Resolved HJT Threads Resolved spyware and popup issues.
02-06-2008, 12:36 AM   #1
Registered User
 
Join Date: Feb 2008
Posts: 26
OS: xp


Help getting rid of Malware

I have been trying to play Maplestory and once I have loaded the game, it says that there has been a hacking threat or some traces of viruses and spyware.

I have been using Webroot and AVG; one big thing I found was a trojan called: Trojan-backdoor-czp

Deckard's System Scanner v20071014.68
Run by ryanho on 2008-02-05 23:18:51
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; System Restore is disabled (service is not running).


-- Last 5 Restore Point(s) --
58: 2006-11-12 01:46:28 UTC - RP97 - System Checkpoint
57: 2006-11-09 05:19:29 UTC - RP96 - System Checkpoint
56: 2006-11-08 04:04:08 UTC - RP95 - System Checkpoint
55: 2006-11-07 03:49:58 UTC - RP94 - System Checkpoint
54: 2006-11-06 02:44:43 UTC - RP93 - System Checkpoint


-- First Restore Point --
1: 2006-08-19 14:44:58 UTC - RP40 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 9.97 GiB (less than 15%) free.


-- HijackThis (run as ryanho.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23:57 PM, on 2/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\Help\spoolsv.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\DOCUME~1\RYANHO~1.RYA\LOCALS~1\Temp\clclean.0001
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\vssms32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rdigfvd.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\ryanho.RYAN\Desktop\dss.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\PROGRA~1\TRENDM~1\HIJACK~1\ryanho.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.blizzard.com/register/war3x/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] "C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" /uninstall
O4 - HKLM\..\Run: [vssms32] C:\WINDOWS\system32\vssms32.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [cubvf] C:\WINDOWS\system32\cubvf.exe
O4 - HKLM\..\Run: [bzamlj] C:\WINDOWS\system32\bzamlj.exe
O4 - HKLM\..\Run: [vdxbzcopygm] C:\WINDOWS\system32\vdxbzcopygm.exe
O4 - HKLM\..\Run: [xempixd] C:\WINDOWS\system32\xempixd.exe
O4 - HKLM\..\Run: [tplnrzanm] C:\WINDOWS\system32\tplnrzanm.exe
O4 - HKLM\..\Run: [safjabhgx] C:\WINDOWS\system32\safjabhgx.exe
O4 - HKLM\..\Run: [q] C:\WINDOWS\system32\q.exe
O4 - HKLM\..\Run: [zpwaelr] C:\WINDOWS\system32\zpwaelr.exe
O4 - HKLM\..\Run: [byrd] C:\WINDOWS\system32\byrd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [glgwazyjakc] C:\WINDOWS\system32\glgwazyjakc.exe
O4 - HKLM\..\Run: [rzemypomhm] C:\WINDOWS\system32\rzemypomhm.exe
O4 - HKLM\..\Run: [mlioco] C:\WINDOWS\system32\mlioco.exe
O4 - HKLM\..\Run: [fnugcqz] C:\WINDOWS\system32\fnugcqz.exe
O4 - HKLM\..\Run: [kednradk] C:\WINDOWS\system32\kednradk.exe
O4 - HKLM\..\Run: [ztdcemqks] C:\WINDOWS\system32\ztdcemqks.exe
O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
O4 - HKLM\..\Run: [rdigfvd] C:\WINDOWS\system32\rdigfvd.exe
O4 - HKLM\..\Run: [d] C:\WINDOWS\system32\d.exe
O4 - HKLM\..\Run: [zbctmnzhhncn] C:\WINDOWS\system32\zbctmnzhhncn.exe
O4 - HKLM\..\Run: [lvz] C:\WINDOWS\system32\lvz.exe
O4 - HKLM\..\Run: [syfexcqoq] C:\WINDOWS\system32\syfexcqoq.exe
O4 - HKLM\..\Run: [rjtyoewx] C:\WINDOWS\system32\rjtyoewx.exe
O4 - HKLM\..\Run: [y] C:\WINDOWS\system32\y.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE" /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\RunServices: [cubvf] C:\WINDOWS\system32\cubvf.exe
O4 - HKLM\..\RunServices: [vdxbzcopygm] C:\WINDOWS\system32\vdxbzcopygm.exe
O4 - HKLM\..\RunServices: [xempixd] C:\WINDOWS\system32\xempixd.exe
O4 - HKLM\..\RunServices: [tplnrzanm] C:\WINDOWS\system32\tplnrzanm.exe
O4 - HKLM\..\RunServices: [safjabhgx] C:\WINDOWS\system32\safjabhgx.exe
O4 - HKLM\..\RunServices: [q] C:\WINDOWS\system32\q.exe
O4 - HKLM\..\RunServices: [zpwaelr] C:\WINDOWS\system32\zpwaelr.exe
O4 - HKLM\..\RunServices: [byrd] C:\WINDOWS\system32\byrd.exe
O4 - HKLM\..\RunServices: [glgwazyjakc] C:\WINDOWS\system32\glgwazyjakc.exe
O4 - HKLM\..\RunServices: [rzemypomhm] C:\WINDOWS\system32\rzemypomhm.exe
O4 - HKLM\..\RunServices: [a] C:\WINDOWS\system32\a.exe
O4 - HKLM\..\RunServices: [mlioco] C:\WINDOWS\system32\mlioco.exe
O4 - HKLM\..\RunServices: [fnugcqz] C:\WINDOWS\system32\fnugcqz.exe
O4 - HKLM\..\RunServices: [kednradk] C:\WINDOWS\system32\kednradk.exe
O4 - HKLM\..\RunServices: [ztdcemqks] C:\WINDOWS\system32\ztdcemqks.exe
O4 - HKLM\..\RunServices: [rdigfvd] C:\WINDOWS\system32\rdigfvd.exe
O4 - HKLM\..\RunServices: [d] C:\WINDOWS\system32\d.exe
O4 - HKLM\..\RunServices: [zbctmnzhhncn] C:\WINDOWS\system32\zbctmnzhhncn.exe
O4 - HKLM\..\RunServices: [lvz] C:\WINDOWS\system32\lvz.exe
O4 - HKLM\..\RunServices: [syfexcqoq] C:\WINDOWS\system32\syfexcqoq.exe
O4 - HKLM\..\RunServices: [rjtyoewx] C:\WINDOWS\system32\rjtyoewx.exe
O4 - HKLM\..\RunServices: [y] C:\WINDOWS\system32\y.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Program Files\Octoshape Streaming Services\ryanho\OctoshapeClient.exe" -inv:bootrun
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] "C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" /S
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1152239816406
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0DD46FBB-00B6-463D-8202-199682932A46}: NameServer = 192.168.1.1,4.2.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{86AEE903-CED0-4BBA-9AC4-FFCB5B050BBA}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0DD46FBB-00B6-463D-8202-199682932A46}: NameServer = 192.168.1.1,4.2.2.2
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Print Spooler Service (ep1eiv1f7z) - Unknown owner - C:\WINDOWS\system32\y.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spooler Subsystem App (Splr_Service) - Unknown owner - C:\WINDOWS\Help\spoolsv.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 14235 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 oreans32 - c:\windows\system32\drivers\oreans32.sys
R2 {09BB444F-B2E2-4009-BAF2-7B727681223E} (BuddyVM) - c:\program files\vmlaunch\buddyvm.sys <Not Verified; Interlex Inc.; BUDDY for Virtual-Mate>
R2 npkcrypt - c:\program files\npkcrypt.sys <Not Verified; INCA Internet Co., Ltd.; nProtect KeyCrypt Driver>
R3 AR5211 (Airlink101 SuperG Wireless Adapter Service) - c:\windows\system32\drivers\ar5211.sys <Not Verified; Atheros Communications, Inc.; Atheros AR5001 Wireless Network Adapter>

S3 DISK_DRIVE32 - c:\docume~1\ryanho~1.rya\locals~1\temp\rar$ex00.359\disk drove\disk_1024.sys (file missing)
S3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
S3 Dua1 - c:\docume~1\ryanho~1.rya\locals~1\temp\rar$ex02.156\dualengi.sys (file missing)
S3 Dual2 - c:\docume~1\ryanho~1.rya\locals~1\temp\rar$ex00.797\dual2.sys (file missing)
S3 GR - c:\docume~1\ryanho~1.rya\locals~1\temp\rar$ex00.641\gameregistance 2.08\gameregistance 2.08\gr.sys (file missing)
S3 NPF (NetGroup Packet Filter Driver) - c:\windows\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>
S3 npkcusb - c:\nexon\maplestory\npkcusb.sys (file missing)
S3 PCHWDRVDEVICE0 - c:\program files\çã·¹àì¸åå©·î\çã·¹àì¸þàìçã\pchwdrv.sys (file missing)
S3 SDDMI2 - c:\windows\system32\ddmi2.sys <Not Verified; Gteko Ltd.; DDMI>
S3 sejt1 - c:\documents and settings\ryanho.ryan\desktop\akumaengine33\applications\sejt.sys (file missing)
S3 serb1 - c:\docume~1\ryanho~1.rya\locals~1\temp\rar$ex00.250\serbio engine\serbio.sys (file missing)
S3 unrealordBypass - c:\user\ryan\new folder\unrealordbypass.sys (file missing)
S3 xp1 - c:\docume~1\ryanho~1.rya\locals~1\temp\rar$ex13.9047\s3nsa 5 [s5nsa]\would i rather date\boys\working uce's\xpengine [zenos' new one]\xp.sys (file missing)
S3 zenx1 - c:\docume~1\ryanho~1.rya\locals~1\temp\rar$ex03.656\zenxengine_latest\zenx.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 Splr_Service (Spooler Subsystem App) - "c:\windows\help\spoolsv.exe"
R3 Creative Labs Licensing Service - "c:\program files\common files\creative labs shared\service\creativelicensing.exe" <Not Verified; Creative Labs; Creative Labs Licensing Service>

S2 ep1eiv1f7z (Print Spooler Service) - c:\windows\system32\y.exe /service (file missing)
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\program files\winpcap\rpcapd.exe" -d -f "c:\program files\winpcap\rpcapd.ini" <Not Verified; CACE Technologies; Remote Packet Capture Daemon>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-02-04 23:00:00 1680 --a------ C:\WINDOWS\Tasks\wrSpySweeper20060620223408.job
2008-02-01 20:00:00 414 --a------ C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (RYAN-amyho).job
2008-02-01 18:30:00 352 --a------ C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (RYAN-kingho).job
2008-01-30 17:56:05 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-01-05 and 2008-02-05 -----------------------------

2008-02-05 22:57:16 0 d-------- C:\Program Files\Trend Micro
2008-02-05 22:30:55 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-02-05 22:24:37 8576 --a------ C:\WINDOWS\system32\drivers\fkutiseiufes.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-02-05 22:02:28 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-02-05 22:02:25 0 d-------- C:\WINDOWS\LastGood
2008-02-05 20:59:44 0 d-------- C:\Program Files\GameGuard
2008-02-05 18:59:05 0 d-------- C:\Documents and Settings\ryanho.RYAN\Application Data\Uniblue
2008-02-05 18:58:57 0 d-------- C:\Program Files\Uniblue
2008-02-05 18:45:27 0 d-------- C:\WINDOWS\network diagnostic
2008-02-05 17:49:34 0 d-------- C:\Program Files\Common Files\INCA Shared
2008-02-03 21:26:08 0 d-------- C:\EPSONREG
2008-02-03 21:23:33 483328 --a------ C:\WINDOWS\system32\PICSDK.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2008-02-03 21:23:33 45056 --a------ C:\WINDOWS\system32\EpPicPrt.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2008-02-03 21:23:33 66532 --a------ C:\WINDOWS\system32\EPPICPrinterDB.dat
2008-02-03 21:23:33 1140 --a------ C:\WINDOWS\system32\EPPICPresetData_PT.dat
2008-02-03 21:23:33 1130 --a------ C:\WINDOWS\system32\EPPICPresetData_FR.dat
2008-02-03 21:23:33 1137 --a------ C:\WINDOWS\system32\EPPICPresetData_ES.dat
2008-02-03 21:23:33 1104 --a------ C:\WINDOWS\system32\EPPICPresetData_EN.dat
2008-02-03 21:23:33 1130 --a------ C:\WINDOWS\system32\EPPICPresetData_CF.dat
2008-02-03 21:23:33 1140 --a------ C:\WINDOWS\system32\EPPICPresetData_BP.dat
2008-02-03 21:23:33 4943 --a------ C:\WINDOWS\system32\EPPICPattern6.dat
2008-02-03 21:23:33 15670 --a------ C:\WINDOWS\system32\EPPICPattern5.dat
2008-02-03 21:23:32 10673 --a------ C:\WINDOWS\system32\EPPICPattern4.dat
2008-02-03 21:23:32 21021 --a------ C:\WINDOWS\system32\EPPICPattern3.dat
2008-02-03 21:23:32 13280 --a------ C:\WINDOWS\system32\EPPICPattern2.dat
2008-02-03 21:23:32 29114 --a------ C:\WINDOWS\system32\EPPICPattern1.dat
2008-02-03 21:23:32 45056 --a------ C:\WINDOWS\system32\EpPicMgr.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2008-02-03 21:22:10 0 d-------- C:\Program Files\EPSON
2008-01-30 10:13:44 110592 --a------ C:\Program Files\Canvas.dll <Not Verified; ; Canvas Module>
2008-01-30 10:02:42 253952 --a------ C:\Program Files\Gr2D_DX8.dll <Not Verified; ; Gr2D_DX8 Module>
2008-01-30 10:02:40 352256 --a------ C:\Program Files\ijl15.dll <Not Verified; Intel Corporation; Intel® JPEG Library>
2008-01-30 09:46:48 1874466 --a------ C:\Program Files\MapleStory.exe <Not Verified; Wizet; Wizet MapleStory>
2008-01-30 09:40:02 143360 --a------ C:\Program Files\NameSpace.dll <Not Verified; ; NameSpace Module>
2008-01-30 09:39:06 409680 --a------ C:\Program Files\npkcrypt.dll <Not Verified; INCA Internet Co., Ltd.; nProtect KeyCrypt Driver Support Dll>
2008-01-30 09:39:04 23217 --a------ C:\Program Files\npkcrypt.sys <Not Verified; INCA Internet Co., Ltd.; nProtect KeyCrypt Driver>
2008-01-30 09:39:02 15472 --a------ C:\Program Files\npkcusb.sys <Not Verified; INCA Internet Co., Ltd.; nProtect KeyCrypt Driver>
2008-01-30 09:39:00 53248 --a------ C:\Program Files\npkpdb.dll <Not Verified; INCA Internet Co., Ltd.; nProtect KeyCrypt Program Database DLL>
2008-01-30 09:38:56 106496 --a------ C:\Program Files\PCOM.dll <Not Verified; ; PCOM Module>
2008-01-30 09:37:36 409600 --a------ C:\Program Files\Setup.exe
2008-01-30 09:37:36 49152 --a------ C:\Program Files\ResMan.dll <Not Verified; ; ResMan Module>
2008-01-30 09:37:34 86016 --a------ C:\Program Files\Shape2D.dll <Not Verified; ; Shape2D Module>
2008-01-30 09:26:22 147456 --a------ C:\Program Files\Sound_DX8.dll <Not Verified; ; Sound_DX8 Module>
2008-01-30 09:25:34 524288 --a------ C:\Program Files\WzFlashRenderer.dll <Not Verified; Wizet; MapleStory>
2008-01-30 09:25:32 69685 --a------ C:\Program Files\ZLZ.dll
2008-01-27 00:37:54 0 d-------- C:\Program Files\PartyGaming
2008-01-27 00:37:33 0 d-------- C:\Program Files\Full Tilt Poker
2008-01-27 00:29:37 0 d-------- C:\Documents and Settings\ryanho.RYAN\PARTYPokerDir
2008-01-24 23:52:49 0 d-------- C:\Program Files\PokerStars.NET
2008-01-24 01:07:51 0 d-------- C:\WINDOWS\system32\windows media
2008-01-24 01:07:36 0 d--h----- C:\WINDOWS\msdownld.tmp
2008-01-24 01:07:24 0 d-------- C:\Program Files\Windows Media Components
2008-01-22 19:52:29 0 d-------- C:\Documents and Settings\ryanho.RYAN\OngameNetwork
2008-01-22 12:37:22 1384448 --a------ C:\Program Files\Patcher.exe <Not Verified; ; Patcher ?? ????>
2008-01-21 10:49:06 0 d-------- C:\Documents and Settings\All Users\Application Data\IJJIGame
2008-01-11 21:03:04 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2008-01-06 22:31:32 0 d-------- C:\Program Files\Ocean Technology


-- Find3M Report ---------------------------------------------------------------

2008-02-05 23:20:16 0 d-------- C:\Program Files\AIM6
2008-02-05 22:28:34 0 d-------- C:\Program Files\Bonjour
2008-02-05 22:21:59 0 d-------- C:\Program Files\iTunes
2008-02-05 22:21:29 0 d-------- C:\Program Files\Messenger
2008-02-05 22:21:26 0 d-------- C:\Program Files\Digital Line Detect
2008-02-05 22:21:23 0 d-------- C:\Program Files\Last.fm
2008-02-05 22:21:10 0 d-------- C:\Program Files\LimeWire
2008-02-05 22:19:03 0 d-------- C:\Program Files\BAE
2008-02-05 21:04:08 0 d-------- C:\Program Files\Steam
2008-02-05 21:03:23 0 d-------- C:\Documents and Settings\ryanho.RYAN\Application Data\Skype
2008-02-05 19:09:42 0 d-------- C:\Documents and Settings\ryanho.RYAN\Application Data\AVG7
2008-02-05 18:38:44 0 d-------- C:\Documents and Settings\ryanho.RYAN\Application Data\LimeWire
2008-02-05 17:49:34 0 d-------- C:\Program Files\Common Files
2008-02-05 16:46:55 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-01 20:17:06 0 d-------- C:\Documents and Settings\ryanho.RYAN\Application Data\Xfire
2008-01-31 00:12:32 0 d-------- C:\Documents and Settings\ryanho.RYAN\Application Data\Azureus
2008-01-30 10:13:44 6351 --a------ C:\Program Files\Base.wz
2008-01-30 10:13:42 118423889 --a------ C:\Program Files\Character.wz
2008-01-30 10:03:04 6111462 --a------ C:\Program Files\Effect.wz
2008-01-30 10:02:46 604366 --a------ C:\Program Files\Etc.wz
2008-01-30 10:02:44 274625 --a------ C:\Program Files\GameGuard.des <Not Verified; INCA Internet Co., Ltd.; nProtect GameGuard Launcher>
2008-01-30 10:02:38 8277114 --a------ C:\Program Files\Item.wz
2008-01-30 10:02:18 290816 --a------ C:\Program Files\l3codeca.acm <Not Verified; Fraunhofer Institut Integrierte Schaltungen IIS; MPEG Layer-3 Audio Codec for MSACM>
2008-01-30 10:02:16 336710101 --a------ C:\Program Files\Map.wz
2008-01-30 09:46:42 168365860 --a------ C:\Program Files\Mob.wz
2008-01-30 09:46:42 412 --a------ C:\Program Files\MapleStoryUS.ini
2008-01-30 09:40:04 160638 --a------ C:\Program Files\Morph.wz
2008-01-30 09:40:00 24732636 --a------ C:\Program Files\Npc.wz
2008-01-30 09:39:04 26344 --a------ C:\Program Files\npkcrypt.vxd
2008-01-30 09:38:54 2000385 --a------ C:\Program Files\Quest.wz
2008-01-30 09:38:48 25919769 --a------ C:\Program Files\Reactor.wz
2008-01-30 09:37:32 42333488 --a------ C:\Program Files\Skill.wz
2008-01-30 09:35:50 229561281 --a------ C:\Program Files\Sound.wz
2008-01-30 09:26:22 1686404 --a------ C:\Program Files\String.wz
2008-01-30 09:26:16 12072911 --a------ C:\Program Files\UI.wz
2008-01-30 09:26:16 381 --a------ C:\Program Files\TamingMob.wz
2008-01-26 01:15:57 0 d-------- C:\Program Files\Warcraft III
2008-01-25 16:00:03 0 d---s---- C:\Program Files\Xfire
2008-01-23 22:05:53 0 d-------- C:\Program Files\Azureus
2008-01-22 11:43:11 0 d-------- C:\Documents and Settings\ryanho.RYAN\Application Data\Macromedia
2008-01-22 11:41:44 4026 --a------ C:\WINDOWS\mozver.dat
2008-01-21 10:49:43 0 d--h----- C:\Documents and Settings\ryanho.RYAN\Application Data\ijjigame
2008-01-21 10:15:33 0 d-------- C:\Program Files\iPod
2008-01-21 10:13:39 0 d-------- C:\Program Files\QuickTime
2008-01-10 16:22:50 0 d-------- C:\Program Files\Starcraft
2007-12-19 23:01:24 0 d-------- C:\Program Files\World of Warcraft
2007-12-11 16:04:11 0 d-------- C:\Program Files\Java
2007-12-07 17:42:53 0 d-------- C:\Program Files\NHN USA
2007-12-07 17:37:19 0 d-------- C:\Documents and Settings\ryanho.RYAN\Application Data\InstallShield
2007-12-07 00:27:06 0 d-------- C:\Program Files\WC3Banlist
2007-11-13 19:29:34 52352 --a------ C:\Documents and Settings\ryanho.RYAN\Application Data\GDIPFONTCACHEV1.DAT


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [09/29/2005 11:01 AM]
"SigmatelSysTrayApp"="stsystra.exe" [03/22/2005 09:20 PM C:\WINDOWS\stsystra.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [08/05/2005 06:05 PM]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [05/03/2006 12:12 AM]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [09/15/2005 06:47 AM]
"MBMon"="CTMBHA.DLL" [05/19/2005 05:54 AM C:\WINDOWS\system32\CTMBHA.DLL]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [05/10/2000 10:00 PM]
"VoiceCenter"="C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" [09/19/2005 04:42 AM]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [06/10/2005 07:44 AM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [06/10/2005 07:44 AM]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [09/08/2005 02:20 AM]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [08/12/2005 01:16 PM]
"vssms32"="C:\WINDOWS\system32\vssms32.exe" [09/16/2006 01:06 PM]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [05/10/2006 08:12 AM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [01/27/2008 11:05 PM]
"cubvf"="C:\WINDOWS\system32\cubvf.exe" []
"bzamlj"="C:\WINDOWS\system32\bzamlj.exe" []
"vdxbzcopygm"="C:\WINDOWS\system32\vdxbzcopygm.exe" []
"xempixd"="C:\WINDOWS\system32\xempixd.exe" []
"tplnrzanm"="C:\WINDOWS\system32\tplnrzanm.exe" []
"safjabhgx"="C:\WINDOWS\system32\safjabhgx.exe" []
"q"="C:\WINDOWS\system32\q.exe" []
"zpwaelr"="C:\WINDOWS\system32\zpwaelr.exe" []
"byrd"="C:\WINDOWS\system32\byrd.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [06/29/2007 03:52 PM]
"glgwazyjakc"="C:\WINDOWS\system32\glgwazyjakc.exe" []
"rzemypomhm"="C:\WINDOWS\system32\rzemypomhm.exe" []
"mlioco"="C:\WINDOWS\system32\mlioco.exe" []
"fnugcqz"="C:\WINDOWS\system32\fnugcqz.exe" []
"kednradk"="C:\WINDOWS\system32\kednradk.exe" []
"ztdcemqks"="C:\WINDOWS\system32\ztdcemqks.exe" []
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"rdigfvd"="C:\WINDOWS\system32\rdigfvd.exe" [07/27/2007 06:15 PM]
"d"="C:\WINDOWS\system32\d.exe" []
"zbctmnzhhncn"="C:\WINDOWS\system32\zbctmnzhhncn.exe" []
"lvz"="C:\WINDOWS\system32\lvz.exe" []
"syfexcqoq"="C:\WINDOWS\system32\syfexcqoq.exe" []
"rjtyoewx"="C:\WINDOWS\system32\rjtyoewx.exe" []
"y"="C:\WINDOWS\system32\y.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [01/10/2008 03:27 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [01/15/2008 03:22 AM]
"EPSON Stylus C88 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.exe" [01/27/2005 04:00 AM]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [03/01/2007 04:55 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [12/22/2004 02:40 PM C:\WINDOWS\MIDIDEF.EXE]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [06/26/2006 12:53 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 08:24 AM]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"Aim6"="" []
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 02:00 AM]
"Octoshape Streaming Services"="C:\Program Files\Octoshape Streaming Services\ryanho\OctoshapeClient.exe" []
"Steam"="c:\program files\steam\steam.exe" [11/29/2007 03:19 PM]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [02/01/2008 10:51 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"cubvf"=C:\WINDOWS\system32\cubvf.exe
"vdxbzcopygm"=C:\WINDOWS\system32\vdxbzcopygm.exe
"xempixd"=C:\WINDOWS\system32\xempixd.exe
"tplnrzanm"=C:\WINDOWS\system32\tplnrzanm.exe
"safjabhgx"=C:\WINDOWS\system32\safjabhgx.exe
"q"=C:\WINDOWS\system32\q.exe
"zpwaelr"=C:\WINDOWS\system32\zpwaelr.exe
"byrd"=C:\WINDOWS\system32\byrd.exe
"glgwazyjakc"=C:\WINDOWS\system32\glgwazyjakc.exe
"rzemypomhm"=C:\WINDOWS\system32\rzemypomhm.exe
"a"=C:\WINDOWS\system32\a.exe
"mlioco"=C:\WINDOWS\system32\mlioco.exe
"fnugcqz"=C:\WINDOWS\system32\fnugcqz.exe
"kednradk"=C:\WINDOWS\system32\kednradk.exe
"ztdcemqks"=C:\WINDOWS\system32\ztdcemqks.exe
"rdigfvd"=C:\WINDOWS\system32\rdigfvd.exe
"d"=C:\WINDOWS\system32\d.exe
"zbctmnzhhncn"=C:\WINDOWS\system32\zbctmnzhhncn.exe
"lvz"=C:\WINDOWS\system32\lvz.exe
"syfexcqoq"=C:\WINDOWS\system32\syfexcqoq.exe
"rjtyoewx"=C:\WINDOWS\system32\rjtyoewx.exe
"y"=C:\WINDOWS\system32\y.exe

C:\Documents and Settings\ryanho.RYAN\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [6/29/2007 12:31:51 PM]
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [12/3/2007 1:35:53 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [6/8/2006 8:33:52 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/12/2001 10:01:04 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe

*Newly Created Service* - FKUTISEIUFES
*Newly Created Service* - NPKCRYPT
*Newly Created Service* - NPPTNT2
*Newly Created Service* - RKPAVPROC
*Newly Created Service* - SDTHOOK



-- End of Deckard's System Scanner: finished at 2008-02-05 23:25:57 ------------
zeromonkeyx is offline  

Old 02-09-2008, 08:03 AM   #2 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Join Date: Sep 2005
Location: Glasgow
Posts: 25,499
OS: Win XP Pro SP3 / Win 7 Pro

Blog Entries: 10
Re: Help getting rid of Malware

Hi and welcome to TSF.

Apologies for any delay in replying, but we have been rather busy lately, and, of course, all our helpers are volunteers.

You are heavily infected so please be aware that this may take some time and effort to clean.

My name is Iain and I will be helping you clean your system.

You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your logs are clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.

If there is anything you don't understand, please ask BEFORE proceeding with the fixes.

Please ensure that you follow the instructions in the order I have them listed.


We'll begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/comb...o-use-combofix
  • When the tool is finished, it will produce a report for you.
  • Please post C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



PC Safety & Security::PC running a bit slow?::Donate::Photographers Corner
Glaswegian is offline  
Old 02-10-2008, 11:02 AM   #3 (permalink)
Registered User
 
Join Date: Feb 2008
Posts: 26
OS: xp


Re: Help getting rid of Malware

Thank you guys for all your help. Here is the ComboFix log and the new HijackThis log.

ComboFix 08-02.05.3 - ryanho 2008-02-10 9:37:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.529 [GMT -8:00]
Running from: C:\Documents and Settings\ryanho.RYAN\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Temporary

.
((((((((((((((((((((((((( Files Created from 2008-01-10 to 2008-02-10 )))))))))))))))))))))))))))))))
.

2008-02-08 15:06 . 23,552 C:\WINDOWS\system32\ntcvx32.dll
2008-02-07 20:22 . 2008-02-07 20:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-07 19:20 . 2008-02-07 19:20 <DIR> d-------- C:\Nexon
2008-02-07 17:20 . 2008-02-07 17:20 86 --a------ C:\WINDOWS\wininit.ini
2008-02-07 16:46 . 2008-02-07 16:46 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-07 16:46 . 2008-02-07 16:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-07 16:36 . 2008-02-07 16:36 <DIR> d-------- C:\Program Files\CCleaner
2008-02-05 23:18 . 2008-02-05 23:18 <DIR> d-------- C:\Deckard
2008-02-05 22:57 . 2008-02-05 22:57 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-05 22:30 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-05 22:24 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\fkutiseiufes.sys
2008-02-05 22:02 . 2008-02-05 22:52 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-05 22:02 . 2008-02-05 22:02 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-05 22:02 . 2008-02-05 22:02 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-05 22:02 . 2008-02-05 22:02 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-05 20:59 . 2008-02-07 19:08 <DIR> d-------- C:\Program Files\GameGuard
2008-02-05 18:59 . 2008-02-05 18:59 <DIR> d-------- C:\Documents and Settings\ryanho.RYAN\Application Data\Uniblue
2008-02-05 18:50 . 2007-10-10 15:55 6,065,664 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-02-05 18:50 . 2007-06-30 19:31 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-02-05 18:50 . 2007-06-30 19:36 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-02-05 18:50 . 2007-10-10 15:55 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-02-05 18:50 . 2007-10-10 15:55 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-02-05 18:50 . 2007-10-10 15:55 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-02-05 18:50 . 2007-10-10 15:55 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-02-05 18:50 . 2007-10-10 15:55 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-02-05 18:50 . 2007-10-10 02:59 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-05 18:45 . 2007-08-13 18:54 33,792 --a------ C:\WINDOWS\system32\dllcache\custsat.dll
2008-02-05 17:49 . 2008-02-05 17:49 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-02-03 21:26 . 2008-02-03 21:26 <DIR> d-------- C:\EPSONREG
2008-02-03 21:22 . 2008-02-03 21:22 <DIR> d-------- C:\Program Files\EPSON
2008-02-03 21:22 . 2004-06-24 00:20 309,760 --a------ C:\WINDOWS\system32\EAL32.DLL
2008-02-03 21:22 . 2004-03-12 01:30 82,944 --a------ C:\WINDOWS\system32\EAL.EXE
2008-02-03 21:22 . 2004-11-25 05:07 79,679 --a------ C:\WINDOWS\system32\E_FLMABA.DLL
2008-02-03 21:22 . 2003-05-21 01:27 64,000 --a------ C:\WINDOWS\system32\E_FBCBABA.DLL
2008-02-03 21:22 . 2000-06-07 00:01 34,304 --a------ C:\WINDOWS\system32\E_FBCHABA.DLL
2008-02-03 21:22 . 2004-06-24 00:20 51 --a------ C:\WINDOWS\system32\EAL32.INI
2008-02-03 21:21 . 2008-02-03 21:26 58 --a------ C:\WINDOWS\EPSONSC88+.ini
2008-01-30 18:02 . 2008-01-30 18:02 54,608 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-01-27 00:37 . 2008-01-27 00:37 <DIR> d-------- C:\Program Files\PartyGaming
2008-01-27 00:37 . 2008-02-07 20:25 <DIR> d-------- C:\Program Files\Full Tilt Poker
2008-01-27 00:29 . 2008-01-27 00:29 <DIR> d-------- C:\Documents and Settings\ryanho.RYAN\PARTYPokerDir
2008-01-24 23:52 . 2008-01-27 00:23 <DIR> d-------- C:\Program Files\PokerStars.NET
2008-01-24 01:07 . 2008-01-24 01:07 <DIR> d-------- C:\WINDOWS\system32\windows media
2008-01-24 01:07 . 2008-01-24 01:07 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-01-24 01:07 . 2008-01-24 01:07 <DIR> d-------- C:\Program Files\Windows Media Components
2008-01-22 19:52 . 2008-01-28 17:46 <DIR> d-------- C:\Documents and Settings\ryanho.RYAN\OngameNetwork
2008-01-21 10:49 . 2008-01-21 10:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\IJJIGame
2008-01-11 21:03 . 2008-01-11 21:03 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-09 17:09 --------- d-s---w C:\Program Files\Xfire
2008-02-09 03:31 --------- d-----w C:\Program Files\Warcraft III
2008-02-08 23:32 --------- d-----w C:\Documents and Settings\ryanho.RYAN\Application Data\Xfire
2008-02-08 04:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-08 04:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-02-08 00:51 --------- d-----w C:\Program Files\GemMaster
2008-02-08 00:42 --------- d-----w C:\Program Files\SwiftSwitch
2008-02-08 00:42 --------- d-----w C:\Program Files\Starcraft
2008-02-08 00:42 --------- d-----w C:\Documents and Settings\ryanho.RYAN\Application Data\Skype
2008-02-07 23:11 --------- d-----w C:\Documents and Settings\ryanho.RYAN\Application Data\LimeWire
2008-02-07 23:10 --------- d-----w C:\Program Files\Steam
2008-02-06 07:39 --------- d-----w C:\Program Files\LimeWire
2008-02-06 07:38 --------- d-----w C:\Program Files\Last.fm
2008-02-06 07:37 --------- d-----w C:\Program Files\iTunes
2008-02-06 07:34 --------- d-----w C:\Program Files\DIGStream
2008-02-06 07:25 --------- d-----w C:\Program Files\Bonjour
2008-02-06 07:25 --------- d-----w C:\Program Files\BAE
2008-02-06 07:20 --------- d-----w C:\Program Files\AIM6
2008-02-06 06:21 --------- d-----w C:\Program Files\Digital Line Detect
2008-02-06 05:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-06 03:09 --------- d-----w C:\Documents and Settings\ryanho.RYAN\Application Data\AVG7
2008-01-31 08:12 --------- d-----w C:\Documents and Settings\ryanho.RYAN\Application Data\Azureus
2008-01-24 06:05 --------- d-----w C:\Program Files\Azureus
2008-01-21 18:49 --------- d--h--w C:\Documents and Settings\ryanho.RYAN\Application Data\ijjigame
2008-01-21 18:15 --------- d-----w C:\Program Files\iPod
2008-01-21 18:13 --------- d-----w C:\Program Files\QuickTime
2008-01-07 06:31 --------- d-----w C:\Program Files\Ocean Technology
2007-12-20 07:01 --------- d-----w C:\Program Files\World of Warcraft
2007-12-12 00:04 --------- d-----w C:\Program Files\Java
2007-11-14 03:29 52,352 ----a-w C:\Documents and Settings\ryanho.RYAN\Application Data\GDIPFONTCACHEV1.DAT
2007-07-16 01:03 3,597 ----a-w C:\Program Files\Read_Me.txt
2006-06-03 18:26 2,232 ----a-w C:\Program Files\Readme.txt
2006-06-03 18:26 1,796 ----a-w C:\Program Files\Changes.txt
2007-05-05 19:57 92,160 --sh--r C:\WINDOWS\Help\spoolsv.exe
2007-06-26 12:33 88 --sh--r C:\WINDOWS\system32\AFAA2DDEF3.sys
2007-06-26 12:33 3,766 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 14:40 24576 C:\WINDOWS\MIDIDEF.EXE]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 02:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 21:20 339968 C:\WINDOWS\stsystra.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 18:05 344064]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 00:12 98304]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-09-15 06:47 57344]
"MBMon"="CTMBHA.DLL" [2005-05-19 05:54 1345520 C:\WINDOWS\system32\CTMBHA.DLL]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-10 22:00 90112]
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 07:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 07:44 81920]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 02:20 122940]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 08:12 90112]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-06-29 15:52 185896]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"EPSON Stylus C88 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.exe" [2005-01-27 04:00 98304]
"vssms32"="C:\WINDOWS\system32\vssms32.exe" [2006-09-16 13:06 1469952]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-07 20:22 579072]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-03-01 16:55 4865600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"cubvf"="C:\WINDOWS\system32\cubvf.exe" [ ]
"vdxbzcopygm"="C:\WINDOWS\system32\vdxbzcopygm.exe" [ ]
"xempixd"="C:\WINDOWS\system32\xempixd.exe" [ ]
"tplnrzanm"="C:\WINDOWS\system32\tplnrzanm.exe" [ ]
"safjabhgx"="C:\WINDOWS\system32\safjabhgx.exe" [ ]
"q"="C:\WINDOWS\system32\q.exe" [ ]
"zpwaelr"="C:\WINDOWS\system32\zpwaelr.exe" [ ]
"byrd"="C:\WINDOWS\system32\byrd.exe" [ ]
"glgwazyjakc"="C:\WINDOWS\system32\glgwazyjakc.exe" [ ]
"rzemypomhm"="C:\WINDOWS\system32\rzemypomhm.exe" [ ]
"a"="C:\WINDOWS\system32\a.exe" [ ]
"mlioco"="C:\WINDOWS\system32\mlioco.exe" [ ]
"fnugcqz"="C:\WINDOWS\system32\fnugcqz.exe" [ ]
"kednradk"="C:\WINDOWS\system32\kednradk.exe" [ ]
"ztdcemqks"="C:\WINDOWS\system32\ztdcemqks.exe" [ ]
"rdigfvd"="C:\WINDOWS\system32\rdigfvd.exe" [2007-07-27 18:15 108544]
"d"="C:\WINDOWS\system32\d.exe" [ ]
"zbctmnzhhncn"="C:\WINDOWS\system32\zbctmnzhhncn.exe" [ ]
"lvz"="C:\WINDOWS\system32\lvz.exe" [ ]
"syfexcqoq"="C:\WINDOWS\system32\syfexcqoq.exe" [ ]
"rjtyoewx"="C:\WINDOWS\system32\rjtyoewx.exe" [ ]
"y"="C:\WINDOWS\system32\y.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 02:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-07 20:22 219136]

C:\Documents and Settings\ryanho.RYAN\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-06-29 12:31:51 106496]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-08 08:33:52 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 22:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2006-11-11 22:29]
R2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;C:\Program Files\VMLaunch\BuddyVM.sys [2004-10-05 07:40]
R2 Splr_Service;Spooler Subsystem App;"C:\WINDOWS\Help\spoolsv.exe" [2007-05-05 11:57]
S2 ep1eiv1f7z;Print Spooler Service;C:\WINDOWS\system32\y.exe []
S3 DISK_DRIVE32;DISK_DRIVE32;C:\DOCUME~1\RYANHO~1.RYA\LOCALS~1\Temp\Rar$EX00.359\Disk Drove\disk_1024.sys []
S3 Dua1;Dua1;C:\DOCUME~1\RYANHO~1.RYA\LOCALS~1\Temp\Rar$EX02.156\DualEngi.sys []
S3 Dual2;Dual2;C:\DOCUME~1\RYANHO~1.RYA\LOCALS~1\Temp\Rar$EX00.797\Dual2.sys []
S3 GR;GR;C:\DOCUME~1\RYANHO~1.RYA\LOCALS~1\Temp\Rar$EX00.641\GameRegistance 2.08\GameRegistance 2.08\GR.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 13:10]
S3 PCHWDRVDEVICE0;PCHWDRVDEVICE0;C:\Program Files\Ç÷¹À̸ÅÅ©·Î\Ç÷¹À̸ÞÀÌÇÃ\PCHWDRV.sys []
S3 sejt1;sejt1;C:\Documents and Settings\ryanho.RYAN\Desktop\AkumaEngine33\Applications\sejt.sys []
S3 serb1;serb1;C:\DOCUME~1\RYANHO~1.RYA\LOCALS~1\Temp\Rar$EX00.250\Serbio Engine\serbio.sys []
S3 unrealordBypass;unrealordBypass;C:\user\ryan\New Folder\unrealordBypass.sys []
S3 xp1;xp1;C:\DOCUME~1\RYANHO~1.RYA\LOCALS~1\Temp\Rar$EX13.9047\S3NSA 5 [S5NSA]\Would I rather date\Boys\Working UCE's\XPEngine [zenos' new one]\xp.sys []
S3 zenx1;zenx1;C:\DOCUME~1\RYANHO~1.RYA\LOCALS~1\Temp\Rar$EX03.656\ZenxEngine_LATEST\zenx.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-07 01:56:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-09 04:00:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (RYAN-amyho).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2008-02-09 02:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (RYAN-kingho).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2008-02-05 07:00:00 C:\WINDOWS\Tasks\wrSpySweeper20060620223408.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe*/ScheduleSweep=wrSpySweeper20060620223408
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-10 09:41:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ImagePath"="\??\C:\DOCUME~1\RYANHO~1.RYA\LOCALS~1\Temp\Rar$EX13.9047\S3NSA 5
[S5NSA]\Would I rather date\Boys\Working UCE's\XPEngine [zenos' new one]\xp.sys"

.
Completion time: 2008-02-10 9:44:57
.
2008-02-07 07:40:48 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:57:53 AM, on 2/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\Help\spoolsv.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\DOCUME~1\RYANHO~1.RYA\LOCALS~1\Temp\clclean.0001
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\WINDOWS\system32\vssms32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.blizzard.com/register/war3x/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE" /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"
O4 - HKLM\..\Run: [vssms32] C:\WINDOWS\system32\vssms32.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\RunServices: [cubvf] C:\WINDOWS\system32\cubvf.exe
O4 - HKLM\..\RunServices: [vdxbzcopygm] C:\WINDOWS\system32\vdxbzcopygm.exe
O4 - HKLM\..\RunServices: [xempixd] C:\WINDOWS\system32\xempixd.exe
O4 - HKLM\..\RunServices: [tplnrzanm] C:\WINDOWS\system32\tplnrzanm.exe
O4 - HKLM\..\RunServices: [safjabhgx] C:\WINDOWS\system32\safjabhgx.exe
O4 - HKLM\..\RunServices: [q] C:\WINDOWS\system32\q.exe
O4 - HKLM\..\RunServices: [zpwaelr] C:\WINDOWS\system32\zpwaelr.exe
O4 - HKLM\..\RunServices: [byrd] C:\WINDOWS\system32\byrd.exe
O4 - HKLM\..\RunServices: [glgwazyjakc] C:\WINDOWS\system32\glgwazyjakc.exe
O4 - HKLM\..\RunServices: [rzemypomhm] C:\WINDOWS\system32\rzemypomhm.exe
O4 - HKLM\..\RunServices: [a] C:\WINDOWS\system32\a.exe
O4 - HKLM\..\RunServices: [mlioco] C:\WINDOWS\system32\mlioco.exe
O4 - HKLM\..\RunServices: [fnugcqz] C:\WINDOWS\system32\fnugcqz.exe
O4 - HKLM\..\RunServices: [kednradk] C:\WINDOWS\system32\kednradk.exe
O4 - HKLM\..\RunServices: [ztdcemqks] C:\WINDOWS\system32\ztdcemqks.exe
O4 - HKLM\..\RunServices: [rdigfvd] C:\WINDOWS\system32\rdigfvd.exe
O4 - HKLM\..\RunServices: [d] C:\WINDOWS\system32\d.exe
O4 - HKLM\..\RunServices: [zbctmnzhhncn] C:\WINDOWS\system32\zbctmnzhhncn.exe
O4 - HKLM\..\RunServices: [lvz] C:\WINDOWS\system32\lvz.exe
O4 - HKLM\..\RunServices: [syfexcqoq] C:\WINDOWS\system32\syfexcqoq.exe
O4 - HKLM\..\RunServices: [rjtyoewx] C:\WINDOWS\system32\rjtyoewx.exe
O4 - HKLM\..\RunServices: [y] C:\WINDOWS\system32\y.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1152239816406
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0DD46FBB-00B6-463D-8202-199682932A46}: NameServer = 192.168.1.1,4.2.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{86AEE903-CED0-4BBA-9AC4-FFCB5B050BBA}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0DD46FBB-00B6-463D-8202-199682932A46}: NameServer = 192.168.1.1,4.2.2.2
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Print Spooler Service (ep1eiv1f7z) - Unknown owner - C:\WINDOWS\system32\y.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spooler Subsystem App (Splr_Service) - Unknown owner - C:\WINDOWS\Help\spoolsv.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 11630 bytes
Old 02-10-2008, 03:23 PM #4
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Join Date: Sep 2005
Location: Glasgow
Posts: 25,499
OS: Win XP Pro SP3 / Win 7 Pro
Re: Help getting rid of Malware

Hi again

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.


Combofix
  • Close any open browsers.
  • Open notepad and copy/paste the text in the box below into it:

Code:
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cubvf"=-
"vdxbzcopygm"=-
"xempixd"=-
"tplnrzanm"=-
"safjabhgx"=-
"q"=-
"zpwaelr"=-
"byrd"=-
"glgwazyjakc"=-
"rzemypomhm"=-
"a"=-
"mlioco"=-
"fnugcqz"=-
"kednradk"=-
"ztdcemqks"=-
"rdigfvd"=-
"d"=-
"zbctmnzhhncn"=-
"lvz"=-
"syfexcqoq"=-
"rjtyoewx"=-
"y"=-
Looking at the image below as an example



Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at "C:\ComboFix.txt"

Do not mouse-click ComboFix's window whilst it's running. This may cause it to stall.

CAUTION! Anyone else thinking of using the above script does so at their own risk - you may end up having to re-install Windows!


Please post the log C:\ComboFix.txt along with a fresh HijackThis Log for further review.

Please also tell me how your system is running.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.
Old 02-11-2008, 04:37 PM #5
Registered User
 
Join Date: Feb 2008
Posts: 26
OS: xp


Re: Help getting rid of Malware

My system is running smoothly as it usually does. Again, thanks for you guys' help.

ComboFix 08-02.05.3 - ryanho 2008-02-11 15:21:43.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.579 [GMT -8:00]
Running from: C:\Documents and Settings\ryanho.RYAN\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ryanho.RYAN\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-11 to 2008-02-11 )))))))))))))))))))))))))))))))
.

2008-02-10 09:59 . 2008-02-11 15:06 23,552 --a------ C:\WINDOWS\system32\ntcvx32.dll
2008-02-10 09:59 . 2008-02-11 15:06 8,704 --a------ C:\WINDOWS\system32\ntswrl32.dll
2008-02-07 20:22 . 2008-02-07 20:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-07 19:20 . 2008-02-07 19:20 <DIR> d-------- C:\Nexon
2008-02-07 17:20 . 2008-02-07 17:20 86 --a------ C:\WINDOWS\wininit.ini
2008-02-07 16:46 . 2008-02-07 16:46 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-07 16:46 . 2008-02-07 16:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-07 16:36 . 2008-02-07 16:36 <DIR> d-------- C:\Program Files\CCleaner
2008-02-05 23:18 . 2008-02-05 23:18 <DIR> d-------- C:\Deckard
2008-02-05 22:57 . 2008-02-05 22:57 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-05 22:30 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-05 22:24 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\fkutiseiufes.sys
2008-02-05 22:02 . 2008-02-05 22:52 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-05 22:02 . 2008-02-05 22:02 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-05 22:02 . 2008-02-05 22:02 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-05 22:02 . 2008-02-05 22:02 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-05 20:59 . 2008-02-07 19:08 <DIR> d-------- C:\Program Files\GameGuard
2008-02-05 18:59 . 2008-02-05 18:59 <DIR> d-------- C:\Documents and Settings\ryanho.RYAN\Application Data\Uniblue
2008-02-05 18:50 . 2007-10-10 15:55 6,065,664 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-02-05 18:50 . 2007-06-30 19:31 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-02-05 18:50 . 2007-06-30 19:36 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-02-05 18:50 . 2007-10-10 15:55 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-02-05 18:50 . 2007-10-10 15:55 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-02-05 18:50 . 2007-10-10 15:55 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-02-05 18:50 . 2007-10-10 15:55 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-02-05 18:50 . 2007-10-10 15:55 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-02-05 18:50 . 2007-10-10 02:59 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-05 18:45 . 2007-08-13 18:54 33,792 --a------ C:\WINDOWS\system32\dllcache\custsat.dll
2008-02-05 17:49 . 2008-02-05 17:49 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-02-03 21:26 . 2008-02-03 21:26 <DIR> d-------- C:\EPSONREG
2008-02-03 21:22 . 2008-02-03 21:22 <DIR> d-------- C:\Program Files\EPSON
2008-02-03 21:22 . 2004-06-24 00:20 309,760 --a------ C:\WINDOWS\system32\EAL32.DLL
2008-02-03 21:22 . 2004-03-12 01:30 82,944 --a------ C:\WINDOWS\system32\EAL.EXE
2008-02-03 21:22 . 2004-11-25 05:07 79,679 --a------ C:\WINDOWS\system32\E_FLMABA.DLL
2008-02-03 21:22 . 2003-05-21 01:27 64,000 --a------ C:\WINDOWS\system32\E_FBCBABA.DLL
2008-02-03 21:22 . 2000-06-07 00:01 34,304 --a------ C:\WINDOWS\system32\E_FBCHABA.DLL
2008-02-03 21:22 . 2004-06-24 00:20 51 --a------ C:\WINDOWS\system32\EAL32.INI
2008-02-03 21:21 . 2008-02-03 21:26 58 --a------ C:\WINDOWS\EPSONSC88+.ini
2008-01-30 18:02 . 2008-01-30 18:02 54,608 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-01-27 00:37 . 2008-01-27 00:37 <DIR> d-------- C:\Program Files\PartyGaming
2008-01-27 00:37 . 2008-02-07 20:25 <DIR> d-------- C:\Program Files\Full Tilt Poker
2008-01-27 00:29 . 2008-01-27 00:29 <DIR> d-------- C:\Documents and Settings\ryanho.RYAN\PARTYPokerDir
2008-01-24 23:52 . 2008-01-27 00:23 <DIR> d-------- C:\Program Files\PokerStars.NET
2008-01-24 01:07 . 2008-01-24 01:07 <DIR> d-------- C:\WINDOWS\system32\windows media
2008-01-24 01:07 . 2008-01-24 01:07 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-01-24 01:07 . 2008-01-24 01:07 <DIR> d-------- C:\Program Files\Windows Media Components
2008-01-22 19:52 . 2008-01-28 17:46 <DIR> d-------- C:\Documents and Settings\ryanho.RYAN\OngameNetwork
2008-01-21 10:49 . 2008-01-21 10:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\IJJIGame
2008-01-11 21:03 . 2008-01-11 21:03 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-09 17:09 --------- d-s---w C:\Program Files\Xfire
2008-02-09 03:31 --------- d-----w C:\Program Files\Warcraft III
2008-02-08 23:32 --------- d-----w C:\Documents and Settings\ryanho.RYAN\Application Data\Xfire
2008-02-08 04:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-08 04:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-02-08 00:51 --------- d-----w C:\Program Files\GemMaster
2008-02-08 00:42 --------- d-----w C:\Program Files\SwiftSwitch
2008-02-08 00:42 --------- d-----w C:\Program Files\Starcraft
2008-02-08 00:42 --------- d-----w C:\Documents and Settings\ryanho.RYAN\Application Data\Skype
2008-02-07 23:11 --------- d-----w C:\Documents and Settings\ryanho.RYAN\Application Data\LimeWire
2008-02-07 23:10 --------- d-----w C:\Program Files\Steam
2008-02-06 07:39 --------- d-----w C:\Program Files\LimeWire
2008-02-06 07:38 --------- d-----w C:\Program Files\Last.fm
2008-02-06 07:37 --------- d-----w C:\Program Files\iTunes
2008-02-06 07:34 --------- d-----w C:\Program Files\DIGStream
2008-02-06 07:25 --------- d-----w C:\Program Files\Bonjour
2008-02-06 07:25 --------- d-----w C:\Program Files\BAE
2008-02-06 07:20 --------- d-----w C:\Program Files\AIM6
2008-02-06 06:21 --------- d-----w C:\Program Files\Digital Line Detect
2008-02-06 05:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-06 03:09 --------- d-----w C:\Documents and Settings\ryanho.RYAN\Application Data\AVG7
2008-01-31 08:12 --------- d-----w C:\Documents and Settings\ryanho.RYAN\Application Data\Azureus
2008-01-24 06:05 --------- d-----w C:\Program Files\Azureus
2008-01-21 18:49 --------- d--h--w C:\Documents and Settings\ryanho.RYAN\Application Data\ijjigame
2008-01-21 18:15 --------- d-----w C:\Program Files\iPod
2008-01-21 18:13 --------- d-----w C:\Program Files\QuickTime
2008-01-07 06:31 --------- d-----w C:\Program Files\Ocean Technology
2007-12-20 07:01 --------- d-----w C:\Program Files\World of Warcraft
2007-12-12 00:04 --------- d-----w C:\Program Files\Java
2007-11-14 03:29 52,352 ----a-w C:\Documents and Settings\ryanho.RYAN\Application Data\GDIPFONTCACHEV1.DAT
2007-07-16 01:03 3,597 ----a-w C:\Program Files\Read_Me.txt
2006-06-03 18:26 2,232 ----a-w C:\Program Files\Readme.txt
2006-06-03 18:26 1,796 ----a-w C:\Program Files\Changes.txt
2007-05-05 19:57 92,160 --sh--r C:\WINDOWS\Help\spoolsv.exe
2007-06-26 12:33 88 --sh--r C:\WINDOWS\system32\AFAA2DDEF3.sys
2007-06-26 12:33 3,766 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 14:40 24576 C:\WINDOWS\MIDIDEF.EXE]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 02:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 21:20 339968 C:\WINDOWS\stsystra.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 18:05 344064]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 00:12 98304]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-09-15 06:47 57344]
"MBMon"="CTMBHA.DLL" [2005-05-19 05:54 1345520 C:\WINDOWS\system32\CTMBHA.DLL]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-10 22:00 90112]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 07:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 07:44 81920]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 02:20 122940]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 08:12 90112]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-06-29 15:52 185896]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"EPSON Stylus C88 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.exe" [2005-01-27 04:00 98304]
"vssms32"="C:\WINDOWS\system32\vssms32.exe" [2006-09-16 13:06 1469952]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-07 20:22 579072]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-03-01 16:55 4865600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"cubvf"="C:\WINDOWS\system32\cubvf.exe" [ ]
"vdxbzcopygm"="C:\WINDOWS\system32\vdxbzcopygm.exe" [ ]
"xempixd"="C:\WINDOWS\system32\xempixd.exe" [ ]
"tplnrzanm"="C:\WINDOWS\system32\tplnrzanm.exe" [ ]
"safjabhgx"="C:\WINDOWS\system32\safjabhgx.exe" [ ]
"q"="C:\WINDOWS\system32\q.exe" [ ]
"zpwaelr"="C:\WINDOWS\system32\zpwaelr.exe" [ ]
"byrd"="C:\WINDOWS\system32\byrd.exe" [ ]
"glgwazyjakc"="C:\WINDOWS\system32\glgwazyjakc.exe" [ ]
"rzemypomhm"="C:\WINDOWS\system32\rzemypomhm.exe" [ ]
"a"="C:\WINDOWS\system32\a.exe" [ ]
"mlioco"="C:\WINDOWS\system32\mlioco.exe" [ ]
"fnugcqz"="C:\WINDOWS\system32\fnugcqz.exe" [ ]
"kednradk"="C:\WINDOWS\system32\kednradk.exe" [ ]
"ztdcemqks"="C:\WINDOWS\system32\ztdcemqks.exe" [ ]
"rdigfvd"="C:\WINDOWS\system32\rdigfvd.exe" [2007-07-27 18:15 108544]
"d"="C:\WINDOWS\system32\d.exe" [ ]
"zbctmnzhhncn"="C:\WINDOWS\system32\zbctmnzhhncn.exe" [ ]
"lvz"="C:\WINDOWS\system32\lvz.exe" [ ]
"syfexcqoq"="C:\WINDOWS\system32\syfexcqoq.exe" [ ]
"rjtyoewx"="C:\WINDOWS\system32\rjtyoewx.exe" [ ]
"y"="C:\WINDOWS\system32\y.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 02:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-07 20:22 219136]

C:\Documents and Settings\ryanho.RYAN\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-06-29 12:31:51 106496]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-08 08:33:52 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 22:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2006-11-11 22:29]
R2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;C:\Program Files\VMLaunch\BuddyVM.sys [2004-10-05 07:40]
R2 Splr_Service;Spooler Subsystem App;"C:\WINDOWS\Help\spoolsv.exe" [2007-05-05 11:57]
S2 ep1eiv1f7z;Print Spooler Service;C:\WINDOWS\system32\y.exe []
S3 DISK_DRIVE32;DISK_DRIVE32;C:\DOCUME~1\RYANHO~1.RYA\LOCALS~1\Temp\Rar$EX00.359\Disk Drove\disk_1024.sys []
S3 Dua1;Dua1;C:\DOCUME~1\RYANHO~1.RYA\LOCALS~1\Temp\Rar$EX02.156\DualEngi.sys []
S3 Dual2;Dual2;C:\DOCUME~1\RYANHO~1.RYA\LOCALS~1\Temp\Rar$EX00.797\Dual2.sys []
S3 GR;GR;C:\DOCUME~1\RYANHO~1.RYA\LOCALS~1\Temp\Rar$EX00.641\GameRegistance 2.08\GameRegistance 2.08\GR.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 13:10]
S3 PCHWDRVDEVICE0;PCHWDRVDEVICE0;C:\Program Files\Ç÷¹À̸ÅÅ©·Î\Ç÷¹À̸ÞÀÌÇÃ\PCHWDRV.sys []
S3 sejt1;sejt1;C:\Documents and Settings\ryanho.RYAN\Desktop\AkumaEngine33\Applications\sejt.sys []
S3 serb1;serb1;C:\DOCUME~1\RYANHO~1.RYA\LOCALS~1\Temp\Rar$EX00.250\Serbio Engine\serbio.sys []
S3 unrealordBypass;unrealordBypass;C:\user\ryan\New Folder\unrealordBypass.sys []
S3 xp1;xp1;C:\DOCUME~1\RYANHO~1.RYA\LOCALS~1\Temp\Rar$EX13.9047\S3NSA 5 [S5NSA]\Would I rather date\Boys\Working UCE's\XPEngine [zenos' new one]\xp.sys []
S3 zenx1;zenx1;C:\DOCUME~1\RYANHO~1.RYA\LOCALS~1\Temp\Rar$EX03.656\ZenxEngine_LATEST\zenx.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-07 01:56:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-09 04:00:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (RYAN-amyho).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2008-02-09 02:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (RYAN-kingho).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2008-02-05 07:00:00 C:\WINDOWS\Tasks\wrSpySweeper20060620223408.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe*/ScheduleSweep=wrSpySweeper20060620223408
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-11 15:25:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ImagePath"="\??\C:\DOCUME~1\RYANHO~1.RYA\LOCALS~1\Temp\Rar$EX13.9047\S3NSA 5
[S5NSA]\Would I rather date\Boys\Working UCE's\XPEngine [zenos' new one]\xp.sys"

.
Completion time: 2008-02-11 15:26:27
ComboFix2.txt 2008-02-10 17:44:58
.
2008-02-07 07:40:48 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:27:59 PM, on 2/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\Help\spoolsv.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\RYANHO~1.RYA\LOCALS~1\Temp\clclean.0001
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\WINDOWS\system32\vssms32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.blizzard.com/register/war3x/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE" /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"
O4 - HKLM\..\Run: [vssms32] C:\WINDOWS\system32\vssms32.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\RunServices: [cubvf] C:\WINDOWS\system32\cubvf.exe
O4 - HKLM\..\RunServices: [vdxbzcopygm] C:\WINDOWS\system32\vdxbzcopygm.exe
O4 - HKLM\..\RunServices: [xempixd] C:\WINDOWS\system32\xempixd.exe
O4 - HKLM\..\RunServices: [tplnrzanm] C:\WINDOWS\system32\tplnrzanm.exe
O4 - HKLM\..\RunServices: [safjabhgx] C:\WINDOWS\system32\safjabhgx.exe
O4 - HKLM\..\RunServices: [q] C:\WINDOWS\system32\q.exe
O4 - HKLM\..\RunServices: [zpwaelr] C:\WINDOWS\system32\zpwaelr.exe
O4 - HKLM\..\RunServices: [byrd] C:\WINDOWS\system32\byrd.exe
O4 - HKLM\..\RunServices: [glgwazyjakc] C:\WINDOWS\system32\glgwazyjakc.exe
O4 - HKLM\..\RunServices: [rzemypomhm] C:\WINDOWS\system32\rzemypomhm.exe
O4 - HKLM\..\RunServices: [a] C:\WINDOWS\system32\a.exe
O4 - HKLM\..\RunServices: [mlioco] C:\WINDOWS\system32\mlioco.exe
O4 - HKLM\..\RunServices: [fnugcqz] C:\WINDOWS\system32\fnugcqz.exe
O4 - HKLM\..\RunServices: [kednradk] C:\WINDOWS\system32\kednradk.exe
O4 - HKLM\..\RunServices: [ztdcemqks] C:\WINDOWS\system32\ztdcemqks.exe
O4 - HKLM\..\RunServices: [rdigfvd] C:\WINDOWS\system32\rdigfvd.exe
O4 - HKLM\..\RunServices: [d] C:\WINDOWS\system32\d.exe
O4 - HKLM\..\RunServices: [zbctmnzhhncn] C:\WINDOWS\system32\zbctmnzhhncn.exe
O4 - HKLM\..\RunServices: [lvz] C:\WINDOWS\system32\lvz.exe
O4 - HKLM\..\RunServices: [syfexcqoq] C:\WINDOWS\system32\syfexcqoq.exe
O4 - HKLM\..\RunServices: [rjtyoewx] C:\WINDOWS\system32\rjtyoewx.exe
O4 - HKLM\..\RunServices: [y] C:\WINDOWS\system32\y.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1152239816406
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0DD46FBB-00B6-463D-8202-199682932A46}: NameServer = 192.168.1.1,4.2.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{86AEE903-CED0-4BBA-9AC4-FFCB5B050BBA}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0DD46FBB-00B6-463D-8202-199682932A46}: NameServer = 192.168.1.1,4.2.2.2
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Print Spooler Service (ep1eiv1f7z) - Unknown owner - C:\WINDOWS\system32\y.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spooler Subsystem App (Splr_Service) - Unknown owner - C:\WINDOWS\Help\spoolsv.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 11582 bytes
Old 02-11-2008, 05:02 PM #6
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Join Date: Sep 2005
Location: Glasgow
Posts: 25,499
OS: Win XP Pro SP3 / Win 7 Pro
Re: Help getting rid of Malware

Hi again

Looks better.


HijackThis Entries
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

O4 - HKLM\..\RunServices: [cubvf] C:\WINDOWS\system32\cubvf.exe
O4 - HKLM\..\RunServices: [vdxbzcopygm] C:\WINDOWS\system32\vdxbzcopygm.exe
O4 - HKLM\..\RunServices: [xempixd] C:\WINDOWS\system32\xempixd.exe
O4 - HKLM\..\RunServices: [tplnrzanm] C:\WINDOWS\system32\tplnrzanm.exe
O4 - HKLM\..\RunServices: [safjabhgx] C:\WINDOWS\system32\safjabhgx.exe
O4 - HKLM\..\RunServices: [q] C:\WINDOWS\system32\q.exe
O4 - HKLM\..\RunServices: [zpwaelr] C:\WINDOWS\system32\zpwaelr.exe
O4 - HKLM\..\RunServices: [byrd] C:\WINDOWS\system32\byrd.exe
O4 - HKLM\..\RunServices: [glgwazyjakc] C:\WINDOWS\system32\glgwazyjakc.exe
O4 - HKLM\..\RunServices: [rzemypomhm] C:\WINDOWS\system32\rzemypomhm.exe
O4 - HKLM\..\RunServices: [a] C:\WINDOWS\system32\a.exe
O4 - HKLM\..\RunServices: [mlioco] C:\WINDOWS\system32\mlioco.exe
O4 - HKLM\..\RunServices: [fnugcqz] C:\WINDOWS\system32\fnugcqz.exe
O4 - HKLM\..\RunServices: [kednradk] C:\WINDOWS\system32\kednradk.exe
O4 - HKLM\..\RunServices: [ztdcemqks] C:\WINDOWS\system32\ztdcemqks.exe
O4 - HKLM\..\RunServices: [rdigfvd] C:\WINDOWS\system32\rdigfvd.exe
O4 - HKLM\..\RunServices: [d] C:\WINDOWS\system32\d.exe
O4 - HKLM\..\RunServices: [zbctmnzhhncn] C:\WINDOWS\system32\zbctmnzhhncn.exe
O4 - HKLM\..\RunServices: [lvz] C:\WINDOWS\system32\lvz.exe
O4 - HKLM\..\RunServices: [syfexcqoq] C:\WINDOWS\system32\syfexcqoq.exe
O4 - HKLM\..\RunServices: [rjtyoewx] C:\WINDOWS\system32\rjtyoewx.exe
O4 - HKLM\..\RunServices: [y] C:\WINDOWS\system32\y.exe


Please remember to close all other windows, including browsers then click Fix checked.



Online Scan
Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky WebScanner

Next Click on Kaspersky Online Scanner


A Welcome screen will appear - click 'Accept' at the bottom. You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
  • Extended
Scan Options:
  • Scan Archives
  • Scan Mail Bases
Click OK

Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.

Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Take note of the name(s) and location(s) of any file(s) it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.


Please post back with the Kaspersky Log and a fresh HijackThis Log.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



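The helper above asks for the name and location of every file the scanner detects but fails to clean. A real Kaspersky Online Scanner report buries those few lines among hundreds of "Object is locked skipped" entries, so here is an added Python example (not part of the thread and not Kaspersky's code) that parses the report's object table, drops locked objects and archive-container lines, and groups the uncleaned detections by detection name. The line formats are taken from the report format as posted; the sample report, its paths and its counts are constructed.

```python
"""Pull the actionable lines out of a Kaspersky Online Scanner 5.x report.
Added example for this thread (not the forum's or Kaspersky's code): the helper asks for
the name and location of every file the scanner detects but fails to clean, and a real
report buries those among hundreds of "Object is locked skipped" lines."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the shape of the report posted in the thread; paths, counts and
# the mix of detections are made up. The line formats are the scanner's:
#   <path> Infected: <name> <action>  |  <path> Suspicious: <name> <action>
#   <archive> ZIP: infected - <n> <action>  (container of a member listed just above it)
#   <path> Object is locked skipped         (file in use: never scanned, not a detection)
SAMPLE_REPORT = r"""
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, February 12, 2008 6:47:48 PM
-------------------------------------------------------------------------------

Scan Statistics:
Total number of scanned objects: 1000
Number of infected objects: 4
Number of suspicious objects: 1

Infected Object Name / Virus Name / Last Action
C:\Temp\Engine-1.zip/GR.sys Infected: Rootkit.Win32.Agent.zi skipped
C:\Temp\Engine-1.zip ZIP: infected - 1 skipped
C:\WINDOWS\temp\pic[1]_jpg.vir Suspicious: Trojan-Downloader.Win32.Small.gen skipped
C:\Documents and Settings\user\NTUSER.DAT Object is locked skipped
C:\Shared\game.zip/Setup.exe Infected: not-a-virus:AdWare.Win32.Agent.zk skipped
C:\Shared\game.zip ZIP: infected - 1 skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
"""

# Paths contain spaces, so the path is matched lazily up to the status keyword.
_DETECTION = re.compile(r"^(?P<path>.+?) (?P<kind>Infected|Suspicious): (?P<name>\S+) (?P<action>\S+)$")
_ARCHIVE = re.compile(r"^(?P<path>.+?) (?P<fmt>[A-Z0-9]+): infected - (?P<count>\d+) (?P<action>\S+)$")
_LOCKED = re.compile(r"^(?P<path>.+?) Object is locked (?P<action>\S+)$")


@dataclass
class Finding:
    path: str                        # object path as printed; "archive/member" for archive members
    kind: str                        # "infected", "suspicious", "archive" or "locked"
    name: str                        # detection name; empty for archive and locked lines
    action: str                      # last-action column, e.g. "skipped"
    container: Optional[str] = None  # enclosing archive when the object is an archive member

    @property
    def riskware(self) -> bool:
        # Kaspersky prefixes unwanted-but-not-malicious software (adware, IRC clients,
        # remote-admin tools) with "not-a-virus:"; those get a different decision from malware.
        return self.name.startswith("not-a-virus:")


def parse_report(text: str) -> List[Finding]:
    """Parse the object table that follows the 'Infected Object Name' header."""
    findings: List[Finding] = []
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Infected Object Name"):
            in_table = True
            continue
        if not in_table or not line:
            continue
        if m := _DETECTION.match(line):
            path = m["path"]
            container = path.rsplit("/", 1)[0] if "/" in path else None
            findings.append(Finding(path, m["kind"].lower(), m["name"], m["action"], container))
        elif m := _ARCHIVE.match(line):
            findings.append(Finding(m["path"], "archive", "", m["action"]))
        elif m := _LOCKED.match(line):
            findings.append(Finding(m["path"], "locked", "", m["action"]))
        # Any other line shape is unknown and left out rather than guessed at.
    return findings


def not_cleaned(findings: List[Finding]) -> List[Finding]:
    """Detections reported but not cleaned: the list the helper asks for.
    Archive container lines are dropped (the infected member is listed on its own) and
    locked objects are dropped (never scanned). The online scanner only reports, so the
    action is "skipped" in practice; the clean-up verbs below are an assumption."""
    cleaned = {"deleted", "disinfected", "quarantined"}
    return [f for f in findings
            if f.kind in ("infected", "suspicious") and f.action.lower() not in cleaned]


def by_detection(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group the uncleaned detections by detection name -> object paths."""
    groups: Dict[str, List[str]] = {}
    for f in not_cleaned(findings):
        groups.setdefault(f.name, []).append(f.path)
    return groups


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(f"{sum(f.kind == 'locked' for f in found)} locked object(s) ignored")
    for name, paths in by_detection(found).items():
        print(f"[{'riskware' if name.startswith('not-a-virus:') else 'malware'}] {name}")
        for p in paths:
            print(f"    {p}")
```

Run against a saved report with `parse_report(open(path).read())`; the "not-a-virus:" entries (the mIRC client, the adware in the game archive) come out separately from the rootkit and downloader detections that actually need cleaning.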
Old 02-12-2008, 07:56 PM   #7 (permalink)
Registered User
 
Join Date: Feb 2008
Posts: 26
OS: xp


Re: Help getting rid of Malware

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, February 12, 2008 6:47:48 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/02/2008
Kaspersky Anti-Virus database records: 560524
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 113550
Number of viruses found: 6
Number of infected objects: 9
Number of suspicious objects: 1
Duration of the scan process: 01:31:21

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\RYANHO~1.RYA\LOCALS~1\Temp\DualEngine2-1.zip/GR.sys Infected: Rootkit.Win32.Agent.zi skipped
C:\Deckard\System Scanner\backup\DOCUME~1\RYANHO~1.RYA\LOCALS~1\Temp\DualEngine2-1.zip ZIP: infected - 1 skipped
C:\Deckard\System Scanner\backup\DOCUME~1\RYANHO~1.RYA\LOCALS~1\Temp\DualEngine2-2.zip/GR.sys Infected: Rootkit.Win32.Agent.zi skipped
C:\Deckard\System Scanner\backup\DOCUME~1\RYANHO~1.RYA\LOCALS~1\Temp\DualEngine2-2.zip ZIP: infected - 1 skipped
C:\Deckard\System Scanner\backup\WINDOWS\temp\ASHeuristic\499582c31280be030a6e2c25b3c9f87bbe132d[1]_jpg.vir Suspicious: Trojan-Downloader.Win32.Small.gen skipped
C:\Documents and Settings\ryanho.RYAN\Shared\counter strike.zip/Setup.exe Infected: not-a-virus:AdWare.Win32.Agent.zk skipped
C:\Documents and Settings\ryanho.RYAN\Shared\counter strike.zip ZIP: infected - 1 skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Help\spoolsv.exe Infected: Backdoor.Win32.SdBot.aad skipped
C:\WINDOWS\ModemLog_Conexant D850 56K V.9x DFVc Modem.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{226D9216-4C93-4DC5-8DEB-5440B00CC7D0}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\ntcvx32.dll Object is locked skipped
C:\WINDOWS\system32\ntswrl32.dll Object is locked skipped
C:\WINDOWS\system32\rdigfvd.exe Infected: Trojan.Win32.Obfuscated.gy skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:49:42 PM, on 2/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\Help\spoolsv.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\DOCUME~1\RYANHO~1.RYA\LOCALS~1\Temp\clclean.0001
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\WINDOWS\system32\vssms32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.blizzard.com/register/war3x/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE" /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"
O4 - HKLM\..\Run: [vssms32] C:\WINDOWS\system32\vssms32.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1152239816406
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0DD46FBB-00B6-463D-8202-199682932A46}: NameServer = 192.168.1.1,4.2.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{86AEE903-CED0-4BBA-9AC4-FFCB5B050BBA}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0DD46FBB-00B6-463D-8202-199682932A46}: NameServer = 192.168.1.1,4.2.2.2
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Print Spooler Service (ep1eiv1f7z) - Unknown owner - C:\WINDOWS\system32\y.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spooler Subsystem App (Splr_Service) - Unknown owner - C:\WINDOWS\Help\spoolsv.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 10727 bytes
Old 02-13-2008, 09:25 AM   #8 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
 
 
Join Date: Sep 2005
Location: Glasgow
Posts: 25,499
OS: Win XP Pro SP3 / Win 7 Pro

Re: Help getting rid of Malware

Hi again

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.


Disable SpyBot Tea Timer
While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.


Disable Webroot SpySweeper
Please disable Webroot SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean.
To disable Webroot SpySweeper:
  • Go to the Options > Program Options
  • Uncheck Load at Windows Startup
  • Click Shields & uncheck all items there
  • Uncheck Home page shield.
  • Automatically restore default without notification
  • Exit the program.


Show Hidden Files
Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System files and Folders are showing / visible. Uncheck the Hide protected operating system files option.


Reboot
Reboot your system in Safe Mode.
  • Restart the computer. The computer begins processing a set of instructions known as BIOS.
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8 (dependent on your system this may be F5 or another key)
  • Instead of Windows loading as normal, a menu should appear
  • Use the arrow key to highlight Safe Mode and press Enter.



HijackThis Entries
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O4 - HKLM\..\Run: [vssms32] C:\WINDOWS\system32\vssms32.exe


Please remember to close all other windows, including browsers then click Fix checked.



File Deletions
Delete the following Files indicated in RED if they still exist.

C:\WINDOWS\system32\vssms32.exe
C:\WINDOWS\Help\spoolsv.exe <-- This file from this location only
C:\WINDOWS\system32\rdigfvd.exe




Reboot
Reboot your system in Normal Mode.



Online Scan
Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located in the middle of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan". *The download of Panda's 8 MB ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan



Please post back with the Panda Log and a fresh HijackThis Log.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



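The fix above was worked out by eye from the HijackThis log: a second "spoolsv.exe" running from C:\WINDOWS\Help instead of system32, a "Print Spooler Service" registration whose binary y.exe is gone, a service with a random-looking name and no publisher, and a Run key launching an unknown vssms32.exe straight out of system32. The script below is an added example, not part of this thread and not a tool either poster used; it encodes those same checks so they can be run over any HijackThis O4/O23 lines. The sample lines are copied from the log posted above. The core-binary directory table, the system32 autostart allowlist, the random-name regex and the Print Spooler display-name check are this example's own assumptions about a Windows XP layout.

```python
"""Heuristic triage of HijackThis O4 (Run key) and O23 (service) entries.

Flags the patterns the hand analysis above keys on: a core Windows binary
name running from the wrong directory, a registered service whose binary is
missing, a random-looking service name with no publisher, and a Run key
launching an unknown executable straight out of system32.
"""
import ntpath
import re
from typing import Dict, List

# Constructed sample: lines copied from the HijackThis log posted above, one per case.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vssms32] C:\WINDOWS\system32\vssms32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Print Spooler Service (ep1eiv1f7z) - Unknown owner - C:\WINDOWS\system32\y.exe (file missing)
O23 - Service: Spooler Subsystem App (Splr_Service) - Unknown owner - C:\WINDOWS\Help\spoolsv.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<short>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$")

# Assumption (XP layout): core binaries and the one directory each legitimately runs from.
SYSTEM_BINARIES = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# Assumption: the few Windows components that legitimately autostart from system32 via a Run key.
KNOWN_SYSTEM32_AUTOSTARTS = {"ctfmon.exe", "dumprep"}
# Heuristic: lowercase letters and digits mashed together with no separators (e.g. ep1eiv1f7z).
RANDOM_NAME = re.compile(r"(?=.*\d)(?=.*[a-z])[a-z0-9]{8,}$")


def exe_path(cmd: str) -> str:
    """Pull the executable path out of a Run-key command line or service ImagePath."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def _split(path: str):
    # ntpath handles Windows paths on any host; normcase lowercases for comparison.
    return ntpath.split(ntpath.normcase(path))


def check_masquerade(line: str, path: str) -> List[Dict[str, str]]:
    # A core binary name outside its home directory (the C:\WINDOWS\Help copy of spoolsv.exe).
    directory, base = _split(path)
    expected = SYSTEM_BINARIES.get(base)
    if expected and directory != expected:
        return [{"line": line, "reason": f"{base} runs from {directory}, expected {expected}"}]
    return []


def check_run(line: str, m: re.Match) -> List[Dict[str, str]]:
    path = exe_path(m.group("cmd"))
    findings = check_masquerade(line, path)
    directory, base = _split(path)
    # Unknown executable autostarting from system32 (vssms32.exe); known XP autostarts are allowlisted.
    if directory == r"c:\windows\system32" and base not in SYSTEM_BINARIES and base not in KNOWN_SYSTEM32_AUTOSTARTS:
        findings.append({"line": line, "reason": f"Run key '{m.group('name')}' launches unknown {base} from system32"})
    return findings


def check_service(line: str, m: re.Match) -> List[Dict[str, str]]:
    display, short, owner, raw_path = (m.group(g) for g in ("display", "short", "owner", "path"))
    findings = check_masquerade(line, exe_path(raw_path))
    if "(file missing)" in raw_path:
        findings.append({"line": line, "reason": f"service '{short}' still registered but its binary is missing"})
    if owner == "Unknown owner" and RANDOM_NAME.match(short):
        findings.append({"line": line, "reason": f"service '{short}' has a random-looking name and no publisher"})
    # The real XP print spooler is service name "Spooler"; anything else borrowing the word is mimicry.
    if "spooler" in display.lower() and short.lower() != "spooler":
        findings.append({"line": line, "reason": f"display name '{display}' mimics Print Spooler but service name is '{short}'"})
    return findings


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious property of each O4/O23 line."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            findings += check_run(line, m)
        elif m := SVC_RE.match(line):
            findings += check_service(line, m)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["reason"])
```

Run against the sample, the two legitimate entries (realsched.exe, the Webroot service) and the allowlisted ctfmon.exe produce nothing, while the three entries the moderator singled out are each flagged for the specific property that gives them away. The heuristics are deliberately narrow; a real allowlist would be built from a known-clean image of the same Windows build rather than the handful of names assumed here.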
Old 02-15-2008, 07:00 PM   #9 (permalink)
Registered User
 
Join Date: Feb 2008
Posts: 26
OS: xp


Re: Help getting rid of Malware

Hi again, sorry for the late reply.

Incident Status Location

Adware:Adware/GoodSearchNow Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\RYANHO~1.RYA\LOCALS~1\Temp\DualEngine2-1.zip[GR.sys]
Adware:Adware/GoodSearchNow Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\RYANHO~1.RYA\LOCALS~1\Temp\DualEngine2-2.zip[GR.sys]
Virus:Generic Malware Disinfected C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\HGStart9USA.exe
Possible Virus. Not disinfected C:\Deckard\System Scanner\backup\WINDOWS\temp\ASHeuristic\499582c31280be030a6e2c25b3c9f87bbe132d[1]_jpg.vir
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\amyho.RYAN\Cookies\amyho@doubleclick[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\kingho.RYAN\Cookies\kingho@doubleclick[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\ryanho\Application Data\Mozilla\Firefox\Profiles\n7o84hiv.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\ryanho\Cookies\ryanho@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\ryanho\Cookies\ryanho@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\ryanho\Cookies\ryanho@doubleclick[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\ryanho\Cookies\ryanho@mediaplex[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\ryanho\Cookies\ryanho@overture[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\ryanho.RYAN\Application Data\Mozilla\Firefox\Profiles\xg9s1lx7.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\ryanho.RYAN\Application Data\Mozilla\Firefox\Profiles\xg9s1lx7.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\ryanho.RYAN\Application Data\Mozilla\Firefox\Profiles\xg9s1lx7.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\ryanho.RYAN\Application Data\Mozilla\Firefox\Profiles\xg9s1lx7.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\ryanho.RYAN\Application Data\Mozilla\Firefox\Profiles\xg9s1lx7.default\cookies.txt[.ad.yieldmanager.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\ryanho.RYAN\Application Data\Mozilla\Firefox\Profiles\xg9s1lx7.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\ryanho.RYAN\Application Data\Mozilla\Firefox\Profiles\xg9s1lx7.default\cookies.txt[.ad.yieldmanager.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\ryanho.RYAN\Application Data\Mozilla\Firefox\Profiles\xg9s1lx7.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\ryanho.RYAN\Application Data\Mozilla\Firefox\Profiles\xg9s1lx7.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\ryanho.RYAN\Application Data\Mozilla\Firefox\Profiles\xg9s1lx7.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\ryanho.RYAN\Application Data\Mozilla\Firefox\Profiles\xg9s1lx7.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\ryanho.RYAN\Application Data\Mozilla\Firefox\Profiles\xg9s1lx7.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\ryanho.RYAN\Application Data\Mozilla\Firefox\Profiles\xg9s1lx7.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\ryanho.RYAN\Application Data\Mozilla\Firefox\Profiles\xg9s1lx7.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\ryanho.RYAN\Application Data\Mozilla\Firefox\Profiles\xg9s1lx7.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\ryanho.RYAN\Application Data\Mozilla\Firefox\Profiles\xg9s1lx7.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\ryanho.RYAN\Application Data\Mozilla\Firefox\Profiles\xg9s1lx7.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\ryanho.RYAN\Application Data\Mozilla\Firefox\Profiles\xg9s1lx7.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\ryanho.RYAN\Application Data\Mozilla\Firefox\Profiles\xg9s1lx7.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\ryanho.RYAN\Application Data\Mozilla\Firefox\Profiles\xg9s1lx7.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\ryanho.RYAN\Application Data\Mozilla\Firefox\Profiles\xg9s1lx7.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\ryanho.RYAN\Application Data\Mozilla\Firefox\Profiles\xg9s1lx7.default\cookies.txt[.azjmp.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\ryanho.RYAN\Application Data\Mozilla\Firefox\Profiles\xg9s1lx7.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\ryanho.RYAN\Application Data\Mozilla\Firefox\Profiles\xg9s1lx7.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\ryanho.RYAN\Application Data\Mozilla\Firefox\Profiles\xg9s1lx7.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\ryanho.RYAN\Application Data\Mozilla\Firefox\Profiles\xg9s1lx7.default\cookies.txt[.overture.com/]
Spyware:Cookie/Linksynergy Not disinfected C:\Documents and Settings\ryanho.RYAN\Application Data\Mozilla\Firefox\Profiles\xg9s1lx7.default\cookies.txt[.linksynergy.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\ryanho.RYAN\Application Data\Mozilla\Firefox\Profiles\xg9s1lx7.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\ryanho.RYAN\Application Data\Mozilla\Firefox\Profiles\xg9s1lx7.default\cookies.txt[.bfast.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\ryanho.RYAN\Application Data\Mozilla\Firefox\Profiles\xg9s1lx7.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\ryanho.RYAN\Application Data\Mozilla\Firefox\Profiles\xg9s1lx7.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\ryanho.RYAN\Application Data\Mozilla\Firefox\Profiles\xg9s1lx7.default\cookies.txt[.com.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\ryanho.RYAN\Cookies\ryanho@advertising[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\ryanho.RYAN\Cookies\ryanho@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\ryanho.RYAN\Cookies\ryanho@atwola[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\ryanho.RYAN\Cookies\ryanho@atwola[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\ryanho.RYAN\Cookies\ryanho@doubleclick[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\ryanho.RYAN\Cookies\ryanho@doubleclick[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\ryanho.RYAN\Cookies\ryanho@tribalfusion[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\ryanho.RYAN\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.com]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\ryanho.RYAN\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.cfexe]
Potentially unwanted tool:Application/Playmp3z Not disinfected C:\Documents and Settings\ryanho.RYAN\Shared\counter strike.zip[Setup.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\Nircmd.exe
Virus:Trj/Cakl.J Disinfected C:\WINDOWS\system32\ntcvx32.dll
Virus:Trj/Pdpinch.AK Disinfected C:\WINDOWS\system32\ntswrl32.dll


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:59:42 PM, on 2/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\DOCUME~1\RYANHO~1.RYA\LOCALS~1\Temp\clclean.0001
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.blizzard.com/register/war3x/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE" /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1152239816406
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0DD46FBB-00B6-463D-8202-199682932A46}: NameServer = 192.168.1.1,4.2.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{86AEE903-CED0-4BBA-9AC4-FFCB5B050BBA}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0DD46FBB-00B6-463D-8202-199682932A46}: NameServer = 192.168.1.1,4.2.2.2
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Print Spooler Service (ep1eiv1f7z) - Unknown owner - C:\WINDOWS\system32\y.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spooler Subsystem App (Splr_Service) - Unknown owner - C:\WINDOWS\Help\spoolsv.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9724 bytes
zeromonkeyx is offline  
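Two O23 entries in the log above stand out to anyone who reads HijackThis output: "Print Spooler Service (ep1eiv1f7z)" and "Spooler Subsystem App (Splr_Service)", both with "Unknown owner", both "(file missing)", and neither is the genuine Print Spooler (short name "Spooler", binary C:\WINDOWS\system32\spoolsv.exe). The script below is an added example for this thread, not HijackThis code and not something the posters ran. It embeds six lines copied from the log as a constructed sample and applies its own heuristics to O23 service lines (missing binary, no publisher, random-looking short name, a display name that imitates a system service) and to the O17 NameServer line (resolvers outside private address space). The KNOWN_SYSTEM_SERVICES table, severity labels and the "three digits in eight alphanumerics" rule are this example's assumptions, not HijackThis conventions.

```python
"""Triage the O17 (DNS) and O23 (service) lines of a HijackThis log.

Added example for this thread; not HijackThis code. The sample lines are
copied from the log posted above; the heuristics are this example's own.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: six lines copied verbatim from the log in this thread.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{0DD46FBB-00B6-463D-8202-199682932A46}: NameServer = 192.168.1.1,4.2.2.2
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Print Spooler Service (ep1eiv1f7z) - Unknown owner - C:\WINDOWS\system32\y.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spooler Subsystem App (Splr_Service) - Unknown owner - C:\WINDOWS\Help\spoolsv.exe (file missing)
"""

# Genuine Windows services that malware likes to imitate (assumed table):
# display-name keyword -> (real short name, real binary path), lower-cased.
KNOWN_SYSTEM_SERVICES = {
    "spooler": ("spooler", r"c:\windows\system32\spoolsv.exe"),
}
MISSING = " (file missing)"


@dataclass
class Finding:
    line: str
    severity: str                      # "high", "review" or "ok"
    reasons: list = field(default_factory=list)


def parse_o23(line):
    """Split an O23 line into (display name, short name, owner, path, file_missing)."""
    prefix = "O23 - Service: "
    if not line.startswith(prefix):
        return None
    parts = line[len(prefix):].split(" - ", 2)
    if len(parts) != 3:
        return None
    display, owner, path = parts
    missing = path.endswith(MISSING)
    if missing:
        path = path[:-len(MISSING)]
    # HijackThis appends the service's short name in a trailing parenthesis.
    m = re.fullmatch(r"(?P<name>.*?)(?: \((?P<short>[^()]+)\))?", display)
    return m.group("name"), m.group("short") or "", owner, path, missing


def looks_random(short):
    """Heuristic: 8+ alphanumerics containing at least three digits, e.g. 'ep1eiv1f7z'."""
    return bool(re.fullmatch(r"[A-Za-z0-9]{8,}", short)) and sum(c.isdigit() for c in short) >= 3


def triage_o23(line):
    """Score one O23 line; None if it is not a well-formed O23 entry."""
    parsed = parse_o23(line)
    if parsed is None:
        return None
    name, short, owner, path, missing = parsed
    reasons = []
    if missing:
        reasons.append("binary is gone: orphaned service key left behind, delete it")
    if owner == "Unknown owner":
        reasons.append("binary carries no publisher information")
    if looks_random(short):
        reasons.append(f"random-looking short name {short!r}")
    for keyword, (real_short, real_path) in KNOWN_SYSTEM_SERVICES.items():
        if keyword in name.lower() and (short.lower(), path.lower()) != (real_short, real_path):
            reasons.append(f"named like the real {real_short!r} service but is not {real_path}")
    high = ("binary is gone", "random-looking", "named like")
    severity = "high" if any(r.startswith(high) for r in reasons) else ("review" if reasons else "ok")
    return Finding(line, severity, reasons)


def public_nameservers(line):
    """Resolvers in an O17 NameServer line that are outside private address space."""
    m = re.search(r"NameServer = ([\d.,]+)", line)
    if not m:
        return None
    return [ip for ip in m.group(1).split(",") if not ipaddress.ip_address(ip).is_private]


def triage(log):
    """Every line worth a second look, in log order."""
    findings = []
    for line in log.splitlines():
        if line.startswith("O23 "):
            f = triage_o23(line)
            if f is not None and f.severity != "ok":
                findings.append(f)
        elif line.startswith("O17 "):
            public = public_nameservers(line)
            if public:
                findings.append(Finding(line, "review",
                                        [f"public DNS resolver(s) {public}: confirm the owner set this"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.line}")
        for r in f.reasons:
            print("    -", r)
```

Run against the sample, the two spooler look-alikes come out "high" on every heuristic at once, DSBrokerService and the 4.2.2.2 resolver come out "review" (a Dell support component and a public resolver are plausible, but someone should confirm they were installed on purpose), and the AVG and WinPcap entries pass. A heuristic pass like this only orders the questions; the rpcapd entry, for instance, is the WinPcap remote capture daemon, legitimately signed by its vendor but still a service that accepts capture connections from the network, which the machine's owner should recognise.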
Old 02-16-2008, 09:52 AM   #10 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Join Date: Sep 2005
Location: Glasgow
Posts: 25,499
OS: Win XP Pro SP3 / Win 7 Pro
Re: Help getting rid of Malware

Hi again

Your logs are looking good. Just before we finish up, please tell me how your system is running? Any particular issues or problems?
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.
Glaswegian is offline
Old 02-17-2008, 01:49 AM   #11 (permalink)
Registered User
 
Join Date: Feb 2008
Posts: 26
OS: xp


Re: Help getting rid of Malware

Everything looks fine now! Thank you guys so much
zeromonkeyx is offline  
Old 02-17-2008, 07:55 AM   #12 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Re: Help getting rid of Malware

All your logs are clean. If there are no more problems we’ll just tidy up and I’ll let you go, along with my recommendations for staying safe and secure.


Reset Hidden/System Files
To reset your hidden and system files:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.



The following procedure will clear out the tools we've used as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Referring to the image below



Click Start > Run and copy/paste, or type the following bold text into the Run box and click OK:


ComboFix /u



Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

Spyware Blaster to help prevent spyware from installing in the first place.
Spyware Guard to catch and block spyware before it can execute.
Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here.


Ad-aware

Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here.


IE-SPYAD
IE-Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here.


SnoopFree

SnoopFree is a real time monitor that notifies you when a programme wants to record your keystrokes or read your screen. Note that SnoopFree is only for XP systems.


MVPS Hosts File

The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file.


Alternate Browsers

Try the following free alternate browsers rather than Internet Explorer
Firefox
Opera
Maxthon


Firewalls

A good firewall will monitor incoming and outgoing traffic. NOTE: Microsoft's Firewall does not monitor outgoing traffic. If you do not have a firewall, here are 3 free ones available for personal use:
Comodo Personal Firewall
Sygate Personal Firewall
ZoneAlarm


Anti Virus Software

It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online antivirus scanners:
Anti-Spyware Tutorial

Here are three very good free Antivirus products which are available:
BitDefender Free
Avast!
AVG

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.



Other Protection

Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer.

ERUNT & NTREGOPT
ERUNT is a programme that will create automatic backups of your Registry. These backups can be used to help restore your system in the event of a serious crash.
NTREGOPT will compact and optimise your Registry, to assist the smooth running of your system


Additional Reading
In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

PC Safety & Security - What Do I Need?.
Making Internet Explorer Safer.


Keep clean and safe and enjoy your computing!

Please respond to this thread one more time so we can mark this thread as resolved.
Glaswegian is offline
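The MVPS HOSTS file recommended in the post above works because 127.0.0.1 is the loopback address: a hostname mapped to it resolves to the machine itself, so the ad server is never contacted. The same file is a favourite target for malware, which adds lines that map antivirus and update sites to loopback (so updates silently fail) or to an address it controls. The script below is an added example for this thread, not the MVPS project's code. It parses a HOSTS file, tells blocklist entries apart from hijacks, and flags the two cases a practitioner cares about. The sample file is constructed; the 203.0.113.9 address is from a documentation range and stands in for an attacker's server, and the PROTECTED list (update and AV domains that appear in this thread) is this example's own assumption.

```python
"""Audit a Windows HOSTS file: blocklist entries versus hijacks.

Added example for this thread, not the MVPS project's code. The sample file
is constructed; only its 127.0.0.1 lines mimic what a blocklist does.
"""
import ipaddress

# Constructed sample. 203.0.113.0/24 is a documentation range, used here to
# stand in for an attacker-controlled address.
SAMPLE_HOSTS = """\
# Constructed sample, not the real MVPS file
127.0.0.1  localhost
127.0.0.1  ad.doubleclick.net        # typical blocklist entry
127.0.0.1  ads.example.net
127.0.0.1  update.microsoft.com      # blocks Windows Update: never legitimate
203.0.113.9  www.kaspersky.com       # silent redirect to someone else's server
"""

# Domains a blocklist should never touch (assumed list: update and AV sites
# named in this thread). Subdomains of each are covered too.
PROTECTED = ("update.microsoft.com", "windowsupdate.com",
             "kaspersky.com", "pandasoftware.com")

# Targets that make an entry a "block" rather than a redirect.
LOOPBACK = {ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1")}


def parse_hosts(text):
    """Yield (address, hostname) pairs; comments, blanks and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                   # not an IP address: skip the line
        for name in names:
            yield addr, name.lower()


def is_protected(host):
    return any(host == d or host.endswith("." + d) for d in PROTECTED)


def classify(addr, host):
    """One verdict per mapping."""
    if addr not in LOOPBACK:
        return "redirect"              # traffic goes to a real machine: a hijack
    if host == "localhost":
        return "normal"
    if is_protected(host):
        return "blocks-security-site"  # loopback, but for a site that must stay reachable
    return "block"                     # the blocklist mechanism working as intended


def audit(text):
    """Return [(host, ip, verdict)] for every mapping in the file."""
    return [(host, str(addr), classify(addr, host)) for addr, host in parse_hosts(text)]


def suspicious(text):
    """Only the entries that need a human: hijacks and update/AV blocks."""
    return [e for e in audit(text) if e[2] in ("redirect", "blocks-security-site")]


if __name__ == "__main__":
    for host, ip, verdict in audit(SAMPLE_HOSTS):
        print(f"{verdict:22} {ip:14} {host}")
```

On a real system the file lives at C:\WINDOWS\system32\drivers\etc\hosts; read it with the same parser and look only at what suspicious() returns. A genuine blocklist produces thousands of "block" lines and nothing else, so any "redirect" or "blocks-security-site" entry is something a cleanup should remove before reinstalling the MVPS file.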
Old 02-18-2008, 10:38 AM   #13 (permalink)
Registered User
 
Join Date: Feb 2008
Posts: 26
OS: xp


Re: Help getting rid of Malware

Alright, thank you. I should be more careful from now on.
zeromonkeyx is offline  
Copyright 2001 - 2009, Tech Support Forum