a-w 4,038,656 2007-10-08 21:36:17 C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
----a-w 143,360 2007-10-08 21:36:18 C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
----a-w 163,328 2007-09-28 02:03:23 C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
----a-w 4,038,656 2007-10-08 21:36:16 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
----a-w 143,360 2007-10-08 21:36:16 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
----atw 16,384 2007-10-08 21:54:44 C:\WINDOWS\Temp\Perflib_Perfdata_604.dat
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-04 19:03]
"nwiz"="nwiz.exe" []
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-11-04 19:03]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 06:06]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-06 18:03]
"itype"="c:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 17:08]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 15:52]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 01:00]
"msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ares"="C:\Program Files\Ares\Ares.exe" [2007-05-07 23:48]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-07 23:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
ARPWRMSG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"C:\Program Files\Ares\Ares.exe" -h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover]
"C:\Program Files\DISC\DISCover.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscUpdateManager]
"C:\Program Files\DISC\DiscUpdateMgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\HP\HP Software Update\HPwuSchd2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
"c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
"C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet /keeploaded /nodetect

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNPSTD2]
C:\WINDOWS\vsnpstd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpamBlocker]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSP Notifier]
"C:\Program Files\Fisher-Price\FP3 Player\sspnotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Program Files\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IAANTMON"=2 (0x2)
"CCALib8"=2 (0x2)
"iPodService"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"Pml Driver HPZ12"=0 (0x0)
"NVSvc"=2 (0x2)
"NMSAccess"=2 (0x2)
"MDM"=2 (0x2)
"LightScribeService"=2 (0x2)
"ELService"=2 (0x2)
"AresChatServer"=3 (0x3)
"NtmlSvc"=2 (0x2)
"aspimgr"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

R3 CXFALCON;Conexant Falcon II NTSC Video Capture;C:\WINDOWS\system32\drivers\cxfalcon.sys
S3 GENERICDRV;GENERICDRV;\??\C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\pftF9.tmp\amifldrv.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 snpstd2;USB PC Camera (SN9C103);C:\WINDOWS\system32\DRIVERS\snpstd2.sys
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys
S3 WN5301;LIteon Wireless PCI Network Adapter Service;C:\WINDOWS\system32\DRIVERS\wn5301.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-05 15:04:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-09-24 04:00:28 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-08 17:56:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\tcpip_patcher]
"ImagePath"="\??\C:\Program Files\Ares\tcpip_patcher.sys"
.
Completion time: 2007-10-08 17:58:08 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-08 17:58
C:\ComboFix2.txt ... 2007-10-08 01:26
.
--- E O F ---
Old 10-09-2007, 11:15 AM   #14 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Ried
Join Date: Jan 2005
Location: Ohio
Posts: 26,557
OS: WinXP and Vista


Re: Possible Trojan - PLS Help!

Yes, that's the one.

Using 'My Computer', navigate to and delete the following File

C:\WINDOWS\system32\wbem\csrss.exe

----------------------------------------------------------------

Your logs are coming back clean. If there aren't any more problems, the following procedure will clear out the tools we've used as well as the backups and quarantines created by the fixes. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.


Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
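The file Ried singles out above is a copy of csrss.exe sitting in system32\wbem instead of system32 itself. The following triage check, an added example that is not code from this thread or from ComboFix, scans ComboFix-style log lines for binaries that borrow a core Windows process name but live outside that process's real directory, and for kernel drivers registered from a Temp folder. The expected-directory table and the sample lines are constructed assumptions for this example.

```python
import re
from pathlib import PureWindowsPath

# Core Windows processes and the one directory each legitimately runs from on
# Windows XP (an assumption of this example; adjust for other versions).
EXPECTED_DIR = {
    "csrss.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# A drive-letter path embedded in a log line, cut at the first .exe/.dll/.sys.
PATH_RE = re.compile(r'[a-z]:\\[^"\[\]]+?\.(?:exe|dll|sys)', re.IGNORECASE)

def paths_in(line):
    """Every binary path mentioned on one log line, lower-cased for comparison."""
    return [PureWindowsPath(m.lower()) for m in PATH_RE.findall(line)]

def masquerading_binaries(lines):
    """Paths whose file name is a core process name but whose directory is not
    the expected one, e.g. system32\\wbem\\csrss.exe beside the real csrss.exe."""
    hits = []
    for line in lines:
        for p in paths_in(line):
            expected = EXPECTED_DIR.get(p.name)
            if expected is not None and str(p.parent) != expected:
                hits.append(str(p))
    return hits

def drivers_from_temp(lines):
    """Kernel drivers (.sys) registered from a Temp directory; worth a second
    look even when benign, since installers sometimes stage drivers there."""
    return [str(p) for line in lines for p in paths_in(line)
            if p.suffix == ".sys" and "temp" in p.parts]

# Constructed sample lines in the format of the ComboFix log above (not real).
SAMPLE_LINES = [
    r'"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 01:00]',
    r"2007-10-01 12:00 6144 --a------ C:\WINDOWS\system32\csrss.exe",
    r"2007-10-01 12:00 6144 --a------ C:\WINDOWS\system32\wbem\csrss.exe",
    r"S3 GENERICDRV;GENERICDRV;\??\C:\DOCUME~1\USER~1\LOCALS~1\Temp\pft1.tmp\flashdrv.sys",
    r"RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
]

if __name__ == "__main__":
    print("name masquerade:", masquerading_binaries(SAMPLE_LINES))
    print("drivers from Temp:", drivers_from_temp(SAMPLE_LINES))
```

A hit from either function is a lead to verify (publisher signature, file size, creation date), not a verdict; the Temp-directory check in particular will also catch legitimate BIOS or device-flash utilities.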
Copyright 2001 - 2009, Tech Support Forum