Tech Support Forum: Resolved HJT Threads (resolved spyware and popup issues)
#1 (permalink)

Registered User
Join Date: Jan 2008
Posts: 18
OS: win xp sp2

HijackThis Log - completed 5 steps
Hello and thank you for any help you may be able to give. I've gone through the five required steps before posting my logs for help.
I've run Spybot, Adaware and SuperAntiSpyware and can't seem to clear up whatever the issue is. Following are the required log files (as well as the "extra" text file attached):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:06:02 PM, on 1/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\vtsphlxp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli .exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro .exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
C:\Program Files\Windows Media Player\WMPNSCFG .exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli .exe
C:\Program Files\ATI Technologies\ATI.ACE\cli .exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
F3 - REG:win.ini: load=C:\WINDOWS\system32\vturo.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [1c2fb1de] rundll32.exe "C:\WINDOWS\system32\buekatpl.dll",b
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab55579.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {339234B4-4E14-4280-B8B4-8BAE5AF99063} (Chess Object) - http://zone.msn.com/bingame/zpagames...p.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-48.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.co...veX/winrep.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/re...s/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab55579.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1124628481531
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.geni.com/ImageUploader4.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://brandeewynne.spaces.live.com/...d/MsnPUpld.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames...z.cab55579.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by141fd.bay141.hotmail.msn.co...x/HMAtchmt.ocx
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\vtsphlxp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 9205 bytes

Incident                        Status            Location
Spyware:Spyware/Virtumonde      Not disinfected   C:\WINDOWS\system32\buekatpl.dll
Spyware:Spyware/Virtumonde      Not disinfected   C:\WINDOWS\system32\vtsphlxp.exe
Spyware:Cookie/Advertising      Not disinfected   C:\Documents and Settings\Brandee\Cookies\brandee@advertising[1].txt
Spyware:Cookie/Atlas DMT        Not disinfected   C:\Documents and Settings\Brandee\Cookies\brandee@atdmt[2].txt
Spyware:Cookie/Doubleclick      Not disinfected   C:\Documents and Settings\Brandee\Cookies\brandee@doubleclick[1].txt
Spyware:Cookie/Mediaplex        Not disinfected   C:\Documents and Settings\Brandee\Cookies\brandee@mediaplex[1].txt
Spyware:Cookie/Tribalfusion     Not disinfected   C:\Documents and Settings\Brandee\Cookies\brandee@tribalfusion[2].txt
Virus:W32/P2PSimple.C.worm      Disinfected       C:\Documents and Settings\Brandee\Desktop\Programs\setup.exe
Virus:W32/P2PSimple.C.worm      Disinfected       C:\Documents and Settings\Brandee\Local Settings\Temp\TMPD8.tmp
Virus:Trj/Downloader.MDW        Disinfected       C:\WINDOWS\Downloaded Program Files\popcaploader.dll
Virus:W32/P2PSimple.C.worm      Disinfected       C:\WINDOWS\Fonts\a.zip[Setup.exe]
Virus:W32/P2PSimple.C.worm      Disinfected       C:\WINDOWS\Fonts\Setup.exe
Virus:W32/P2PSimple.C.worm      Disinfected       C:\WINDOWS\Fonts\svchost .exe
Hacktool:Hacktool/Passview.T    Not disinfected   C:\winlogon.exe

Deckard's System Scanner v20071014.68
Run by Brandee on 2008-01-09 14:27:56
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
163: 2008-01-09 19:28:10 UTC - RP563 - Deckard's System Scanner Restore Point
162: 2008-01-09 19:11:12 UTC - RP562 - Software Distribution Service 3.0
161: 2008-01-03 18:17:15 UTC - RP561 - Last known good configuration
160: 2008-01-03 18:17:10 UTC - RP560 - Restore Operation
159: 2008-01-03 18:17:09 UTC - RP559 - Last known good configuration

-- First Restore Point --
1: 2008-01-03 18:16:44 UTC - RP401 - Windows Defender Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Brandee.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:33:41 PM, on 1/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\vtsphlxp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro .exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
C:\Program Files\Windows Media Player\WMPNSCFG .exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli .exe
C:\Program Files\ATI Technologies\ATI.ACE\cli .exe
C:\Documents and Settings\Brandee\Local Settings\Temporary Internet Files\Content.IE5\RE3GWM9Z\dss[1].exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Brandee.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
F3 - REG:win.ini: load=C:\WINDOWS\system32\vturo.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {57D9BFE8-ABD8-4C93-AA6D-A5D987BFE8DA} - C:\WINDOWS\system32\vturo.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {d7b97e11-e80d-3269-7554-07e79aecd398} - {893dcea9-7e70-4557-9623-d08e11e79b7d} - C:\WINDOWS\system32\kfhncrmw.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {90F825DF-46E7-497A-A2A3-129741C57B72} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {CC738E39-6CA3-4AC5-804F-3E3BEAAD6320} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [1c2fb1de] rundll32.exe "C:\WINDOWS\system32\amlhvqvf.dll",b
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab55579.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {339234B4-4E14-4280-B8B4-8BAE5AF99063} (Chess Object) - http://zone.msn.com/bingame/zpagames...p.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-48.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.co...veX/winrep.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/re...s/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab55579.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1124628481531
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.geni.com/ImageUploader4.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://brandeewynne.spaces.live.com/...d/MsnPUpld.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames...z.cab55579.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by141fd.bay141.hotmail.msn.co...x/HMAtchmt.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\vtsphlxp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 10598 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080108-130018-982 F3 - REG:win.ini: load=C:\WINDOWS\system32\vturo.exe
backup-20080108-130313-326 O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\WINDOWS\system32\shdocvw.dll
backup-20080108-130313-931 O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.6\webbuying.exe
backup-20080108-130313-964 F3 - REG:win.ini: load=C:\WINDOWS\system32\vturo.exe
backup-20080108-130314-532 O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\WINDOWS\system32\shdocvw.dll
backup-20080108-130314-663 O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
backup-20080108-130314-803 O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
backup-20080108-130314-877 O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\WINDOWS\system32\shdocvw.dll
backup-20080108-130314-985 O16 - DPF: {47A0FEE1-62CF-4ED7-9880-157EA709A651} (YouBet Product Viewer) - http://racing.youbet.com/wr_5_0/controls/ybpv.cab
backup-20080108-130315-489 O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet.com/wr_5_2/controls/ybrequest.cab
backup-20080108-130315-991 O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
backup-20080108-130316-119 O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://racing.youbet.com/wr_5_0/controls/YBUICtrl.cab

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S1 Cdralw2k - c:\windows\system32\drivers\cdralw2k.sys <Not Verified; Roxio; Roxio's CDRAL>
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 SABProcEnum - c:\program files\internet explorer\sabprocenum.sys (file missing)
S3 SDTHOOK - c:\windows\system32\drivers\sdthook.sys <Not Verified; Panda Software; Panda® Antivirus>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 DomainService - c:\windows\system32\vtsphlxp.exe /service <Not Verified; ; DDC>

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E968-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) 82845G/GL/GE/PE/GV Graphics Controller
Device ID: PCI\VEN_8086&DEV_2562&SUBSYS_01601028&REV_01\3&172E68DD&0&10
Manufacturer: Intel Corporation
Name: Intel(R) 82845G/GL/GE/PE/GV Graphics Controller
PNP Device ID: PCI\VEN_8086&DEV_2562&SUBSYS_01601028&REV_01\3&172E68DD&0&10
Service: ialm

Class GUID: {4D36E96D-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) 537EP V9x DF PCI Modem
Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&3B1CAF2B&0&28F0
Manufacturer: Intel Corporation
Name: Intel(R) 537EP V9x DF PCI Modem
PNP Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&3B1CAF2B&0&28F0
Service: Modem

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Broadcom 440x 10/100 Integrated Controller
Device ID: PCI\VEN_14E4&DEV_4401&SUBSYS_81271028&REV_01\4&3B1CAF2B&0&48F0
Manufacturer: Broadcom
Name: Broadcom 440x 10/100 Integrated Controller
PNP Device ID: PCI\VEN_14E4&DEV_4401&SUBSYS_81271028&REV_01\4&3B1CAF2B&0&48F0
Service: bcm4sbxp

-- Scheduled Tasks -------------------------------------------------------------

2007-04-19 21:00:24 442 --a------ C:\WINDOWS\Tasks\RegCure Program Check.job
2006-12-05 10:31:28 376 --a------ C:\WINDOWS\Tasks\RegCure.job

-- Files created between 2007-12-09 and 2008-01-09 -----------------------------

2008-01-09 14:22:00 338944 --a------ C:\WINDOWS\system32\vturo.exe
2008-01-09 14:06:57 0 d-------- C:\ie-spyad_zo
2008-01-09 14:03:25 90176 --a------ C:\WINDOWS\system32\amlhvqvf.dll
2008-01-09 14:00:25 79936 --a------ C:\WINDOWS\system32\kfhncrmw.dll
2008-01-09 13:57:25 74304 --a------ C:\WINDOWS\system32\uvtqplit.exe <Not Verified; ; DDC>
2008-01-08 16:54:18 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2008-01-08 16:54:17 0 d-------- C:\Program Files\SpywareBlaster
2008-01-08 14:04:12 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-01-08 13:26:37 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-01-08 12:18:01 335360 -----n--- C:\WINDOWS\system32\vturo.dll
2008-01-08 11:56:39 77888 --a------ C:\WINDOWS\system32\fxibhuxd.dll
2008-01-08 11:53:39 74304 --a------ C:\WINDOWS\system32\vtsphlxp.exe <Not Verified; ; DDC>
2008-01-07 22:03:14 0 d-------- C:\Program Files\Trend Micro
2008-01-06 22:07:19 0 d-------- C:\VundoFix Backups
2008-01-04 11:32:47 0 d-------- C:\Documents and Settings\Administrator.BRAN\Application Data\Lavasoft
2008-01-04 11:25:02 0 dr-h----- C:\Documents and Settings\Administrator.BRAN\SendTo
2008-01-04 11:25:02 0 dr-h----- C:\Documents and Settings\Administrator.BRAN\Recent
2008-01-04 11:25:02 0 d--h----- C:\Documents and Settings\Administrator.BRAN\PrintHood
2008-01-04 11:25:02 0 d--h----- C:\Documents and Settings\Administrator.BRAN\NetHood
2008-01-04 11:25:02 0 dr------- C:\Documents and Settings\Administrator.BRAN\My Documents
2008-01-04 11:25:02 0 d--h----- C:\Documents and Settings\Administrator.BRAN\Local Settings
2008-01-04 11:25:02 0 dr------- C:\Documents and Settings\Administrator.BRAN\Favorites
2008-01-04 11:25:02 0 d-------- C:\Documents and Settings\Administrator.BRAN\Desktop
2008-01-04 11:25:02 0 d--hs---- C:\Documents and Settings\Administrator.BRAN\Cookies
2008-01-04 11:25:02 0 dr-h----- C:\Documents and Settings\Administrator.BRAN\Application Data
2008-01-04 11:25:02 0 d-------- C:\Documents and Settings\Administrator.BRAN\Application Data\Sun
2008-01-04 11:25:02 0 d-------- C:\Documents and Settings\Administrator.BRAN\Application Data\Real
2008-01-04 11:25:02 0 d---s---- C:\Documents and Settings\Administrator.BRAN\Application Data\Microsoft
2008-01-04 11:25:02 0 d-------- C:\Documents and Settings\Administrator.BRAN\Application Data\Jasc Software Inc
2008-01-04 11:25:02 0 d-------- C:\Documents and Settings\Administrator.BRAN\Application Data\Identities
2008-01-04 11:25:02 0 d-------- C:\Documents and Settings\Administrator.BRAN\Application Data\Gtek
2008-01-04 11:25:01 0 d--h----- C:\Documents and Settings\Administrator.BRAN\Templates
2008-01-04 11:25:01 0 dr------- C:\Documents and Settings\Administrator.BRAN\Start Menu
2008-01-04 11:25:01 2097152 --ah----- C:\Documents and Settings\Administrator.BRAN\NTUSER.DAT
2008-01-04 11:01:45 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2008-01-04 11:01:33 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-01-03 12:23:03 6291456 --a------ C:\Documents and Settings\Brandee\ntuser.dat
2008-01-03 12:22:11 340875 --ahs---- C:\WINDOWS\system32\orutv.ini2
2008-01-03 12:20:33 0 d-------- C:\Program Files\Temporary
2008-01-03 12:20:33 0 d-------- C:\Program Files\kernel
2008-01-03 12:20:19 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2008-01-03 12:17:37 134 --a------ C:\n.bat
2008-01-03 12:17:32 0 d--hs---- C:\WINDOWS\SHVnaCBTdHVsbA
2008-01-03 12:17:28 0 --a------ C:\x.dat
2008-01-03 12:17:23 0 --a------ C:\z.dat
2008-01-03 12:17:15 172032 --a------ C:\winlogon.exe
2008-01-03 12:17:13 0 d-------- C:\WINDOWS\system32\z9
2008-01-03 12:17:13 0 d-------- C:\WINDOWS\system32\z1
2008-01-03 12:17:13 0 d-------- C:\WINDOWS\system32\mr9
2008-01-03 12:17:13 0 d-------- C:\WINDOWS\system32\aj2
2008-01-03 12:17:06 0 d-------- C:\WINDOWS\system32\ardCo18
2008-01-01 14:52:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-12-31 13:21:20 53760 --a------ C:\WINDOWS\b122.exe
2007-12-30 17:05:28 0 d-------- C:\Program Files\abrViewer.NET
2007-12-27 00:09:38 0 d-------- C:\Program Files\High-Logic
2007-12-27 00:09:38 0 d-------- C:\Documents and Settings\Brandee\Application Data\FontCreator
2007-12-26 03:37:33 0 d-------- C:\Documents and Settings\Guest\Application Data\ATI
2007-12-26 01:15:40 0 d-------- C:\Documents and Settings\Brandee\Application Data\ATI
2007-12-26 01:12:48 0 d-------- C:\Program Files\Common Files\ATI Technologies
2007-12-26 01:03:43 520192 -----n--- C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2007-12-26 01:03:08 0 d-------- C:\Program Files\ATI Technologies
2007-12-26 01:01:26 0 d-------- C:\Diamond
2007-12-25 11:30:45 0 d-------- C:\Documents and Settings\Brandee\Application Data\U3
2007-12-20 01:46:17 0 d-------- C:\Documents and Settings\Brandee\Application Data\Mozilla
2007-12-20 01:45:43 0 d-------- C:\Documents and Settings\Brandee\Application Data\SecondLife
2007-12-20 01:45:09 0 d-------- C:\Program Files\SecondLife
2007-12-20 01:23:37 0 d-------- C:\Documents and Settings\Brandee\Application Data\Move Networks

-- Find3M Report ---------------------------------------------------------------

2008-01-09 14:22:40 0 d-------- C:\Program Files\QuickTime
2008-01-09 14:21:54 466944 --a------ C:\WINDOWS\system32\hkcmd.exe <Not Verified; Intel Corporation; Intel(R) Common User Interface>
2008-01-09 14:21:52 495616 --a------ C:\WINDOWS\system32\igfxtray.exe <Not Verified; Intel Corporation; Intel(R) Common User Interface>
2008-01-09 14:21:49 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-01-08 15:29:01 0 d-------- C:\Program Files\Palm
2008-01-08 15:23:44 0 d-------- C:\Program Files\MSN Messenger
2008-01-08 15:23:32 0 d-------- C:\Program Files\Last.fm
2008-01-08 15:17:52 0 d-------- C:\Program Files\Google
2008-01-07 21:50:34 0 d-------- C:\Documents and Settings\Brandee\Application Data\Adobe
2008-01-03 13:26:43 0 d-------- C:\Program Files\Messenger
2008-01-01 14:47:50 0 d-------- C:\Program Files\Common Files\Adobe
2008-01-01 14:47:41 0 d-------- C:\Documents and Settings\Brandee\Application Data\AdobeUM
2007-12-28 13:36:41 0 d-------- C:\Documents and Settings\Brandee\Application Data\OpenOffice.org2
2007-12-26 01:03:23 0 d--h----- C:\Program Files\InstallShield Installation Information

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{57D9BFE8-ABD8-4C93-AA6D-A5D987BFE8DA}]
01/08/2008 12:18 PM 335360 --------- C:\WINDOWS\system32\vturo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{893dcea9-7e70-4557-9623-d08e11e79b7d}]
01/09/2008 02:00 PM 79936 --a------ C:\WINDOWS\system32\kfhncrmw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{90F825DF-46E7-497A-A2A3-129741C57B72}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC738E39-6CA3-4AC5-804F-3E3BEAAD6320}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [01/09/2008 02:21 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [01/09/2008 02:21 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [01/09/2008 02:21 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [01/09/2008 02:22 PM]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [01/09/2008 02:21 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/09/2008 02:22 PM]
"1c2fb1de"="C:\WINDOWS\system32\amlhvqvf.dll" [01/09/2008 02:03 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [01/09/2008 02:21 PM]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [01/09/2008 02:21 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [01/09/2008 02:21 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [01/09/2008 02:21 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\Brandee\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 9:00:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 9:00:00 AM]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [6/9/2004 2:27:34 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 05/23/2007 05:46 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vturo

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
path=
backup=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpcmpmgr]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McUpdate]
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\realsched]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
%systemroot%\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]

[HKEY_LOCAL_MACHINE\software\microsoft\shared 
tools\msconfig\startupreg\VSOCheckTask] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "Pml Driver HPZ12"=3 (0x3) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E] AutoRun\command- E:\LaunchU3.exe -a -- End of Deckard's System Scanner: finished at 2008-01-09 14:34:56 ------------
#3
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,151
OS: 2000 Pro; XP Pro; XP Home
Re: HijackThis Log - completed 5 steps
Hello, and Welcome to TSF.
Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

You have the latest version of the Vundo infection. It is a file infector, and replaces many legit exe files in startup. It's possible these applications will need to be reinstalled.

You have no AntiVirus application installed on this machine. Why is that? AntiSpyware applications do not protect in the same way. We'll address that in the course of this fix.

---------------------------------------------------------------------------------------------

Please visit this webpage for instructions for downloading and running ComboFix: http://www.bleepingcomputer.com/comb...o-use-combofix

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
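As an added example that is not part of this thread or of any tool named in it, the following Python scans constructed log lines modelled on the ones posted above for the three indicators the helper's diagnosis rests on: a legitimate program renamed with a space before its extension, a Run value that loads a DLL from system32 under a meaningless name, and an extra LSA authentication package beside msv1_0. The rule names, function names and the sample lines are my own.

```python
"""Scan Deckard/HijackThis-style log lines for the Vundo indicators seen in this thread."""
import re
from collections import Counter
from typing import List, Optional, Tuple

# Constructed sample modelled on the log lines posted above (the real logs run to
# thousands of entries; these few are enough to exercise every rule).
SAMPLE_LOG = r"""
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [01/09/2008 02:22 PM]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [01/09/2008 02:21 PM]
"1c2fb1de"="C:\WINDOWS\system32\amlhvqvf.dll" [01/09/2008 02:03 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vturo
"""

# Rule 1: a binary whose name has whitespace wedged before the extension ("cli .exe").
# ComboFix later reported exactly these renames ("cli .exe ---> cli.exe").
RENAMED_BINARY = re.compile(r"\S\s+\.(?:exe|dll|scr|com)\b", re.IGNORECASE)
# Registry section header and "name"=data lines as the scanners print them.
REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
TRAILING_STAMP = re.compile(r"\s*\[[^\]]*\]\s*$")  # the "[01/09/2008 02:22 PM]" suffix

# Rule 3: on a clean XP box the LSA package list is just msv1_0.
EXPECTED_LSA_PACKAGES = {"msv1_0"}


def parse_value(line: str) -> Optional[Tuple[str, str]]:
    """Split a '"name"="data" [stamp]' line into (name, data); None for other lines."""
    m = REG_VALUE.match(line)
    if not m:
        return None
    name, rest = m.groups()
    data = TRAILING_STAMP.sub("", rest).strip().strip('"')
    return name, data


def scan(text: str) -> List[Tuple[str, str]]:
    """Return (rule, line) pairs for every suspicious line in the log text."""
    findings: List[Tuple[str, str]] = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = REG_KEY.match(line)
        if key:
            current_key = key.group(1).lower()
            continue
        if RENAMED_BINARY.search(line):
            findings.append(("renamed-binary", line))
        parsed = parse_value(line)
        if parsed is None:
            continue
        name, data = parsed
        # Rule 2: a Run value whose payload is a DLL rather than a program;
        # legitimate Run entries point at executables.
        if current_key.endswith("\\currentversion\\run") and data.lower().endswith(".dll"):
            findings.append(("run-dll", line))
        if current_key.endswith("\\control\\lsa") and name.lower() == "authentication packages":
            extra = [p for p in data.split() if p.lower() not in EXPECTED_LSA_PACKAGES]
            if extra:
                findings.append(("lsa-package", line))
    return findings


def summarize(findings: List[Tuple[str, str]]) -> Counter:
    """Count findings per rule, e.g. Counter({'renamed-binary': 3, ...})."""
    return Counter(rule for rule, _ in findings)


if __name__ == "__main__":
    for rule, line in scan(SAMPLE_LOG):
        print(f"{rule:15} {line}")
    print(summarize(scan(SAMPLE_LOG)))
```

Run against the full Deckard or HijackThis text file instead of SAMPLE_LOG to get the same three-rule triage over a real dump.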
#4
Registered User
Join Date: Jan 2008
Posts: 18
OS: win xp sp2
Re: HijackThis Log - completed 5 steps
First and foremost, thank you a great deal for your assistance.
I ran the combofix utility as instructed. The logfile follows, as well as the new hjt log. ComboFix 08-01-13.1 - Brandee 2008-01-12 16:05:03.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.378 [GMT -5:00] Running from: C:\Documents and Settings\Brandee\Desktop\ComboFix.exe * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\pos10.tmp C:\pos100.tmp C:\pos101.tmp C:\pos102.tmp C:\pos103.tmp C:\pos104.tmp C:\pos105.tmp C:\pos106.tmp C:\pos107.tmp C:\pos108.tmp C:\pos109.tmp C:\pos10A.tmp C:\pos10B.tmp C:\pos10C.tmp C:\pos10D.tmp C:\pos10E.tmp C:\pos10F.tmp C:\pos11.tmp C:\pos110.tmp C:\pos111.tmp C:\pos112.tmp C:\pos113.tmp C:\pos114.tmp C:\pos115.tmp C:\pos116.tmp C:\pos117.tmp C:\pos118.tmp C:\pos119.tmp C:\pos11A.tmp C:\pos11B.tmp C:\pos11C.tmp C:\pos11D.tmp C:\pos11E.tmp C:\pos11F.tmp C:\pos120.tmp C:\pos121.tmp C:\pos122.tmp C:\pos123.tmp C:\pos124.tmp C:\pos125.tmp C:\pos126.tmp C:\pos127.tmp C:\pos128.tmp C:\pos129.tmp C:\pos12A.tmp C:\pos12B.tmp C:\pos12C.tmp C:\pos12D.tmp C:\pos12E.tmp C:\pos12F.tmp C:\pos130.tmp C:\pos131.tmp C:\pos132.tmp C:\pos133.tmp C:\pos134.tmp C:\pos135.tmp C:\pos136.tmp C:\pos137.tmp C:\pos138.tmp C:\pos139.tmp C:\pos13A.tmp C:\pos13B.tmp C:\pos13C.tmp C:\pos13D.tmp C:\pos13E.tmp C:\pos13F.tmp C:\pos14.tmp C:\pos140.tmp C:\pos141.tmp C:\pos142.tmp C:\pos143.tmp C:\pos144.tmp C:\pos145.tmp C:\pos146.tmp C:\pos147.tmp C:\pos148.tmp C:\pos149.tmp C:\pos14A.tmp C:\pos14B.tmp C:\pos14C.tmp C:\pos14D.tmp C:\pos14E.tmp C:\pos14F.tmp C:\pos15.tmp C:\pos150.tmp C:\pos151.tmp C:\pos152.tmp C:\pos153.tmp C:\pos154.tmp C:\pos155.tmp C:\pos156.tmp C:\pos157.tmp C:\pos158.tmp C:\pos159.tmp C:\pos15A.tmp C:\pos15B.tmp C:\pos15C.tmp C:\pos15D.tmp C:\pos15E.tmp C:\pos15F.tmp C:\pos16.tmp C:\pos160.tmp C:\pos161.tmp C:\pos162.tmp C:\pos163.tmp C:\pos164.tmp 
C:\pos165.tmp C:\pos166.tmp C:\pos167.tmp C:\pos168.tmp C:\pos169.tmp C:\pos16A.tmp C:\pos16B.tmp C:\pos16C.tmp C:\pos16D.tmp C:\pos16E.tmp C:\pos16F.tmp C:\pos17.tmp C:\pos170.tmp C:\pos171.tmp C:\pos172.tmp C:\pos173.tmp C:\pos174.tmp C:\pos175.tmp C:\pos176.tmp C:\pos177.tmp C:\pos178.tmp C:\pos179.tmp C:\pos17A.tmp C:\pos17B.tmp C:\pos17C.tmp C:\pos17D.tmp C:\pos17E.tmp C:\pos17F.tmp C:\pos18.tmp C:\pos180.tmp C:\pos181.tmp C:\pos182.tmp C:\pos183.tmp C:\pos184.tmp C:\pos185.tmp C:\pos186.tmp C:\pos187.tmp C:\pos188.tmp C:\pos189.tmp C:\pos18A.tmp C:\pos18B.tmp C:\pos18C.tmp C:\pos18D.tmp C:\pos18E.tmp C:\pos18F.tmp C:\pos19.tmp C:\pos190.tmp C:\pos191.tmp C:\pos192.tmp C:\pos193.tmp C:\pos194.tmp C:\pos195.tmp C:\pos196.tmp C:\pos197.tmp C:\pos198.tmp C:\pos199.tmp C:\pos19A.tmp C:\pos19B.tmp C:\pos19C.tmp C:\pos19D.tmp C:\pos19E.tmp C:\pos19F.tmp C:\pos1A.tmp C:\pos1A0.tmp C:\pos1A1.tmp C:\pos1A2.tmp C:\pos1A3.tmp C:\pos1A4.tmp C:\pos1A5.tmp C:\pos1A6.tmp C:\pos1A7.tmp C:\pos1A8.tmp C:\pos1A9.tmp C:\pos1AA.tmp C:\pos1AB.tmp C:\pos1AC.tmp C:\pos1AD.tmp C:\pos1AE.tmp C:\pos1AF.tmp C:\pos1B.tmp C:\pos1B0.tmp C:\pos1B1.tmp C:\pos1B2.tmp C:\pos1B3.tmp C:\pos1B4.tmp C:\pos1B5.tmp C:\pos1B6.tmp C:\pos1B7.tmp C:\pos1B8.tmp C:\pos1B9.tmp C:\pos1BA.tmp C:\pos1BB.tmp C:\pos1BC.tmp C:\pos1BD.tmp C:\pos1BE.tmp C:\pos1BF.tmp C:\pos1C.tmp C:\pos1C0.tmp C:\pos1C1.tmp C:\pos1C2.tmp C:\pos1C3.tmp C:\pos1C4.tmp C:\pos1C5.tmp C:\pos1C6.tmp C:\pos1C7.tmp C:\pos1C8.tmp C:\pos1C9.tmp C:\pos1CA.tmp C:\pos1CB.tmp C:\pos1CC.tmp C:\pos1CD.tmp C:\pos1CE.tmp C:\pos1CF.tmp C:\pos1D.tmp C:\pos1D0.tmp C:\pos1D1.tmp C:\pos1D2.tmp C:\pos1D3.tmp C:\pos1D4.tmp C:\pos1D5.tmp C:\pos1D6.tmp C:\pos1D7.tmp C:\pos1D8.tmp C:\pos1D9.tmp C:\pos1DA.tmp C:\pos1DB.tmp C:\pos1DC.tmp C:\pos1DD.tmp C:\pos1DE.tmp C:\pos1DF.tmp C:\pos1E.tmp C:\pos1E0.tmp C:\pos1E1.tmp C:\pos1E2.tmp C:\pos1E3.tmp C:\pos1E4.tmp C:\pos1E5.tmp C:\pos1E6.tmp C:\pos1E7.tmp C:\pos1E8.tmp C:\pos1E9.tmp C:\pos1EA.tmp C:\pos1EB.tmp 
C:\pos1EC.tmp C:\pos1ED.tmp C:\pos1EE.tmp C:\pos1EF.tmp C:\pos1F.tmp C:\pos1F0.tmp C:\pos1F1.tmp C:\pos1F2.tmp C:\pos1F3.tmp C:\pos1F4.tmp C:\pos1F5.tmp C:\pos1F6.tmp C:\pos1F7.tmp C:\pos1F8.tmp C:\pos1F9.tmp C:\pos1FA.tmp C:\pos1FB.tmp C:\pos1FC.tmp C:\pos1FD.tmp C:\pos1FE.tmp C:\pos1FF.tmp C:\pos20.tmp C:\pos200.tmp C:\pos201.tmp C:\pos202.tmp C:\pos203.tmp C:\pos204.tmp C:\pos205.tmp C:\pos206.tmp C:\pos207.tmp C:\pos208.tmp C:\pos209.tmp C:\pos20A.tmp C:\pos20B.tmp C:\pos20C.tmp C:\pos20D.tmp C:\pos20E.tmp C:\pos20F.tmp C:\pos21.tmp C:\pos210.tmp C:\pos211.tmp C:\pos212.tmp C:\pos213.tmp C:\pos214.tmp C:\pos215.tmp C:\pos216.tmp C:\pos217.tmp C:\pos218.tmp C:\pos219.tmp C:\pos21A.tmp C:\pos21B.tmp C:\pos21C.tmp C:\pos21D.tmp C:\pos21E.tmp C:\pos21F.tmp C:\pos22.tmp C:\pos220.tmp C:\pos221.tmp C:\pos222.tmp C:\pos223.tmp C:\pos224.tmp C:\pos225.tmp C:\pos226.tmp C:\pos227.tmp C:\pos228.tmp C:\pos229.tmp C:\pos22A.tmp C:\pos22B.tmp C:\pos22C.tmp C:\pos22D.tmp C:\pos22E.tmp C:\pos22F.tmp C:\pos23.tmp C:\pos230.tmp C:\pos231.tmp C:\pos232.tmp C:\pos234.tmp C:\pos235.tmp C:\pos236.tmp C:\pos237.tmp C:\pos238.tmp C:\pos239.tmp C:\pos23A.tmp C:\pos23B.tmp C:\pos23C.tmp C:\pos23D.tmp C:\pos23E.tmp C:\pos23F.tmp C:\pos24.tmp C:\pos240.tmp C:\pos241.tmp C:\pos242.tmp C:\pos243.tmp C:\pos244.tmp C:\pos245.tmp C:\pos246.tmp C:\pos249.tmp C:\pos24A.tmp C:\pos24B.tmp C:\pos24D.tmp C:\pos24E.tmp C:\pos24F.tmp C:\pos25.tmp C:\pos250.tmp C:\pos251.tmp C:\pos254.tmp C:\pos255.tmp C:\pos256.tmp C:\pos257.tmp C:\pos258.tmp C:\pos259.tmp C:\pos25A.tmp C:\pos25B.tmp C:\pos25C.tmp C:\pos25D.tmp C:\pos25F.tmp C:\pos26.tmp C:\pos262.tmp C:\pos263.tmp C:\pos264.tmp C:\pos265.tmp C:\pos266.tmp C:\pos267.tmp C:\pos268.tmp C:\pos269.tmp C:\pos26B.tmp C:\pos26C.tmp C:\pos26D.tmp C:\pos27.tmp C:\pos270.tmp C:\pos271.tmp C:\pos272.tmp C:\pos273.tmp C:\pos274.tmp C:\pos275.tmp C:\pos276.tmp C:\pos277.tmp C:\pos278.tmp C:\pos279.tmp C:\pos27A.tmp C:\pos27C.tmp C:\pos27D.tmp C:\pos28.tmp 
C:\pos280.tmp C:\pos281.tmp C:\pos282.tmp C:\pos283.tmp C:\pos284.tmp C:\pos285.tmp C:\pos286.tmp C:\pos287.tmp C:\pos289.tmp C:\pos28A.tmp C:\pos28B.tmp C:\pos28C.tmp C:\pos28D.tmp C:\pos28E.tmp C:\pos28F.tmp C:\pos29.tmp C:\pos290.tmp C:\pos291.tmp C:\pos292.tmp C:\pos293.tmp C:\pos294.tmp C:\pos295.tmp C:\pos296.tmp C:\pos297.tmp C:\pos299.tmp C:\pos29B.tmp C:\pos29C.tmp C:\pos29D.tmp C:\pos29E.tmp C:\pos29F.tmp C:\pos2A.tmp C:\pos2A0.tmp C:\pos2A2.tmp C:\pos2A3.tmp C:\pos2A4.tmp C:\pos2A5.tmp C:\pos2A6.tmp C:\pos2A7.tmp C:\pos2A8.tmp C:\pos2A9.tmp C:\pos2AA.tmp C:\pos2AB.tmp C:\pos2AC.tmp C:\pos2AD.tmp C:\pos2AE.tmp C:\pos2B.tmp C:\pos2B1.tmp C:\pos2B2.tmp C:\pos2B3.tmp C:\pos2B4.tmp C:\pos2B5.tmp C:\pos2B7.tmp C:\pos2B8.tmp C:\pos2B9.tmp C:\pos2BA.tmp C:\pos2BB.tmp C:\pos2BE.tmp C:\pos2BF.tmp C:\pos2C.tmp C:\pos2C0.tmp C:\pos2C1.tmp C:\pos2C2.tmp C:\pos2C3.tmp C:\pos2C4.tmp C:\pos2C5.tmp C:\pos2C7.tmp C:\pos2C8.tmp C:\pos2C9.tmp C:\pos2CA.tmp C:\pos2CB.tmp C:\pos2CC.tmp C:\pos2CD.tmp C:\pos2CF.tmp C:\pos2D.tmp C:\pos2D0.tmp C:\pos2D1.tmp C:\pos2D2.tmp C:\pos2D3.tmp C:\pos2D4.tmp C:\pos2D5.tmp C:\pos2D6.tmp C:\pos2D7.tmp C:\pos2D8.tmp C:\pos2D9.tmp C:\pos2DA.tmp C:\pos2DB.tmp C:\pos2DC.tmp C:\pos2DD.tmp C:\pos2DE.tmp C:\pos2DF.tmp C:\pos2E.tmp C:\pos2E0.tmp C:\pos2E1.tmp C:\pos2E2.tmp C:\pos2E3.tmp C:\pos2E4.tmp C:\pos2E5.tmp C:\pos2E6.tmp C:\pos2E7.tmp C:\pos2E8.tmp C:\pos2E9.tmp C:\pos2EA.tmp C:\pos2EB.tmp C:\pos2EC.tmp C:\pos2ED.tmp C:\pos2EE.tmp C:\pos2EF.tmp C:\pos2F.tmp C:\pos2F0.tmp C:\pos2F1.tmp C:\pos2F2.tmp C:\pos2F3.tmp C:\pos2F4.tmp C:\pos2F5.tmp C:\pos2F6.tmp C:\pos2F7.tmp C:\pos2F8.tmp C:\pos2F9.tmp C:\pos2FA.tmp C:\pos2FB.tmp C:\pos2FC.tmp C:\pos2FD.tmp C:\pos2FE.tmp C:\pos2FF.tmp C:\pos3.tmp C:\pos30.tmp C:\pos300.tmp C:\pos301.tmp C:\pos302.tmp C:\pos303.tmp C:\pos304.tmp C:\pos305.tmp C:\pos306.tmp C:\pos307.tmp C:\pos308.tmp C:\pos309.tmp C:\pos30A.tmp C:\pos30B.tmp C:\pos30C.tmp C:\pos30D.tmp C:\pos30E.tmp C:\pos30F.tmp C:\pos31.tmp 
C:\pos310.tmp C:\pos311.tmp C:\pos312.tmp C:\pos313.tmp C:\pos314.tmp C:\pos315.tmp C:\pos316.tmp C:\pos317.tmp C:\pos318.tmp C:\pos319.tmp C:\pos31A.tmp C:\pos31B.tmp C:\pos31C.tmp C:\pos31D.tmp C:\pos31E.tmp C:\pos31F.tmp C:\pos32.tmp C:\pos320.tmp C:\pos321.tmp C:\pos322.tmp C:\pos323.tmp C:\pos324.tmp C:\pos325.tmp C:\pos326.tmp C:\pos327.tmp C:\pos328.tmp C:\pos329.tmp C:\pos32A.tmp C:\pos32B.tmp C:\pos32C.tmp C:\pos32D.tmp C:\pos32E.tmp C:\pos32F.tmp C:\pos33.tmp C:\pos330.tmp C:\pos331.tmp C:\pos332.tmp C:\pos333.tmp C:\pos334.tmp C:\pos335.tmp C:\pos336.tmp C:\pos337.tmp C:\pos338.tmp C:\pos339.tmp C:\pos33A.tmp C:\pos33B.tmp C:\pos33C.tmp C:\pos33D.tmp C:\pos33E.tmp C:\pos33F.tmp C:\pos34.tmp C:\pos340.tmp C:\pos341.tmp C:\pos342.tmp C:\pos343.tmp C:\pos344.tmp C:\pos345.tmp C:\pos346.tmp C:\pos347.tmp C:\pos348.tmp C:\pos349.tmp C:\pos34A.tmp C:\pos34B.tmp C:\pos34C.tmp C:\pos34D.tmp C:\pos34E.tmp C:\pos34F.tmp C:\pos35.tmp C:\pos350.tmp C:\pos351.tmp C:\pos352.tmp C:\pos353.tmp C:\pos354.tmp C:\pos355.tmp C:\pos356.tmp C:\pos357.tmp C:\pos358.tmp C:\pos359.tmp C:\pos35A.tmp C:\pos35B.tmp C:\pos35C.tmp C:\pos35D.tmp C:\pos35E.tmp C:\pos35F.tmp C:\pos36.tmp C:\pos360.tmp C:\pos361.tmp C:\pos362.tmp C:\pos363.tmp C:\pos364.tmp C:\pos365.tmp C:\pos366.tmp C:\pos367.tmp C:\pos368.tmp C:\pos369.tmp C:\pos36A.tmp C:\pos36B.tmp C:\pos36C.tmp C:\pos36D.tmp C:\pos36E.tmp C:\pos36F.tmp C:\pos37.tmp C:\pos370.tmp C:\pos371.tmp C:\pos372.tmp C:\pos373.tmp C:\pos374.tmp C:\pos375.tmp C:\pos376.tmp C:\pos377.tmp C:\pos378.tmp C:\pos379.tmp C:\pos37A.tmp C:\pos37B.tmp C:\pos37C.tmp C:\pos37D.tmp C:\pos37E.tmp C:\pos37F.tmp C:\pos38.tmp C:\pos380.tmp C:\pos381.tmp C:\pos382.tmp C:\pos383.tmp C:\pos384.tmp C:\pos385.tmp C:\pos386.tmp C:\pos387.tmp C:\pos388.tmp C:\pos389.tmp C:\pos38A.tmp C:\pos38B.tmp C:\pos38C.tmp C:\pos38D.tmp C:\pos38E.tmp C:\pos38F.tmp C:\pos39.tmp C:\pos390.tmp C:\pos391.tmp C:\pos392.tmp C:\pos393.tmp C:\pos394.tmp C:\pos395.tmp C:\pos396.tmp 
C:\pos397.tmp C:\pos398.tmp C:\pos399.tmp C:\pos39A.tmp C:\pos39B.tmp C:\pos39C.tmp C:\pos39D.tmp C:\pos39E.tmp C:\pos39F.tmp C:\pos3A.tmp C:\pos3A0.tmp C:\pos3A1.tmp C:\pos3A2.tmp C:\pos3A3.tmp C:\pos3A4.tmp C:\pos3A5.tmp C:\pos3A6.tmp C:\pos3A7.tmp C:\pos3A8.tmp C:\pos3A9.tmp C:\pos3AA.tmp C:\pos3AB.tmp C:\pos3AC.tmp C:\pos3AD.tmp C:\pos3AE.tmp C:\pos3AF.tmp C:\pos3B.tmp C:\pos3B0.tmp C:\pos3B1.tmp C:\pos3B2.tmp C:\pos3B3.tmp C:\pos3B4.tmp C:\pos3B5.tmp C:\pos3B6.tmp C:\pos3B7.tmp C:\pos3B8.tmp C:\pos3B9.tmp C:\pos3BA.tmp C:\pos3BB.tmp C:\pos3BC.tmp C:\pos3BD.tmp C:\pos3BE.tmp C:\pos3BF.tmp C:\pos3C.tmp C:\pos3C0.tmp C:\pos3C1.tmp C:\pos3C2.tmp C:\pos3C3.tmp C:\pos3C4.tmp C:\pos3C5.tmp C:\pos3C6.tmp C:\pos3C7.tmp C:\pos3C8.tmp C:\pos3C9.tmp C:\pos3CA.tmp C:\pos3CB.tmp C:\pos3CC.tmp C:\pos3CD.tmp C:\pos3CE.tmp C:\pos3CF.tmp C:\pos3D.tmp C:\pos3D0.tmp C:\pos3D1.tmp C:\pos3D2.tmp C:\pos3D3.tmp C:\pos3D4.tmp C:\pos3D5.tmp C:\pos3D6.tmp C:\pos3D7.tmp C:\pos3D8.tmp C:\pos3D9.tmp C:\pos3DA.tmp C:\pos3DB.tmp C:\pos3DC.tmp C:\pos3DD.tmp C:\pos3DE.tmp C:\pos3DF.tmp C:\pos3E.tmp C:\pos3E0.tmp C:\pos3E1.tmp C:\pos3E2.tmp C:\pos3E3.tmp C:\pos3E4.tmp C:\pos3E5.tmp C:\pos3E6.tmp C:\pos3E7.tmp C:\pos3E8.tmp C:\pos3E9.tmp C:\pos3EA.tmp C:\pos3EB.tmp C:\pos3EC.tmp C:\pos3ED.tmp C:\pos3EE.tmp C:\pos3EF.tmp C:\pos3F.tmp C:\pos3F0.tmp C:\pos3F1.tmp C:\pos3F2.tmp C:\pos3F3.tmp C:\pos3F4.tmp C:\pos3F5.tmp C:\pos3F6.tmp C:\pos3F7.tmp C:\pos3F8.tmp C:\pos3F9.tmp C:\pos3FA.tmp C:\pos3FB.tmp C:\pos3FC.tmp C:\pos3FD.tmp C:\pos3FE.tmp C:\pos3FF.tmp C:\pos4.tmp C:\pos40.tmp C:\pos400.tmp C:\pos401.tmp C:\pos402.tmp C:\pos403.tmp C:\pos404.tmp C:\pos405.tmp C:\pos406.tmp C:\pos407.tmp C:\pos41.tmp C:\pos42.tmp C:\pos43.tmp C:\pos44.tmp C:\pos45.tmp C:\pos46.tmp C:\pos47.tmp C:\pos48.tmp C:\pos49.tmp C:\pos4A.tmp C:\pos4B.tmp C:\pos4C.tmp C:\pos4D.tmp C:\pos4E.tmp C:\pos4F.tmp C:\pos5.tmp C:\pos50.tmp C:\pos51.tmp C:\pos52.tmp C:\pos53.tmp C:\pos54.tmp C:\pos55.tmp C:\pos56.tmp C:\pos57.tmp 
C:\pos58.tmp C:\pos59.tmp C:\pos5A.tmp C:\pos5B.tmp C:\pos5C.tmp C:\pos5D.tmp C:\pos5E.tmp C:\pos5F.tmp C:\pos6.tmp C:\pos60.tmp C:\pos61.tmp C:\pos62.tmp C:\pos63.tmp C:\pos64.tmp C:\pos65.tmp C:\pos66.tmp C:\pos67.tmp C:\pos68.tmp C:\pos69.tmp C:\pos6A.tmp C:\pos6B.tmp C:\pos6C.tmp C:\pos6D.tmp C:\pos6E.tmp C:\pos6F.tmp C:\pos70.tmp C:\pos71.tmp C:\pos72.tmp C:\pos73.tmp C:\pos74.tmp C:\pos75.tmp C:\pos76.tmp C:\pos77.tmp C:\pos78.tmp C:\pos79.tmp C:\pos7A.tmp C:\pos7B.tmp C:\pos7C.tmp C:\pos7D.tmp C:\pos7E.tmp C:\pos7F.tmp C:\pos8.tmp C:\pos80.tmp C:\pos81.tmp C:\pos82.tmp C:\pos83.tmp C:\pos84.tmp C:\pos85.tmp C:\pos86.tmp C:\pos87.tmp C:\pos88.tmp C:\pos89.tmp C:\pos8A.tmp C:\pos8B.tmp C:\pos8C.tmp C:\pos8D.tmp C:\pos8E.tmp C:\pos8F.tmp C:\pos9.tmp C:\pos90.tmp C:\pos91.tmp C:\pos92.tmp C:\pos93.tmp C:\pos94.tmp C:\pos95.tmp C:\pos96.tmp C:\pos97.tmp C:\pos98.tmp C:\pos99.tmp C:\pos9A.tmp C:\pos9B.tmp C:\pos9C.tmp C:\pos9D.tmp C:\pos9E.tmp C:\pos9F.tmp C:\posA.tmp C:\posA0.tmp C:\posA1.tmp C:\posA2.tmp C:\posA3.tmp C:\posA4.tmp C:\posA5.tmp C:\posA6.tmp C:\posA7.tmp C:\posA8.tmp C:\posA9.tmp C:\posAA.tmp C:\posAB.tmp C:\posAC.tmp C:\posAD.tmp C:\posAE.tmp C:\posAF.tmp C:\posB.tmp C:\posB0.tmp C:\posB1.tmp C:\posB2.tmp C:\posB3.tmp C:\posB4.tmp C:\posB5.tmp C:\posB6.tmp C:\posB7.tmp C:\posB8.tmp C:\posB9.tmp C:\posBA.tmp C:\posBB.tmp C:\posBC.tmp C:\posBD.tmp C:\posBE.tmp C:\posBF.tmp C:\posC.tmp C:\posC0.tmp C:\posC1.tmp C:\posC2.tmp C:\posC3.tmp C:\posC4.tmp C:\posC5.tmp C:\posC6.tmp C:\posC7.tmp C:\posC8.tmp C:\posC9.tmp C:\posCA.tmp C:\posCB.tmp C:\posCC.tmp C:\posCD.tmp C:\posCE.tmp C:\posCF.tmp C:\posD.tmp C:\posD0.tmp C:\posD1.tmp C:\posD2.tmp C:\posD3.tmp C:\posD4.tmp C:\posD5.tmp C:\posD6.tmp C:\posD7.tmp C:\posD8.tmp C:\posD9.tmp C:\posDA.tmp C:\posDB.tmp C:\posDC.tmp C:\posDD.tmp C:\posDE.tmp C:\posDF.tmp C:\posE.tmp C:\posE0.tmp C:\posE1.tmp C:\posE2.tmp C:\posE3.tmp C:\posE4.tmp C:\posE5.tmp C:\posE6.tmp C:\posE7.tmp C:\posE8.tmp C:\posE9.tmp 
C:\posEA.tmp C:\posEB.tmp C:\posEC.tmp C:\posED.tmp C:\posEE.tmp C:\posEF.tmp C:\posF.tmp C:\posF0.tmp C:\posF1.tmp C:\posF2.tmp C:\posF3.tmp C:\posF4.tmp C:\posF5.tmp C:\posF6.tmp C:\posF7.tmp C:\posF8.tmp C:\posF9.tmp C:\posFA.tmp C:\posFB.tmp C:\posFC.tmp C:\posFD.tmp C:\posFE.tmp C:\posFF.tmp C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\Program Files\kernel C:\Program Files\QuickTime\qttask .exe C:\Program Files\QuickTime\qttask .exe C:\Program Files\QuickTime\qttask .exe C:\Program Files\QuickTime\qttask .exe C:\Program Files\QuickTime\qttask .exe C:\Program Files\QuickTime\qttask .exe C:\Program Files\QuickTime\qttask .exe C:\Program Files\QuickTime\qttask .exe C:\Program Files\QuickTime\qttask .exe C:\Program Files\QuickTime\qttask .exe C:\Program Files\QuickTime\qttask .exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\Temporary C:\Program Files\Temporary\kernInstall.exe C:\Program Files\Windows Media Player\WMPNSCFG.exe C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe C:\Temp\1cb C:\Temp\1cb\syscheck.log C:\temp\tn3 C:\WINDOWS\b122.exe C:\WINDOWS\cookies.ini C:\WINDOWS\Fonts\a.zip C:\WINDOWS\system32\amlhvqvf.dll C:\WINDOWS\system32\drivers\fad.sys C:\WINDOWS\system32\dslnjfsm.dll C:\WINDOWS\SYSTEM32\fvqvhlma.ini C:\WINDOWS\system32\fxibhuxd.dll C:\WINDOWS\system32\hgxfdsxp.dll C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\kfhncrmw.dll C:\WINDOWS\system32\lgenbhsb.dll C:\WINDOWS\SYSTEM32\lptakeub.ini C:\WINDOWS\SYSTEM32\mbipjnps.ini C:\WINDOWS\SYSTEM32\orutv.ini C:\WINDOWS\SYSTEM32\orutv.ini2 C:\WINDOWS\system32\pac.txt C:\WINDOWS\SYSTEM32\pxsdfxgh.ini C:\WINDOWS\system32\sosndqby.exe C:\WINDOWS\system32\taesrpqq.dll C:\WINDOWS\system32\tvnannxg.exe 
C:\WINDOWS\system32\urjkxhng.dll C:\WINDOWS\system32\urjkxhng.dllbox C:\WINDOWS\system32\uvtqplit.exe C:\WINDOWS\system32\vtsphlxp.exe C:\WINDOWS\system32\vturo.dll C:\WINDOWS\system32\vturo.exe C:\WINDOWS\system32\windows C:\WINDOWS\SYSTEM32\ymxysckb.ini C:\WINDOWS\system32\z1 C:\WINDOWS\system32\z9 C:\winlogon.exe C:\x.dat C:\z.dat
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe ---> Reader_sl.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli .exe ---> cli.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe ---> GoogleToolbarNotifier.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe ---> jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe ---> SUPERAntiSpyware.exe
C:\Program Files\Windows Media Player\WMPNSCFG .exe ---> WMPNSCFG.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro .exe ---> FreeRAM XP Pro.exe
C:\WINDOWS\SYSTEM32\hkcmd .exe ---> hkcmd.exe
C:\WINDOWS\SYSTEM32\igfxtray .exe ---> igfxtray.exe
. ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) .
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\DomainService
((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 ))))))))))))))))))))))))))))))) .
2008-01-12 16:01 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-09 14:27 . 2008-01-09 14:27 <DIR> d-------- C:\Deckard
2008-01-09 14:06 . 2008-01-09 14:06 <DIR> d-------- C:\ie-spyad_zo
2008-01-08 16:54 . 2008-01-08 16:54 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-08 16:54 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\SYSTEM32\MSSTDFMT.DLL
2008-01-08 14:04 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SDTHOOK.SYS
2008-01-08 13:26 . 2008-01-08 15:53 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2008-01-08 13:26 . 2008-01-08 13:26 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2008-01-08 13:26 . 2008-01-08 13:26 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2008-01-08 13:26 . 2008-01-08 13:26 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2008-01-07 22:03 . 2008-01-07 22:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-06 22:07 . 2008-01-06 22:07 <DIR> d-------- C:\VundoFix Backups
2008-01-04 11:32 .
2008-01-04 11:32 <DIR> d-------- C:\Documents and Settings\Administrator.BRAN\Application Data\Lavasoft 2008-01-04 11:25 . 2004-04-23 10:41 <DIR> d-------- C:\Documents and Settings\Administrator.BRAN\Application Data\Jasc Software Inc 2008-01-04 11:25 . 2005-05-26 08:59 <DIR> d-------- C:\Documents and Settings\Administrator.BRAN\Application Data\Gtek 2008-01-03 15:58 . 2008-01-04 10:37 696 --a------ C:\WINDOWS\wininit.ini 2008-01-03 13:18 . 2008-01-12 15:17 155,648 --a------ C:\WINDOWS\SYSTEM32\igfxtray.exe 2008-01-03 13:18 . 2008-01-12 15:17 126,976 --a------ C:\WINDOWS\SYSTEM32\hkcmd.exe 2008-01-03 12:20 . 2008-01-03 12:20 147,456 --a------ C:\WINDOWS\SYSTEM32\vbzip10.dll 2008-01-03 12:18 . 2008-01-04 10:41 379,904 --a------ C:\WINDOWS\mrofinu1000106.exe.tmp 2008-01-03 12:17 . 2008-01-04 14:15 <DIR> d-------- C:\WINDOWS\SYSTEM32\mr9 2008-01-03 12:17 . 2008-01-04 14:15 <DIR> d-------- C:\WINDOWS\SYSTEM32\ardCo18 2008-01-03 12:17 . 2008-01-04 14:15 <DIR> d-------- C:\WINDOWS\SYSTEM32\aj2 2008-01-03 12:17 . 2008-01-04 14:15 <DIR> d--hs---- C:\WINDOWS\SHVnaCBTdHVsbA 2008-01-03 12:17 . 2008-01-03 12:17 <DIR> d-------- C:\temp\cEeer12 2008-01-03 12:17 . 2008-01-03 12:17 166,945 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\core.cache(2).dsk 2008-01-03 12:17 . 2008-01-03 12:17 134 --a------ C:\n.bat 2007-12-30 17:05 . 2007-12-30 17:05 <DIR> d-------- C:\Program Files\abrViewer.NET 2007-12-28 13:11 . 2003-12-12 16:06 1,693,696 --a------ C:\WINDOWS\SYSTEM32\ltclr13n.dll 2007-12-28 13:11 . 2003-11-04 15:11 155,648 --a------ C:\WINDOWS\SYSTEM32\lftif13n.dll 2007-12-28 13:11 . 2003-11-04 15:10 98,304 --a------ C:\WINDOWS\SYSTEM32\lffax13n.dll 2007-12-28 13:11 . 2003-05-22 16:31 55,808 --a------ C:\WINDOWS\SYSTEM32\lfpsd13n.dll 2007-12-27 00:09 . 2007-12-27 00:09 <DIR> d-------- C:\Program Files\High-Logic 2007-12-27 00:09 . 2007-12-27 00:10 <DIR> d-------- C:\Documents and Settings\Brandee\Application Data\FontCreator 2007-12-27 00:09 . 
2008-01-07 19:04 147 --a------ C:\WINDOWS\fcp5.cfg 2007-12-26 03:37 . 2007-12-26 03:37 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\ATI 2007-12-26 01:15 . 2007-12-26 01:15 <DIR> d-------- C:\Documents and Settings\Brandee\Application Data\ATI 2007-12-26 01:12 . 2007-12-26 01:12 <DIR> d-------- C:\Program Files\Common Files\ATI Technologies 2007-12-26 01:03 . 2007-12-26 01:09 <DIR> d-------- C:\Program Files\ATI Technologies 2007-12-26 01:03 . 2006-05-03 11:57 520,192 --a------ C:\WINDOWS\SYSTEM32\ati2sgag.exe 2007-12-26 01:02 . 2005-10-14 07:10 58,560 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ativckxx.vp 2007-12-26 01:02 . 2006-05-03 10:09 28,080 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ativvpxx.vp 2007-12-26 01:02 . 2006-01-25 17:48 6,005 --a------ C:\WINDOWS\SYSTEM32\atifglpf.xml 2007-12-26 01:02 . 2006-02-08 13:44 929 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ativcaxx.vp 2007-12-25 11:30 . 2007-12-25 14:13 <DIR> d-------- C:\Documents and Settings\Brandee\Application Data\U3 2007-12-25 11:30 . 2004-08-04 02:08 26,496 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\usbstor.sys 2007-12-20 01:45 . 2007-12-20 01:45 <DIR> d-------- C:\Program Files\SecondLife 2007-12-20 01:45 . 2007-12-20 02:21 <DIR> d-------- C:\Documents and Settings\Brandee\Application Data\SecondLife 2007-12-20 01:23 . 2007-12-20 01:23 <DIR> d-------- C:\Documents and Settings\Brandee\Application Data\Move Networks . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2008-01-13 21:29 --------- d-----w C:\Program Files\SUPERAntiSpyware 2008-01-13 21:25 --------- d-----w C:\Program Files\QuickTime 2008-01-08 20:29 --------- d-----w C:\Program Files\Palm 2008-01-08 20:23 --------- d-----w C:\Program Files\MSN Messenger 2008-01-08 20:23 --------- d-----w C:\Program Files\Last.fm 2008-01-08 20:17 --------- d-----w C:\Program Files\Google 2008-01-05 16:13 --------- d-----w C:\Documents and Settings\Guest\Application Data\OpenOffice.org2 2008-01-01 19:47 --------- d-----w C:\Program Files\Common Files\Adobe 2008-01-01 19:47 --------- d-----w C:\Documents and Settings\Brandee\Application Data\AdobeUM 2007-12-28 18:36 --------- d-----w C:\Documents and Settings\Brandee\Application Data\OpenOffice.org2 2007-12-26 06:03 --------- d--h--w C:\Program Files\InstallShield Installation Information 2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-12 15:18 68856]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2008-01-12 15:18 1591808]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-01-12 15:18 1318912]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-12 15:18 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-01-12 15:17 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-01-12 15:17 126976]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-01-12 15:17 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2008-01-12 15:17 45056]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 15:17 39792]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 20:34 5419008]
C:\Documents and Settings\Guest\Start Menu\Programs\Startup\
OpenOffice.org 2.1.lnk - C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 16:45:48]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 14:27:34]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2007-05-23 17:46 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
path=
backup=
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpcmpmgr]
--a------ 2008-01-12 15:17 126976 C:\WINDOWS\System32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a--c--- 2003-09-03 20:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McUpdate]
--a--c--- 2003-09-03 20:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-05-29 20:34 5419008 C:\Program Files\MySpace\IM\MySpaceIM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\realsched]
--a------ 2006-12-30 12:31 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-12-30 12:31 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Pml Driver HPZ12"=3 (0x3)
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-28 21:59]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
"2007-04-20 02:00:24 C:\WINDOWS\Tasks\RegCure Program Check.job" - C:\Program Files\RegCure\RegCure.exe
"2006-12-05 15:31:28 C:\WINDOWS\Tasks\RegCure.job" - C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 16:30:35
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-13 16:38:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-13 21:38:50
.
2007-12-13 08:05:03 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:40:41 PM, on 1/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab55579.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {339234B4-4E14-4280-B8B4-8BAE5AF99063} (Chess Object) - http://zone.msn.com/bingame/zpagames...p.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-48.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.co...veX/winrep.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/re...s/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab55579.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1124628481531
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.geni.com/ImageUploader4.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://brandeewynne.spaces.live.com/...d/MsnPUpld.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames...z.cab55579.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by141fd.bay141.hotmail.msn.co...x/HMAtchmt.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 9240 bytes
#5
Registered User
Join Date: Jan 2008
Posts: 18
OS: win xp sp2
Re: HijackThis Log - completed 5 steps
I just saw the warning, "WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!" on the logfile.
The file icon is on my desktop and I have the disk burned as it suggested. I'm not sure if I've done something improperly with that file.
#6
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,151
OS: 2000 Pro; XP Pro; XP Home
Re: HijackThis Log - completed 5 steps
Hi brandeewyne -
I see that you did not install the Recovery Console. Does this mean you have no Windows XP CD? Did you create a bootable disk, NTFS4FreeDos, from the link provided?
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
#7
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,151
OS: 2000 Pro; XP Pro; XP Home
Re: HijackThis Log - completed 5 steps
We cross posted.
Recovery Console is a bit different. If you created the NTFSFreeDOS bootable CD, that will suffice.
#8
Registered User
Join Date: Jan 2008
Posts: 18
OS: win xp sp2
Re: HijackThis Log - completed 5 steps
Then I believe I've burned the proper disk.
I used the following link to save the file to my desktop and burn a disk...
Quote:
If you do not have the Windows CD, then you can download and burn the following file to a CD. NTFS4FreeDos ISO Download Link
Is that correct?
#9
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,151
OS: 2000 Pro; XP Pro; XP Home
Re: HijackThis Log - completed 5 steps
That's great. It is a recovery access CD every Windows user should have.
I'll be back in a short while with the next instructions.
#11
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,151
OS: 2000 Pro; XP Pro; XP Home
Re: HijackThis Log - completed 5 steps
One or more of the identified infections steal information. That includes all passwords, logins to forums and your email details & other websites and most of all your Bank, Credit card or Paypal details. If this system is used for web based email, online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breach. It also seems to be able to steal all your emails so anything you have emailed to anybody is no longer confidential.
I suggest that you read this article too.
---------------------------------------------------------------------------------------------
It appears as though the files which usually contain this info for the badguys to harvest were 0 byte files, meaning they contained no data. It would still be prudent to follow the previous steps.
---------------------------------------------------------------------------------------------
Open Notepad and copy/paste the text in the quotebox below into it:
Quote:
Referring to the picture above, drag CFScript.txt into ComboFix.exe. When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
---------------------------------------------------------------------------------------------
#12
Registered User
Join Date: Jan 2008
Posts: 18
OS: win xp sp2
Re: HijackThis Log - completed 5 steps
As a precaution I will change all passwords from a clean computer and notify all my financial institutions first thing Monday. Thank you for the heads up on that. Hopefully no damage was done, but you're right, it's best to be safe.
I saved the text file as "CFScript.txt" and dragged it into the "combofix" icon on my desktop as suggested, and following is the updated logfile.

ComboFix 08-01-13.1 - Brandee 2008-01-13 17:12:53.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.311 [GMT -5:00]
Running from: C:\Documents and Settings\Brandee\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Brandee\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\n.bat
C:\WINDOWS\mrofinu1000106.exe.tmp
C:\WINDOWS\SYSTEM32\DRIVERS\core.cache(2).dsk
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\n.bat
C:\temp\cEeer12
C:\temp\cEeer12\skAt.log
C:\VundoFix Backups
C:\WINDOWS\mrofinu1000106.exe.tmp
C:\WINDOWS\SHVnaCBTdHVsbA
C:\WINDOWS\SYSTEM32\aj2
C:\WINDOWS\SYSTEM32\ardCo18
C:\WINDOWS\SYSTEM32\DRIVERS\core.cache(2).dsk
C:\WINDOWS\SYSTEM32\mr9
.
((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.
2008-01-12 16:01 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-09 14:27 . 2008-01-09 14:27 <DIR> d-------- C:\Deckard
2008-01-09 14:06 . 2008-01-09 14:06 <DIR> d-------- C:\ie-spyad_zo
2008-01-08 16:54 . 2008-01-08 16:54 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-08 16:54 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\SYSTEM32\MSSTDFMT.DLL
2008-01-08 14:04 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SDTHOOK.SYS
2008-01-08 13:26 . 2008-01-08 15:53 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2008-01-08 13:26 . 2008-01-08 13:26 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2008-01-08 13:26 . 2008-01-08 13:26 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2008-01-08 13:26 . 2008-01-08 13:26 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2008-01-07 22:03 . 2008-01-07 22:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-04 11:32 . 2008-01-04 11:32 <DIR> d-------- C:\Documents and Settings\Administrator.BRAN\Application Data\Lavasoft
2008-01-04 11:25 . 2004-04-23 10:41 <DIR> d-------- C:\Documents and Settings\Administrator.BRAN\Application Data\Jasc Software Inc
2008-01-04 11:25 . 2005-05-26 08:59 <DIR> d-------- C:\Documents and Settings\Administrator.BRAN\Application Data\Gtek
2008-01-03 15:58 . 2008-01-04 10:37 696 --a------ C:\WINDOWS\wininit.ini
2008-01-03 13:18 . 2008-01-12 15:17 155,648 --a------ C:\WINDOWS\SYSTEM32\igfxtray.exe
2008-01-03 13:18 . 2008-01-12 15:17 126,976 --a------ C:\WINDOWS\SYSTEM32\hkcmd.exe
2008-01-03 12:20 . 2008-01-03 12:20 147,456 --a------ C:\WINDOWS\SYSTEM32\vbzip10.dll
2007-12-30 17:05 . 2007-12-30 17:05 <DIR> d-------- C:\Program Files\abrViewer.NET
2007-12-28 13:11 . 2003-12-12 16:06 1,693,696 --a------ C:\WINDOWS\SYSTEM32\ltclr13n.dll
2007-12-28 13:11 . 2003-11-04 15:11 155,648 --a------ C:\WINDOWS\SYSTEM32\lftif13n.dll
2007-12-28 13:11 . 2003-11-04 15:10 98,304 --a------ C:\WINDOWS\SYSTEM32\lffax13n.dll
2007-12-28 13:11 . 2003-05-22 16:31 55,808 --a------ C:\WINDOWS\SYSTEM32\lfpsd13n.dll
2007-12-27 00:09 . 2007-12-27 00:09 <DIR> d-------- C:\Program Files\High-Logic
2007-12-27 00:09 . 2007-12-27 00:10 <DIR> d-------- C:\Documents and Settings\Brandee\Application Data\FontCreator
2007-12-27 00:09 . 2008-01-07 19:04 147 --a------ C:\WINDOWS\fcp5.cfg
2007-12-26 03:37 . 2007-12-26 03:37 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\ATI
2007-12-26 01:15 . 2007-12-26 01:15 <DIR> d-------- C:\Documents and Settings\Brandee\Application Data\ATI
2007-12-26 01:12 . 2007-12-26 01:12 <DIR> d-------- C:\Program Files\Common Files\ATI Technologies
2007-12-26 01:03 . 2007-12-26 01:09 <DIR> d-------- C:\Program Files\ATI Technologies
2007-12-26 01:03 . 2006-05-03 11:57 520,192 --a------ C:\WINDOWS\SYSTEM32\ati2sgag.exe
2007-12-26 01:02 . 2005-10-14 07:10 58,560 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ativckxx.vp
2007-12-26 01:02 . 2006-05-03 10:09 28,080 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ativvpxx.vp
2007-12-26 01:02 . 2006-01-25 17:48 6,005 --a------ C:\WINDOWS\SYSTEM32\atifglpf.xml
2007-12-26 01:02 . 2006-02-08 13:44 929 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ativcaxx.vp
2007-12-25 11:30 . 2007-12-25 14:13 <DIR> d-------- C:\Documents and Settings\Brandee\Application Data\U3
2007-12-25 11:30 . 2004-08-04 02:08 26,496 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\usbstor.sys
2007-12-20 01:45 . 2007-12-20 01:45 <DIR> d-------- C:\Program Files\SecondLife
2007-12-20 01:45 . 2007-12-20 02:21 <DIR> d-------- C:\Documents and Settings\Brandee\Application Data\SecondLife
2007-12-20 01:23 . 2007-12-20 01:23 <DIR> d-------- C:\Documents and Settings\Brandee\Application Data\Move Networks
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-13 21:29 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-01-13 21:25 --------- d-----w C:\Program Files\QuickTime
2008-01-08 20:29 --------- d-----w C:\Program Files\Palm
2008-01-08 20:23 --------- d-----w C:\Program Files\MSN Messenger
2008-01-08 20:23 --------- d-----w C:\Program Files\Last.fm
2008-01-08 20:17 --------- d-----w C:\Program Files\Google
2008-01-05 16:13 --------- d-----w C:\Documents and Settings\Guest\Application Data\OpenOffice.org2
2008-01-01 19:47 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-01 19:47 --------- d-----w C:\Documents and Settings\Brandee\Application Data\AdobeUM
2007-12-28 18:36 --------- d-----w C:\Documents and Settings\Brandee\Application Data\OpenOffice.org2
2007-12-26 06:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\SYSTEM32\lsasrv.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\lsasrv.dll
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-10-30 17:20 360,064 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
.
((((((((((((((((((((((((((((( snapshot@2008-01-13_16.38.24.07 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-12 21:02:35 1,363,968 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-13 22:12:32 1,363,968 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-12 21:02:35 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-13 22:12:32 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-12 21:02:35 1,077,248 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-13 22:12:32 1,077,248 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-12 21:02:36 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-13 22:12:32 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-12 21:02:36 6,139,904 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-13 22:12:32 6,135,808 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-12 21:02:36 475,136 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-13 22:12:32 475,136 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-12 15:18 68856]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2008-01-12 15:18 1591808]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-01-12 15:18 1318912]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-12 15:18 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-01-12 15:17 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-01-12 15:17 126976]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-01-12 15:17 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2008-01-12 15:17 45056]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 15:17 39792]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 20:34 5419008]
C:\Documents and Settings\Guest\Start Menu\Programs\Startup\
OpenOffice.org 2.1.lnk - C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 16:45:48]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 14:27:34]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2007-05-23 17:46 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
path=
backup=
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpcmpmgr]
--a------ 2008-01-12 15:17 126976 C:\WINDOWS\System32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a--c--- 2003-09-03 20:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McUpdate]
--a--c--- 2003-09-03 20:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-05-29 20:34 5419008 C:\Program Files\MySpace\IM\MySpaceIM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\realsched]
--a------ 2006-12-30 12:31 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-12-30 12:31 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Pml Driver HPZ12"=3 (0x3)
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-28 21:59]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
"2007-04-20 02:00:24 C:\WINDOWS\Tasks\RegCure Program Check.job" - C:\Program Files\RegCure\RegCure.exe
"2006-12-05 15:31:28 C:\WINDOWS\Tasks\RegCure.job" - C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 17:15:57
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-13 17:17:04
ComboFix-quarantined-files.txt 2008-01-13 22:16:42
ComboFix2.txt 2008-01-13 21:38:54
.
2007-12-13 08:05:03 --- E O F ---
#13
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,151
OS: 2000 Pro; XP Pro; XP Home
Re: HijackThis Log - completed 5 steps
I see no evidence of an AntiVirus program on your system. This must be resolved. Connecting to the Internet without antivirus protection is a "Welcome" doormat for malware. It can take as little as eight seconds to infect an unprotected computer.
Install this FREE AntiVirus program, update it, and run a full system scan.
Avira PersonalEdition Classic
Here is a tutorial on its setup and use: http://www.techsupportforum.com/cont...ticles/64.html
Save the log and post it, please.
Do not install more than one antivirus program because they will conflict with each other.
It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.
---------------------------------------------------------------------------------------------
Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.
---------------------------------------------------------------------------------------------
#14
Registered User
Join Date: Jan 2008
Posts: 18
OS: win xp sp2
Re: HijackThis Log - completed 5 steps
When I ran the combofix it stated that all firewalls and other such programs be turned off, which I did. Is it safe to turn them back on at this point or should I wait until I've completed the remaining steps?
Also, this computer is networked with one other computer in my home. Do I need to complete any of these steps on the other system?
Last edited by brandeewyne; 01-12-2008 at 03:40 PM.
#15
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,151
OS: 2000 Pro; XP Pro; XP Home
Re: HijackThis Log - completed 5 steps
Yes, please re-enable any protections. Typically, a reboot will do this.
#16
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,151
OS: 2000 Pro; XP Pro; XP Home
Re: HijackThis Log - completed 5 steps
Just to clarify...did you turn off the Windows firewall? Because I don't see a third party firewall, which is what that guide's intent is. Your answer may help us clarify that for other users.
#17
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,151
OS: 2000 Pro; XP Pro; XP Home
Re: HijackThis Log - completed 5 steps
Please try not to edit posts. I may not see the addition.
Quote:
#18
Registered User
Join Date: Jan 2008
Posts: 18
OS: win xp sp2
Re: HijackThis Log - completed 5 steps
To answer the first question: Yes. I turned off the Windows Firewall. (I've since turned it back on.) I do not have an additional firewall installed. I may have misread the directions, but I was under the impression that it was an all-encompassing statement. I don't remember seeing an exclusion for the Windows Firewall.
Secondly, I apologize for the edit. The question was an afterthought as I submitted the post and had gone to add on before I saw you had replied. You're fast! I will use separate posts from here on out. I'll post the updated logfiles momentarily.
#19
Registered User
Join Date: Jan 2008
Posts: 18
OS: win xp sp2
Re: HijackThis Log - completed 5 steps
Okay .. the AntiVir scan popped up with a detection as follows:
During the scan a virus or unwanted program was found! What should be done with the file?
C:\Deckard\System Scanner\backup\...\RCX21.tmp
This result has been obtained using heuristic techniques. It may be a false alarm. For a more detailed analysis, you may send us the file(s) for closer inspection via the Quarantine Manager.
Contains suspicious code HEUR/Malware
Move to quarantine or ignore?
Is this file associated with the scan that I downloaded off this site and should I prompt the scan to ignore it?
#20
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,151
OS: 2000 Pro; XP Pro; XP Home
Re: HijackThis Log - completed 5 steps
Sorry for the delay. Supper time.
You should be able to tell Avira to take actions after the scan is complete. For all actions, it should want to quarantine first, delete second. Accept its recommendations. That file is a Temp file which was removed when DSS first ran, so you want it gone. In other words, quarantine.
Thanks for the info about the Windows Firewall. You're quite right, the guide does not differentiate. With your feedback, we'll be able to adjust the guide for ComboFix usage. The tool is not new, but the published guide for usage is.