08-20-2008, 07:04 PM   #1
tillyoulostme (Registered User)
Join Date: Aug 2008
Posts: 8
OS: XP Home


EEK! virus list from Panda. What do I do now?

I've run a scan with Panda ActiveScan 2.0 and it's come up with a list of things.

1. C:\WINDOWS\system32\ruftgx.dll
2. C:\WINDOWS\system32\rakgef.dll
3. C:\WINDOWS\system32\fajjiqvc.dll
4. C:\WINDOWS\system32\tcufbbjy.dll

1. C:\WINDOWS\system32\pdgujm.dll
2. C:\WINDOWS\system32\wrngpoos.dll
3. C:\WINDOWS\system32\qsaumt.dll
4. C:\WINDOWS\system32\wgpbxatv.dll

C:\WINDOWS\system32\vrvrmywn.dll
C:\WINDOWS\system32\ijmgjfip.dll
C:\WINDOWS\system32\hhtjmvkx.dll
C:\WINDOWS\system32\gevqxjxb.dll
C:\WINDOWS\system32\cljdymlr.dll
C:\WINDOWS\system32\agffmusx.dll
C:\WINDOWS\SysNotifier.exe
C:\WINDOWS\system32\vrvrmywn.dll
C:\WINDOWS\system32\vrvrmywn.dll

What do I do now? Delete them? How do I go about it? I'm afraid I'm pretty new to all this stuff and haven't got the first clue how to go about solving these problems.

Could these be the reason I can't access googlemail, facebook and other, rather more random, websites?

I'm also running Norton Internet Security 2008, AVG Free and SpywareTerminator. Could it be the multiple antivirus programs causing the blocks on certain pages, as there's nothing unusual in the hosts file?

Thanks,

Tori

08-25-2008, 02:22 AM   #2
amateur (Moderator, Analyst, Security Team; Rangemaster, TSF Academy)
Join Date: Jun 2006
Location: USA
Posts: 7,450
OS: XP SP3


Re: virus list from Panda. What do I do now?

Hello and welcome to TSF.

Apologies for the long delay in response. We have a large number of HijackThis logs to handle and it’s taking us longer to catch up. If you haven’t received help elsewhere already and still require assistance please follow the instructions in IMPORTANT - Read This Before Posting A Log and post a fresh HijackThis log.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
08-31-2008, 05:05 PM   #3
tillyoulostme (Registered User)
Join Date: Aug 2008
Posts: 8
OS: XP Home


Re: virus list from Panda. What do I do now?

Hi,

Thanks so much for replying. I've had a few more problems and I've only just got everything going again, so I'm sorry for the delay.

Here's the log from Hijack This:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:01:45, on 01/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG111T\wlan111t.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/people/Victoria_Smith/733472413
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {19AE98E2-910B-4B15-8AA4-0FB60079588F} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {fa2c3785-8440-5199-67c4-87dec9002f49} - {94f2009c-ed78-4c76-9915-04485873c2af} - (no file)
O2 - BHO: (no name) - {CC628875-53FE-4DE3-9CA8-E61652820398} - (no file)
O2 - BHO: (no name) - {F1079574-5D98-4990-9ECB-36AE259CB2C8} - (no file)
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [IERESETATTRIB] %SystemRoot%\system32\cmd.exe /d /q /c %SystemRoot%\system32\ieudinit.exe -ResetFileAttributes
O4 - HKLM\..\RunOnce: [IERESETICONS] %SystemRoot%\system32\cmd.exe /d /q /c %SystemRoot%\iereseticons.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab55579.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/The%20Mystery%20of%20the%20Crystal%20Portal/Images/stg_drm.ocx
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/bingame/trix/def...x.1.0.0.87.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab55579.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase5036.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://zone.msn.com/bingame/dsh2/def...2.1.0.0.68.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1162907886561
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1164842721390
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/def...jolauncher.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames...1.cab60096.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://zone.msn.com/bingame/fotg/def...g.1.0.0.37.cab
O16 - DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} (MSN Music Mediabar) - http://sib1.pvw.od2.com/common/music...agerPlugin.CAB
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/def...rsion=1,0,0,10
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mystery%20Case%20Files%20-%20Ravenhearst/Images/armhelper.ocx
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/cnma/default/ct.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/popcaploader_v10.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: hgGyYsrP - hgGyYsrP.dll (file missing)
O20 - Winlogon Notify: nietdraw - C:\Program Files\Windows Media Player\Network Sharing\nietdraw.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 9130 bytes


Hope this helps

Thanks again
09-01-2008, 02:40 AM   #4
amateur (Moderator, Analyst, Security Team; Rangemaster, TSF Academy)
Join Date: Jun 2006
Location: USA
Posts: 7,450
OS: XP SP3


Re: virus list from Panda. What do I do now?

Hi,

The system is infected. But, first of all, you should not be running two antivirus applications, i.e. Norton Internet Security Suite and AVG8. Multiple antivirus programs can bog down your system, interfere with each other, and may even cause crashes. Before you do anything else, please remove one of them immediately via Add or Remove Programs in Control Panel.

==================================

Next, download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/comb...o-use-combofix

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. If you're unsure how to do that, visit this page.

--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log for further review.
Note:
Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
09-01-2008, 01:46 PM   #5
tillyoulostme (Registered User)
Join Date: Aug 2008
Posts: 8
OS: XP Home


Re: virus list from Panda. What do I do now?

Hi,

Thanks for the advice, I've removed Norton as it isn't doing much for me, I must admit.

Here's the combo log:
ComboFix 08-08-31.01 - Administrator 2008-09-01 18:59:13.1 - NTFSx86
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM2f7466e7.txt
C:\WINDOWS\BM2f7466e7.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bxjxqveg.ini
C:\WINDOWS\system32\EdeggOYb.ini
C:\WINDOWS\system32\EdeggOYb.ini2
C:\WINDOWS\system32\fajjiqvc.dll
C:\WINDOWS\system32\hhtjmvkx.dll
C:\WINDOWS\system32\ijmgjfip.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mfagdikd.ini
C:\WINDOWS\system32\qvhjtjcp.ini
C:\WINDOWS\system32\rakgef.dll
C:\WINDOWS\system32\ruftgx.dll
C:\WINDOWS\system32\tcufbbjy.dll
C:\WINDOWS\system32\vmnchvor.ini
C:\WINDOWS\system32\vxegimlg.ini
C:\WINDOWS\system32\xsumffga.ini

.
((((((((((((((((((((((((( Files Created from 2008-08-01 to 2008-09-01 )))))))))))))))))))))))))))))))
.

2008-08-31 23:56 . 2008-08-31 23:56 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-08-21 02:24 . 2008-08-21 02:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-20 23:24 . 2008-04-29 11:33 16,952 --------- C:\WINDOWS\system32\drivers\RkPavproc1.sys
2008-08-20 22:55 . 2008-08-31 23:50 <DIR> d-------- C:\Program Files\Panda Security
2008-08-17 01:08 . 2008-09-01 14:17 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-17 00:11 . 2008-09-01 11:26 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-17 00:11 . 2008-08-30 00:37 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-17 00:11 . 2008-08-17 00:11 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-08-17 00:11 . 2008-08-17 00:11 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-08-17 00:09 . 2008-08-17 00:09 <DIR> d-------- C:\Program Files\AVG
2008-08-17 00:09 . 2008-08-17 00:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-15 13:27 . 2008-08-15 13:27 <DIR> d-------- C:\Program Files\CCleaner
2008-08-15 12:57 . 2008-09-01 08:52 <DIR> d-------- C:\Program Files\WinClamAVShield
2008-08-15 12:41 . 2008-09-01 08:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-08-15 12:41 . 2008-09-01 11:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Spyware Terminator
2008-08-15 12:41 . 2008-08-15 12:41 141,312 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-08-15 12:40 . 2008-09-01 08:49 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-08-14 16:17 . 2008-08-14 16:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\GameHouse
2008-08-14 16:14 . 2008-08-14 16:14 <DIR> d-------- C:\WINDOWS\Cate West The Vanishing Files
2008-08-11 19:27 . 2008-08-15 01:31 <DIR> d-------- C:\Program Files\DNA
2008-08-10 13:03 . 2008-08-10 13:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-08-10 12:59 . 2008-08-10 12:59 <DIR> d-------- C:\Program Files\AOL Games
2008-08-09 11:56 . 2008-08-09 11:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FloodLightGames
2008-08-09 11:56 . 2008-08-09 11:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\FloodLightGames
2008-08-08 09:24 . 2008-08-08 09:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Gogii
2008-08-08 00:55 . 2008-08-08 00:55 268 --ah----- C:\sqmdata16.sqm
2008-08-08 00:55 . 2008-08-08 00:55 244 --ah----- C:\sqmnoopt16.sqm
2008-08-07 22:51 . 2008-08-07 22:51 4,096 --a------ C:\WINDOWS\d3dx.dat
2008-08-07 00:38 . 2008-08-07 00:38 268 --ah----- C:\sqmdata15.sqm
2008-08-07 00:38 . 2008-08-07 00:38 244 --ah----- C:\sqmnoopt15.sqm
2008-08-06 02:11 . 2008-08-06 02:11 268 --ah----- C:\sqmdata14.sqm
2008-08-06 02:11 . 2008-08-06 02:11 244 --ah----- C:\sqmnoopt14.sqm
2008-08-05 02:14 . 2008-08-05 02:14 268 --ah----- C:\sqmdata13.sqm
2008-08-05 02:14 . 2008-08-05 02:14 244 --ah----- C:\sqmnoopt13.sqm
2008-08-04 01:28 . 2008-08-04 01:28 268 --ah----- C:\sqmdata12.sqm
2008-08-04 01:28 . 2008-08-04 01:28 244 --ah----- C:\sqmnoopt12.sqm
2008-08-03 03:50 . 2008-08-03 03:50 268 --ah----- C:\sqmdata11.sqm
2008-08-03 03:50 . 2008-08-03 03:50 244 --ah----- C:\sqmnoopt11.sqm
2008-08-02 02:08 . 2008-08-02 02:08 268 --ah----- C:\sqmdata10.sqm
2008-08-02 02:08 . 2008-08-02 02:08 244 --ah----- C:\sqmnoopt10.sqm
2008-08-01 01:07 . 2008-08-01 01:07 268 --ah----- C:\sqmdata09.sqm
2008-08-01 01:07 . 2008-08-01 01:07 244 --ah----- C:\sqmnoopt09.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-01 18:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-01 18:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-21 02:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-08-17 00:08 --------- d-----w C:\Program Files\AIM6
2008-08-16 11:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-08-15 00:55 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-08-11 17:34 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-11 14:01 --------- d-----w C:\Documents and Settings\Administrator\Application Data\PlayFirst
2008-08-09 12:48 --------- d-----w C:\Program Files\MSN Games
2008-08-07 16:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Flood Light Games
2008-08-07 16:20 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Flood Light Games
2008-07-12 22:48 --------- d-----w C:\Program Files\Mario Forever
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-05-16 22:01 0 ----a-w C:\Program Files\temp01
2008-02-14 15:00 43,832 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-12-13 13:59 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-08-31 10:55 1783808]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-30 00:38 1235736]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2007-11-28 20:51 583048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG111T Smart Wizard.lnk - C:\Program Files\NETGEAR\WG111T\wlan111t.exe [2006-12-30 10:02:20 884840]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2007-09-29 21:22 50528 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 13:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
--a------ 2002-10-23 19:15 86016 c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
--a------ 2002-06-27 02:36 90112 C:\Program Files\Analog Devices\SoundMAX\SMTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-02-12 13:58 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-30 00:37]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-08-15 12:41]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-30 00:37]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-30 00:38]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-17 00:11]
R3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;C:\WINDOWS\system32\DRIVERS\WG11TND5.sys [2005-09-05 12:21]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\DNINDIS5.SYS [2003-07-24 13:10]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2002-10-16 09:11]

*Newly Created Service* - LIVEUPDATE_NOTICE_SERVICE
.
- - - - ORPHANS REMOVED - - - -

Notify-nietdraw - C:\Program Files\Windows Media Player\Network Sharing\nietdraw.dll
Notify-hgGyYsrP - hgGyYsrP.dll
MSConfigStartUp-ccApp - C:\Program Files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-osCheck - C:\Program Files\Norton Internet Security\osCheck.exe
MSConfigStartUp-QuickTime Task - C:\Program Files\QuickTime\qttask.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nbgu0iyg.default\
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-01 19:08:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-09-01 20:39:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-01 19:38:56

Pre-Run: 16,916,701,184 bytes free
Post-Run: 17,602,002,944 bytes free

189 --- E O F --- 2008-08-13 23:54:18

And the HiJack log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:41:45, on 01/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG111T\wlan111t.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/people/Victoria_Smith/733472413
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab55579.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/The%20Mystery%20of%20the%20Crystal%20Portal/Images/stg_drm.ocx
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/bingame/trix/def...x.1.0.0.87.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab55579.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase5036.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://zone.msn.com/bingame/dsh2/def...2.1.0.0.68.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1162907886561
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1164842721390
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/def...jolauncher.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames...1.cab60096.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://zone.msn.com/bingame/fotg/def...g.1.0.0.37.cab
O16 - DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} (MSN Music Mediabar) - http://sib1.pvw.od2.com/common/music...agerPlugin.CAB
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/def...rsion=1,0,0,10
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mystery%20Case%20Files%20-%20Ravenhearst/Images/armhelper.ocx
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/cnma/default/ct.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 7120 bytes

Thanks for your help, I really do appreciate it
Old 09-02-2008, 04:55 AM   #6 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
Join Date: Jun 2006
Location: USA
Posts: 7,450
OS: XP SP3


Re: virus list from Panda. What do I do now?

Hi,

Quote:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
Before we go any further, please install the recovery console.

The Windows Recovery Console will allow you to boot up into a special recovery mode if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Click here to go to the Microsoft page and download the Recovery Console file which is appropriate for your system, and save it to your desktop. Please make sure that you save it as it's originally named and place it next to Combofix on your desktop:

  • Close all open windows and programs
  • Drag and drop the setup package onto ComboFix.exe
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

As part of installing the Recovery Console, ComboFix will begin to run. Follow the prompts to install the Recovery Console. Your desktop may disappear. This is normal. It will return.

Once the Recovery Console is installed using ComboFix, you should see a message that says:

The Recovery Console was successfully installed.



Please continue as follows:

Close/disable all anti virus and anti malware programs so that they do not interfere with the running of ComboFix.

Click No to exit ComboFix.

====================================
  • Open notepad (Start>All programs>accessories>notepad) (It must be notepad, not wordpad, or it won't work)
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Click Format and ensure Wordwrap is unchecked.

Code:
KILLALL::

Folder::
C:\Documents and Settings\All Users\Application Data\Viewpoint

DirLook::
C:\Program Files\temp01

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"=-

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


=======================================

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post along with the Combofix.txt and a fresh HijackThis log.

Last edited by amateur; 09-02-2008 at 08:30 PM. Reason: typo
Old 09-02-2008, 10:12 AM   #7 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 8
OS: XP Home


Re: virus list from Panda. What do I do now?

Hi,

Thanks again for all your help.

Kaspersky log:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, September 2, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, September 02, 2008 15:50:02
Records in database: 1181518
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 48903
Threat name: 2
Infected objects: 6
Suspicious objects: 0
Duration of the scan: 02:10:18


File name / Threat name / Threats count
C:\QooBox\Quarantine\C\WINDOWS\system32\fajjiqvc.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.cqd 1
C:\QooBox\Quarantine\C\WINDOWS\system32\hhtjmvkx.dll.vir Infected: Trojan.Win32.Monder.fyf 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ijmgjfip.dll.vir Infected: Trojan.Win32.Monder.fyf 1
C:\QooBox\Quarantine\C\WINDOWS\system32\rakgef.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.cqd 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ruftgx.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.cqd 1
C:\QooBox\Quarantine\C\WINDOWS\system32\tcufbbjy.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.cqd 1

The selected area was scanned.

ComboFix Log:
ComboFix 08-09-01.01 - Administrator 2008-09-02 13:49:27.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.285 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Viewpoint

.
((((((((((((((((((((((((( Files Created from 2008-08-02 to 2008-09-02 )))))))))))))))))))))))))))))))
.

2008-08-31 23:56 . 2008-08-31 23:56 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-08-21 02:24 . 2008-08-21 02:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-20 23:24 . 2008-04-29 11:33 16,952 --------- C:\WINDOWS\system32\drivers\RkPavproc1.sys
2008-08-20 22:55 . 2008-08-31 23:50 <DIR> d-------- C:\Program Files\Panda Security
2008-08-17 01:08 . 2008-09-02 12:52 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-17 00:11 . 2008-09-02 09:52 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-17 00:11 . 2008-08-30 00:37 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-17 00:11 . 2008-08-17 00:11 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-08-17 00:11 . 2008-08-17 00:11 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-08-17 00:09 . 2008-08-17 00:09 <DIR> d-------- C:\Program Files\AVG
2008-08-17 00:09 . 2008-08-17 00:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-15 13:27 . 2008-08-15 13:27 <DIR> d-------- C:\Program Files\CCleaner
2008-08-15 12:57 . 2008-09-02 13:58 <DIR> d-------- C:\Program Files\WinClamAVShield
2008-08-15 12:41 . 2008-09-02 08:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-08-15 12:41 . 2008-09-02 08:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Spyware Terminator
2008-08-15 12:41 . 2008-08-15 12:41 141,312 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-08-15 12:40 . 2008-09-01 08:49 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-08-14 16:17 . 2008-08-14 16:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\GameHouse
2008-08-14 16:14 . 2008-08-14 16:14 <DIR> d-------- C:\WINDOWS\Cate West The Vanishing Files
2008-08-11 19:27 . 2008-08-15 01:31 <DIR> d-------- C:\Program Files\DNA
2008-08-10 13:03 . 2008-08-10 13:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-08-10 12:59 . 2008-08-10 12:59 <DIR> d-------- C:\Program Files\AOL Games
2008-08-09 11:56 . 2008-08-09 11:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FloodLightGames
2008-08-09 11:56 . 2008-08-09 11:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\FloodLightGames
2008-08-08 09:24 . 2008-08-08 09:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Gogii
2008-08-08 00:55 . 2008-08-08 00:55 268 --ah----- C:\sqmdata16.sqm
2008-08-08 00:55 . 2008-08-08 00:55 244 --ah----- C:\sqmnoopt16.sqm
2008-08-07 22:51 . 2008-08-07 22:51 4,096 --a------ C:\WINDOWS\d3dx.dat
2008-08-07 00:38 . 2008-08-07 00:38 268 --ah----- C:\sqmdata15.sqm
2008-08-07 00:38 . 2008-08-07 00:38 244 --ah----- C:\sqmnoopt15.sqm
2008-08-06 02:11 . 2008-08-06 02:11 268 --ah----- C:\sqmdata14.sqm
2008-08-06 02:11 . 2008-08-06 02:11 244 --ah----- C:\sqmnoopt14.sqm
2008-08-05 02:14 . 2008-08-05 02:14 268 --ah----- C:\sqmdata13.sqm
2008-08-05 02:14 . 2008-08-05 02:14 244 --ah----- C:\sqmnoopt13.sqm
2008-08-04 01:28 . 2008-08-04 01:28 268 --ah----- C:\sqmdata12.sqm
2008-08-04 01:28 . 2008-08-04 01:28 244 --ah----- C:\sqmnoopt12.sqm
2008-08-03 03:50 . 2008-08-03 03:50 268 --ah----- C:\sqmdata11.sqm
2008-08-03 03:50 . 2008-08-03 03:50 244 --ah----- C:\sqmnoopt11.sqm
2008-08-02 02:08 . 2008-08-02 02:08 268 --ah----- C:\sqmdata10.sqm
2008-08-02 02:08 . 2008-08-02 02:08 244 --ah----- C:\sqmnoopt10.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-01 18:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-01 18:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-17 00:08 --------- d-----w C:\Program Files\AIM6
2008-08-16 11:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-08-15 00:55 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-08-11 17:34 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-11 14:01 --------- d-----w C:\Documents and Settings\Administrator\Application Data\PlayFirst
2008-08-09 12:48 --------- d-----w C:\Program Files\MSN Games
2008-08-07 16:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Flood Light Games
2008-08-07 16:20 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Flood Light Games
2008-07-12 22:48 --------- d-----w C:\Program Files\Mario Forever
2008-05-16 22:01 0 ----a-w C:\Program Files\temp01
2008-02-14 15:00 43,832 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-12-13 13:59 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Program Files\temp01 ----

C:\Program Files\temp01\


((((((((((((((((((((((((((((( snapshot@2008-09-01_20.38.08.37 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-06-23 11:02:49 1,022,976 ----a-w C:\WINDOWS\system32\browseui.dll
+ 2008-06-23 15:38:28 1,023,488 ----a-w C:\WINDOWS\system32\browseui.dll
- 2006-06-23 11:02:49 151,040 -c--a-w C:\WINDOWS\system32\cdfview.dll
+ 2008-06-23 15:38:29 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
- 2006-06-23 11:02:50 1,054,208 -c--a-w C:\WINDOWS\system32\danim.dll
+ 2008-06-23 15:38:30 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
- 2006-06-23 11:02:49 1,022,976 -c--a-w C:\WINDOWS\system32\dllcache\browseui.dll
+ 2008-06-23 15:38:28 1,023,488 -c--a-w C:\WINDOWS\system32\dllcache\browseui.dll
- 2006-06-23 11:02:49 151,040 -c--a-w C:\WINDOWS\system32\dllcache\cdfview.dll
+ 2008-06-23 15:38:29 151,040 -c--a-w C:\WINDOWS\system32\dllcache\cdfview.dll
- 2006-06-23 11:02:50 1,054,208 -c--a-w C:\WINDOWS\system32\dllcache\danim.dll
+ 2008-06-23 15:38:30 1,054,208 -c--a-w C:\WINDOWS\system32\dllcache\danim.dll
- 2006-06-23 11:02:50 357,888 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-06-23 15:38:30 357,888 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2006-06-23 11:02:50 205,312 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-06-23 15:38:30 205,312 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2006-06-23 11:02:50 55,808 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2008-06-23 15:38:30 55,808 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2006-06-23 08:35:52 18,432 -c--a-w C:\WINDOWS\system32\dllcache\iedw.exe
+ 2008-06-23 09:49:29 18,432 -c--a-w C:\WINDOWS\system32\dllcache\iedw.exe
- 2006-06-23 11:02:50 251,392 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
+ 2008-06-23 15:38:31 251,392 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
- 2006-06-23 11:02:50 96,256 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
+ 2008-06-23 15:38:31 96,256 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
- 2006-05-18 05:24:25 450,560 -c--a-w C:\WINDOWS\system32\dllcache\jscript.dll
+ 2007-12-18 14:40:58 450,560 -c--a-w C:\WINDOWS\system32\dllcache\jscript.dll
- 2006-06-23 11:02:50 16,384 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-06-23 15:38:31 16,384 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2006-07-28 11:28:54 3,054,080 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2008-06-23 15:38:33 3,059,712 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2006-06-23 11:02:51 448,512 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-06-23 15:38:33 449,024 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2006-06-23 11:02:51 146,432 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-06-23 15:38:33 146,432 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2006-06-23 11:02:51 532,480 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-06-23 15:38:33 532,480 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2006-06-23 11:02:51 39,424 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-06-23 15:38:33 39,424 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2006-09-04 06:08:01 1,494,016 -c--a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
+ 2008-06-23 15:38:34 1,494,528 -c--a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
- 2006-06-23 11:02:51 474,112 -c--a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
+ 2008-06-23 15:38:34 474,112 -c--a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
- 2006-07-25 20:33:39 613,888 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-06-23 15:38:34 615,936 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2004-08-04 12:00:00 417,792 -c--a-w C:\WINDOWS\system32\dllcache\vbscript.dll
+ 2007-12-18 14:40:58 417,792 -c--a-w C:\WINDOWS\system32\dllcache\vbscript.dll
- 2006-06-23 11:02:52 658,944 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-06-23 15:38:34 659,456 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
- 2006-06-23 11:02:50 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2008-06-23 15:38:30 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2006-06-23 11:02:50 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2008-06-23 15:38:30 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2006-06-23 11:02:50 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2008-06-23 15:38:30 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2006-06-23 11:02:50 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
+ 2008-06-23 15:38:31 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
- 2006-06-23 11:02:50 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
+ 2008-06-23 15:38:31 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
- 2006-05-18 05:24:25 450,560 ----a-w C:\WINDOWS\system32\jscript.dll
+ 2007-12-18 14:40:58 450,560 ----a-w C:\WINDOWS\system32\jscript.dll
- 2006-06-23 11:02:50 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2008-06-23 15:38:31 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2006-07-28 11:28:54 3,054,080 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2008-06-23 15:38:33 3,059,712 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2006-06-23 11:02:51 448,512 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2008-06-23 15:38:33 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2006-06-23 11:02:51 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2008-06-23 15:38:33 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
- 2006-06-23 11:02:51 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2008-06-23 15:38:33 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
- 2008-03-31 22:50:23 40,196 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-09-01 19:49:37 40,196 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-31 22:50:23 311,934 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-09-01 19:49:37 311,934 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2006-06-23 11:02:51 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-06-23 15:38:33 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2006-09-04 06:08:01 1,494,016 ----a-w C:\WINDOWS\system32\shdocvw.dll
+ 2008-06-23 15:38:34 1,494,528 ----a-w C:\WINDOWS\system32\shdocvw.dll
- 2006-06-23 11:02:51 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
+ 2008-06-23 15:38:34 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
- 2006-07-25 20:33:39 613,888 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-06-23 15:38:34 615,936 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2004-08-04 12:00:00 417,792 ----a-w C:\WINDOWS\system32\vbscript.dll
+ 2007-12-18 14:40:58 417,792 ----a-w C:\WINDOWS\system32\vbscript.dll
- 2006-06-23 11:02:52 658,944 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2008-06-23 15:38:34 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
- 2007-10-29 10:04:03 350,720 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2008-07-03 09:14:02 351,744 ----a-w C:\WINDOWS\system32\xpsp3res.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-08-31 10:55 1783808]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-30 00:38 1235736]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG111T Smart Wizard.lnk - C:\Program Files\NETGEAR\WG111T\wlan111t.exe [2006-12-30 10:02:20 884840]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2007-09-29 21:22 50528 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 13:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
--a------ 2002-10-23 19:15 86016 c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
--a------ 2002-06-27 02:36 90112 C:\Program Files\Analog Devices\SoundMAX\SMTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-02-12 13:58 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-30 00:37]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-08-15 12:41]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-30 00:37]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-30 00:38]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-17 00:11]
R3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;C:\WINDOWS\system32\DRIVERS\WG11TND5.sys [2005-09-05 12:21]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\DNINDIS5.SYS [2003-07-24 13:10]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2002-10-16 09:11]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-02 13:57:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\TEMP\43f6790a-3687-456d-bda7-c6803fae09ef.tmp

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-09-02 14:08:38 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-09-02 13:08:11
ComboFix2.txt 2008-09-01 19:39:30

Pre-Run: 17,441,619,968 bytes free
Post-Run: 17,431,945,216 bytes free

247 --- E O F --- 2008-09-01 19:54:52

Hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:09:10, on 02/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG111T\wlan111t.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/people/Victoria_Smith/733472413
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab55579.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/The%20Mystery%20of%20the%20Crystal%20Portal/Images/stg_drm.ocx
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/bingame/trix/def...x.1.0.0.87.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab55579.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase5036.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://zone.msn.com/bingame/dsh2/def...2.1.0.0.68.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1162907886561
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1164842721390
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/def...jolauncher.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames...1.cab60096.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://zone.msn.com/bingame/fotg/def...g.1.0.0.37.cab
O16 - DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} (MSN Music Mediabar) - http://sib1.pvw.od2.com/common/music...agerPlugin.CAB
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/def...rsion=1,0,0,10
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mystery%20Case%20Files%20-%20Ravenhearst/Images/armhelper.ocx
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/cnma/default/ct.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 7300 bytes


Thank you :)
Old 09-02-2008, 01:28 PM   #8 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
Join Date: Jun 2006
Location: USA
Posts: 7,450
OS: XP SP3


Re: virus list from Panda. What do I do now?

Hi,

What Kaspersky is reporting is in the Qoobox folder of ComboFix, which we'll be clearing shortly.

=================================

Scan with HijackThis and put a checkmark against the following entries:

O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe


The following ActiveX controls (Downloaded Program Files) will reinstall when (and if) you revisit that website,
UNLESS you know they are from a safe source, check to remove:

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/The%20Mystery%20of%20the%20Crystal%20Portal/Images/stg_drm.ocx
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/bingame/trix/def...x.1.0.0.87.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames...1.cab60096.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://zone.msn.com/bingame/fotg/def...g.1.0.0.37.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/def...rsion=1,0,0,10


Close all browsers other than HijackThis and click on 'fix checked'.

=================================
  • Open notepad (Start>All programs>accessories>notepad ) (It must be notepad, not wordpad, or it won't work)
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Click Format and ensure Wordwrap is unchecked.

Code:
KILLALL::



File::

C:\WINDOWS\TEMP\43f6790a-3687-456d-bda7-c6803fae09ef.tmp

Folder::

C:\Program Files\Common Files\Symantec Shared
C:\Documents and Settings\All Users\Application Data\Symantec
C:\Program Files\temp01


Driver::
"LiveUpdate Notice Service"

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


===============================

Please post the Combofix.txt and a fresh HijackThis log taken after a reboot, and let me know how the computer is behaving now.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
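The post above asks for a fresh HijackThis log after "fix checked". As an added example (not part of the original post, and not code from HijackThis or ComboFix), this Python sketch checks which entries from the helper's list still appear in a later log. It assumes that O2/O3/O9/O16/O18 entries are identified by their CLSID; the fresh log and its `example.invalid` URL are constructed sample data.

```python
import re

# A HijackThis entry line: section code ("O16"), " - ", then free text.
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Assumption: in these sections the CLSID is what identifies the entry.
GUID_SECTIONS = {"O2", "O3", "O9", "O16", "O18"}


def entry_key(line):
    """Return a comparison key for one log line, or None if it is not an entry.

    Forum software shortens long URLs (".../trix/def...x.1.0.0.87.cab"), so a
    whole-line comparison between the helper's list and a fresh log would
    miss entries that are still there. Where a CLSID identifies the entry,
    compare on (section, CLSID); otherwise compare the case-folded,
    whitespace-normalised text.
    """
    m = ENTRY_RE.match(line)
    if not m:
        return None
    section, rest = m.group(1), m.group(2)
    if section in GUID_SECTIONS:
        guid = GUID_RE.search(rest)
        if guid:
            return (section, guid.group(0).upper())
    return (section, " ".join(rest.split()).casefold())


def parse_log(text):
    """Map comparison key -> original line for every entry in a log."""
    entries = {}
    for line in text.splitlines():
        key = entry_key(line)
        if key is not None:
            entries.setdefault(key, line.strip())
    return entries


def still_present(fix_list, fresh_log):
    """Return the fix-list lines whose entry is still in the fresh log."""
    fresh = parse_log(fresh_log)
    remaining = []
    for line in fix_list.splitlines():
        key = entry_key(line)
        if key is not None and key in fresh:
            remaining.append(line.strip())
    return remaining


# Three of the entries the helper asked to check (copied from the post,
# including the URL exactly as the forum shortened it).
FIX_LIST = r"""
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/bingame/trix/def...x.1.0.0.87.cab
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
"""

# Constructed fresh log: the toolbar and service are gone, the ActiveX
# control is still registered (placeholder URL, not the real one).
FRESH_LOG = r"""
Logfile of HijackThis (constructed sample)
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://example.invalid/placeholder/full-name.cab
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

if __name__ == "__main__":
    for line in still_present(FIX_LIST, FRESH_LOG):
        print("still present:", line)
```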
Old 09-03-2008, 03:55 AM   #9 (permalink)
Registered User
 
tillyoulostme's Avatar
 
Join Date: Aug 2008
Posts: 8
OS: XP Home


Re: virus list from Panda. What do I do now?

Hi,

CF log:
ComboFix 08-09-01.05 - Administrator 2008-09-03 9:33:37.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.295 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
.
/wow section - STAGE 30
pv: No matching processes found
The requested operation cannot be performed on a file with a user-mapped section open.


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Symantec
C:\Documents and Settings\All Users\Application Data\Symantec\DSA\V_G\DSASL.xml
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Settings.LiveUpdate
C:\Documents and Settings\All Users\Application Data\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PollManager\PollManager_Current.dat
C:\Documents and Settings\All Users\Application Data\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PollManager\PollManager_Job.dat
C:\Documents and Settings\All Users\Application Data\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\SVAR\SVAR_{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}.dat
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\LightningSand.CFD
C:\Program Files\Common Files\Symantec Shared
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll
C:\Program Files\Common Files\Symantec Shared\COH\EraserAHS.log
C:\Program Files\Common Files\Symantec Shared\COH\EraserAHS.tlg
C:\Program Files\Common Files\Symantec Shared\Help\LUALL.CHM
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertUi.dll
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\dcGlobal.dll
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\dcmhSvar.dll
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\dcProd.dll
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\Languages\09\01\AlertEng.loc
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\Languages\fallback.dat
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\lun.ico
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\mhDSA.dll
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\mhSched.dll
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\mhUpgr.dll
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\pifCrawl.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifPep06.dll
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifPep07.dll
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PollMgr.dll
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\readme.txt
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\SymHTML.dll
C:\Program Files\Common Files\Symantec Shared\SPManifests\AlertEng.grd
C:\Program Files\Common Files\Symantec Shared\SPManifests\AlertEng.sig
C:\Program Files\Common Files\Symantec Shared\SPManifests\AlertEng.spm
C:\Program Files\Common Files\Symantec Shared\SPManifests\PifCore.grd
C:\Program Files\Common Files\Symantec Shared\SPManifests\PifCore.sig
C:\Program Files\Common Files\Symantec Shared\SPManifests\PifCore.spm
C:\Program Files\Common Files\Symantec Shared\SymSetup\{830D8CBD-C668-49e2-A969-C2C2106332E0}_14_0_0_89\{83413A.tmp
C:\Program Files\Common Files\Symantec Shared\SymSetup\{830D8CBD-C668-49e2-A969-C2C2106332E0}_14_0_0_89\{834188.tmp
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\CATALOG.DAT
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\CCERASER.DLL
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\ECBOOTIL.VXD
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\ECMSVR32.DLL
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\EECTRL.SYS
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\ERASER.GRD
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\ERASER.SIG
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\ERASER.SPM
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\ERASER.SYS
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\ESRDEF.BIN
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\HH
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\NAVENG.EXP
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\NAVENG.SYS
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\NAVENG.VXD
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\NAVENG32.DLL
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\NAVEX15.EXP
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\NAVEX15.SYS
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\NAVEX15.VXD
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\NAVEX32A.DLL
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\NCSACERT.TXT
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\SCRAUTH.DAT
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\SYMAVENG.CAT
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\SYMAVENG.INF
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\SYMERASE.CAT
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\SYMERASE.INF
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\TCDEFS.DAT
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\TCSCAN7.DAT
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\TCSCAN8.DAT
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\TCSCAN9.DAT
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\TECHNOTE.TXT
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\TINF.DAT
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\TINFIDX.DAT
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\TINFL.DAT
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\TSCAN1.DAT
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\TSCAN1HD.DAT
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\V.GRD
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\V.SIG
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\VIRSCAN.INF
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\VIRSCAN1.DAT
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\VIRSCAN2.DAT
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\VIRSCAN3.DAT
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\VIRSCAN4.DAT
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\VIRSCAN5.DAT
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\VIRSCAN6.DAT
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\VIRSCAN7.DAT
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\VIRSCAN8.DAT
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\VIRSCAN9.DAT
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\VIRSCANT.DAT
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\WHATSNEW.TXT
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080613.023\ZDONE.DAT
C:\Program Files\temp01\

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LIVEUPDATE_NOTICE_SERVICE
-------\Service_LiveUpdate Notice Service


((((((((((((((((((((((((( Files Created from 2008-08-03 to 2008-09-03 )))))))))))))))))))))))))))))))
.

2008-09-02 14:19 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-02 14:17 . 2008-09-02 14:19 <DIR> d-------- C:\Program Files\Java
2008-09-02 14:14 . 2008-09-02 14:14 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-31 23:56 . 2008-08-31 23:56 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-08-21 02:24 . 2008-08-21 02:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-20 23:24 . 2008-04-29 11:33 16,952 --------- C:\WINDOWS\system32\drivers\RkPavproc1.sys
2008-08-20 22:55 . 2008-08-31 23:50 <DIR> d-------- C:\Program Files\Panda Security
2008-08-17 01:08 . 2008-09-02 19:34 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-17 00:11 . 2008-09-03 00:15 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-17 00:11 . 2008-08-30 00:37 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-17 00:11 . 2008-08-17 00:11 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-08-17 00:11 . 2008-08-17 00:11 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-08-17 00:09 . 2008-08-17 00:09 <DIR> d-------- C:\Program Files\AVG
2008-08-17 00:09 . 2008-08-17 00:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-15 13:27 . 2008-08-15 13:27 <DIR> d-------- C:\Program Files\CCleaner
2008-08-15 12:57 . 2008-09-03 09:45 <DIR> d-------- C:\Program Files\WinClamAVShield
2008-08-15 12:41 . 2008-09-02 17:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-08-15 12:41 . 2008-09-02 17:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Spyware Terminator
2008-08-15 12:41 . 2008-08-15 12:41 141,312 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-08-15 12:40 . 2008-09-01 08:49 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-08-14 16:17 . 2008-08-14 16:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\GameHouse
2008-08-14 16:14 . 2008-08-14 16:14 <DIR> d-------- C:\WINDOWS\Cate West The Vanishing Files
2008-08-11 19:27 . 2008-08-15 01:31 <DIR> d-------- C:\Program Files\DNA
2008-08-10 13:03 . 2008-08-10 13:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-08-10 12:59 . 2008-08-10 12:59 <DIR> d-------- C:\Program Files\AOL Games
2008-08-09 11:56 . 2008-08-09 11:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FloodLightGames
2008-08-09 11:56 . 2008-08-09 11:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\FloodLightGames
2008-08-08 09:24 . 2008-08-08 09:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Gogii
2008-08-08 00:55 . 2008-08-08 00:55 268 --ah----- C:\sqmdata16.sqm
2008-08-08 00:55 . 2008-08-08 00:55 244 --ah----- C:\sqmnoopt16.sqm
2008-08-07 22:51 . 2008-08-07 22:51 4,096 --a------ C:\WINDOWS\d3dx.dat
2008-08-07 00:38 . 2008-08-07 00:38 268 --ah----- C:\sqmdata15.sqm
2008-08-07 00:38 . 2008-08-07 00:38 244 --ah----- C:\sqmnoopt15.sqm
2008-08-06 02:11 . 2008-08-06 02:11 268 --ah----- C:\sqmdata14.sqm
2008-08-06 02:11 . 2008-08-06 02:11 244 --ah----- C:\sqmnoopt14.sqm
2008-08-05 02:14 . 2008-08-05 02:14 268 --ah----- C:\sqmdata13.sqm
2008-08-05 02:14 . 2008-08-05 02:14 244 --ah----- C:\sqmnoopt13.sqm
2008-08-04 01:28 . 2008-08-04 01:28 268 --ah----- C:\sqmdata12.sqm
2008-08-04 01:28 . 2008-08-04 01:28 244 --ah----- C:\sqmnoopt12.sqm
2008-08-03 03:50 . 2008-08-03 03:50 268 --ah----- C:\sqmdata11.sqm
2008-08-03 03:50 . 2008-08-03 03:50 244 --ah----- C:\sqmnoopt11.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-17 00:08 --------- d-----w C:\Program Files\AIM6
2008-08-16 11:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-08-15 00:55 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-08-11 17:34 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-11 14:01 --------- d-----w C:\Documents and Settings\Administrator\Application Data\PlayFirst
2008-08-09 12:48 --------- d-----w C:\Program Files\MSN Games
2008-08-07 16:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Flood Light Games
2008-08-07 16:20 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Flood Light Games
2008-07-12 22:48 --------- d-----w C:\Program Files\Mario Forever
2008-05-16 22:01 0 ----a-w C:\Program Files\temp01
2008-02-14 15:00 43,832 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-12-13 13:59 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((( snapshot_2008-09-02_14.06.57.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-10 00:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-10 00:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 01:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-08-31 1783808]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-30 1235736]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG111T Smart Wizard.lnk - C:\Program Files\NETGEAR\WG111T\wlan111t.exe [2006-12-30 884840]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2007-09-29 21:22 50528 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 13:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
--a------ 2002-10-23 19:15 86016 c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
--a------ 2002-06-27 02:36 90112 C:\Program Files\Analog Devices\SoundMAX\SMTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-02-12 13:58 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-30 97928]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-08-15 141312]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-30 875288]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-30 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-17 76040]
R3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;C:\WINDOWS\system32\DRIVERS\WG11TND5.sys [2005-09-05 362944]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\DNINDIS5.SYS [2003-07-24 17149]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2002-10-16 19968]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-03 09:43:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-09-03 9:52:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-03 08:52:16
ComboFix2.txt 2008-09-02 13:08:42
ComboFix3.txt 2008-09-01 19:39:30

Pre-Run: 17,229,996,032 bytes free
Post-Run: 17,255,821,312 bytes free

423 --- E O F --- 2008-09-01 19:54:52

Hijackthis log after reboot:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:50:56, on 03/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG111T\wlan111t.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/people/Victoria_Smith/733472413
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase5036.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1162907886561
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1164842721390
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/def...jolauncher.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames...1.cab60096.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} (MSN Music Mediabar) - http://sib1.pvw.od2.com/common/music...agerPlugin.CAB
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mystery%20Case%20Files%20-%20Ravenhearst/Images/armhelper.ocx
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 5659 bytes

My computer seems to be running much quicker and I'm having less problems. Is everything clean now?

Thank you!
Old 09-03-2008, 04:24 AM   #10 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,450
OS: XP SP3


Re: virus list from Panda. What do I do now?

Quote:
My computer seems to be running much quicker and I'm having less problems. Is everything clean now?
Yes, it appears to be clean, but when you say "less problems", do you mean that you still have problems?

Please note that your resident antivirus AVG8 has an anti-spyware component, previously known as AVG Anti-Spyware. Therefore, I believe that you really don't need to have the Spyware Terminator and its integrated partner WinClamAVShield. They may be conflicting with each other. I would recommend that you remove Spyware Terminator and WinClamAVShield via Add or Remove Programs in Control Panel.

Once you have removed them, you can delete their folders too, if still present:

C:\Program Files\WinClamAVShield
C:\Program Files\Spyware Terminator
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
Old 09-03-2008, 04:30 AM   #11 (permalink)
Registered User
 
tillyoulostme's Avatar
 
Join Date: Aug 2008
Posts: 8
OS: XP Home


Re: virus list from Panda. What do I do now?

Hi,

First off, thank you, so much, for everything you've done. My computer is my lifeline as I'm agoraphobic and have to do everything via the web. My computer seems to be running fine right now and hopefully it will stay that way. I'll delete spyware terminator too. Do you think it would be worth it to subscribe to the fully paid AVG8?

Again, thank you.
Old 09-03-2008, 04:57 AM   #12 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,450
OS: XP SP3


Re: virus list from Panda. What do I do now?

Hi,

Many people are happy and content with the free version of AVG8. It's a matter of personal choice. I am sure both the free version and the paid version have the same database, but the paid subscribers may receive better support and quicker updates.

There is a dedicated AVG support forum where you might get answers to all of your questions about their products.

http://freeforum.avg.com/read.php?12...,backpage=,sv=

==========================

If you have no further malware issues, you're all set to go. The logs are clean.
  • Click Start then Run
  • Now type Combofix /u in the runbox and click OK. Notice the space between the Combofix and the /

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore to prevent reinfection from old restore points.

A colleague of ours has excellent information and tips on the prevention of malware here for your future reference.

Please respond to this thread one more time so we can mark this thread as resolved.

Happy Surfing!

Last edited by amateur; 09-03-2008 at 05:05 AM.
Old 09-03-2008, 07:51 AM   #13 (permalink)
Registered User
 
tillyoulostme's Avatar
 
Join Date: Aug 2008
Posts: 8
OS: XP Home


Re: virus list from Panda. What do I do now?

Hi,

I've uninstalled ComboFix so I think I'm all done.

Thanks for all your help.

I shall get straight to the referred post on preventing malware, so hopefully I'll never have to bother any of you again.

Thanks so much,

Tori
Old 09-03-2008, 07:59 AM   #14 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,450
OS: XP SP3


Re: virus list from Panda. What do I do now?

Hi,

You're welcome. Glad we could help.

Stay safe!