Old 09-04-2009, 12:10 PM   #1 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 8
OS: Windows XP


In need of a lot of help

Hello, for some time my family computer hasn't been working properly. Google links are often redirected, and my computer will randomly shut down all the time. I'm not familiar with how this has happened, as I have a MacBook, so I haven't been using the family Windows XP computer for over a year. About two months ago the computer would no longer start up, so my dad used the backup discs with Windows, which worked well, as the computer became normal. However, after a few weeks, virus after virus began showing up. Currently, I can no longer run my Shaw Secure scan without my computer restarting, and a certain unknown program keeps wanting to connect to the internet.

I don't know if there is any software I should delete, because, as I stated before, I haven't been using the computer for a year (it is primarily used by my younger brother).

I ran the DDS, but whenever I try to run the GMER my computer shuts down. Here are the results of the DDS:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Peyton the Great at 12:47:13.62 on Fri 09/04/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.297 [GMT -5:00]

AV: Shaw Secure 8.02 *On-access scanning enabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: Shaw Secure 8.02 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\Shaw Secure\Common\FSMA32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Shaw Secure\Common\FSMB32.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Shaw Secure\Common\FCH32.EXE
C:\WINDOWS\system32\sofatnet.exe
C:\Program Files\Shaw Secure\Common\FAMEH32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe
svchost.exe
C:\Program Files\Shaw Secure\FSPC\fspc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
C:\Program Files\Shaw Secure\FSAUA\program\fsus.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\DISC\DiscUpdateMgr.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Shaw Secure\Common\FSM32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DISC\DiscGui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Shaw Secure\FSGUI\fsguidll.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\DAEMON Tools Pro\DTProShellHlp.exe
C:\Documents and Settings\Peyton the Great.YOUR-4DACD0EA75\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ask.com?o=14982&l=dis
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [DAEMON Tools Pro Agent] "c:\program files\daemon tools pro\DTProAgent.exe" -autorun
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [DISCover] c:\program files\disc\DISCover.exe
mRun: [DiscUpdateManager] c:\program files\disc\DiscUpdateMgr.exe
mRun: [<NO NAME>]
mRun: [PCDrProfiler]
mRun: [SetDefaultPrinter] c:\hp\bin\cloaker.exe c:\windows\system32\cmd.exe /c c:\hp\bin\defaultprinter\SetDefaultPrinter.cmd
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [F-Secure Manager] "c:\program files\shaw secure\common\FSM32.EXE" /splash
mRun: [F-Secure TNB] "c:\program files\shaw secure\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSxmlHpr] RUNDLL32.EXE c:\windows\system32\msxm192z.dll,w
mRun: [ter8m] RUNDLL32.EXE c:\windows\system32\msxm192z.dll,w
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\casup.lnk - c:\hp\region\CustAtStartUp.wsf
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\extend~1.lnk - c:\windows\ehome\RMSysTry.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll
IE: {200DB664-75B5-47c0-8B45-A44ACCF73C00} - {D68926FD-18FD-4B0E-A1C7-917D13FAB760} - c:\program files\shaw secure\fspc\fspcmsie.dll
IE: {200DB664-75B5-47c0-8B45-A44ACCF73F01} - {D68926FD-18FD-4B0E-A1C7-917D13FAB760} - c:\program files\shaw secure\fspc\fspcmsie.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
LSP: c:\program files\shaw secure\fsps\program\FSLSP.DLL
Trusted Zone: trymedia.com
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2009-5-7 33920]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2009-5-7 79872]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\shaw secure\hips\drivers\fshs.sys [2008-11-6 67808]
R1 ISODisk;ISODisk;c:\windows\system32\drivers\ISODisk.sys [2009-7-2 9600]
R2 EvdoServer;EvdoServer;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
R2 F-Secure Gatekeeper Handler Starter;FSGKHS;c:\program files\shaw secure\anti-virus\fsgk32st.exe [2008-11-4 215648]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 sofatnet;sofatnet Service;c:\windows\system32\sofatnet.exe [2004-8-10 94208]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\shaw secure\anti-virus\minifilter\fsgk.sys [2008-11-4 100472]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\shaw secure\orsp client\fsorsp.exe [2008-11-6 55904]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\shaw secure\anti-virus\win2k\fsfilter.sys [2008-11-4 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\shaw secure\anti-virus\win2k\fsrec.sys [2008-11-4 25184]

=============== Created Last 30 ================

2009-08-21 05:00 268,648 a------- c:\windows\system32\mucltui.dll
2009-08-21 05:00 208,744 a------- c:\windows\system32\muweb.dll
2009-08-21 05:00 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-08-14 03:04 <DIR> --d----- c:\windows\system32\XPSViewer
2009-08-14 03:03 <DIR> --d----- C:\85d681ed01ec36a7c1715561b6ec
2009-08-14 03:03 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-08-14 03:03 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-14 03:03 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-14 03:03 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-08-14 03:03 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-14 03:03 117,760 -------- c:\windows\system32\prntvpt.dll
2009-08-14 03:03 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-14 03:01 <DIR> --d----- c:\program files\MSXML 6.0

==================== Find3M ====================

2009-08-05 04:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 04:11 204,800 a------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-18 11:20 3,062,272 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-18 11:20 1,506,304 a------- c:\windows\system32\dllcache\shdocvw.dll
2009-07-17 13:55 58,880 a------- c:\windows\system32\dllcache\atl.dll
2009-07-17 13:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 10,841,088 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-10 08:42 1,315,328 a------- c:\windows\system32\dllcache\msoe.dll
2009-07-08 03:55 33,920 a------- c:\windows\system32\drivers\fsbts.sys
2009-07-03 03:54 6,778 a------- c:\windows\system32\uacinit.dll
2009-06-25 13:36 661,504 a------- c:\windows\system32\mqqm.dll
2009-06-25 03:44 724,480 a------- c:\windows\system32\lsasrv.dll
2009-06-25 03:44 724,480 a------- c:\windows\system32\dllcache\lsasrv.dll
2009-06-25 03:44 298,496 a------- c:\windows\system32\kerberos.dll
2009-06-25 03:44 298,496 a------- c:\windows\system32\dllcache\kerberos.dll
2009-06-25 03:44 168,448 a------- c:\windows\system32\schannel.dll
2009-06-25 03:44 168,448 a------- c:\windows\system32\dllcache\schannel.dll
2009-06-25 03:44 133,632 a------- c:\windows\system32\msv1_0.dll
2009-06-25 03:44 133,632 a------- c:\windows\system32\dllcache\msv1_0.dll
2009-06-25 03:44 59,392 a------- c:\windows\system32\wdigest.dll
2009-06-25 03:44 59,392 a------- c:\windows\system32\dllcache\wdigest.dll
2009-06-25 03:44 56,320 a------- c:\windows\system32\secur32.dll
2009-06-25 03:44 56,320 a------- c:\windows\system32\dllcache\secur32.dll
2009-06-23 11:14 34 a------- c:\documents and settings\peyton the great.your-4dacd0ea75\jagex_runescape_preferences.dat
2009-06-22 06:49 117,248 a------- c:\windows\system32\mqtgsvc.exe
2009-06-22 06:49 117,248 a------- c:\windows\system32\dllcache\mqtgsvc.exe
2009-06-22 06:49 19,968 a------- c:\windows\system32\mqbkup.exe
2009-06-22 06:49 19,968 a------- c:\windows\system32\dllcache\mqbkup.exe
2009-06-22 06:49 4,608 a------- c:\windows\system32\mqsvc.exe
2009-06-22 06:49 4,608 a------- c:\windows\system32\dllcache\mqsvc.exe
2009-06-22 06:48 91,776 a------- c:\windows\system32\dllcache\mqac.sys
2009-06-22 06:38 18,432 a------- c:\windows\system32\dllcache\iedw.exe
2009-06-22 06:34 92,544 a------- c:\windows\system32\dllcache\ksecdd.sys
2009-06-16 09:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:55 119,808 a------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 09:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-16 09:55 82,432 a------- c:\windows\system32\dllcache\fontsub.dll
2009-06-12 06:50 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 06:50 80,896 a------- c:\windows\system32\dllcache\tlntsess.exe
2009-06-12 06:50 76,288 a------- c:\windows\system32\telnet.exe
2009-06-12 06:50 76,288 a------- c:\windows\system32\dllcache\telnet.exe
2009-06-10 09:21 84,992 a------- c:\windows\system32\dllcache\avifil32.dll
2009-06-10 09:21 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 01:32 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-10 01:32 132,096 a------- c:\windows\system32\dllcache\wkssvc.dll
2009-06-07 12:23 2,362 a------- c:\docume~1\peyton~1.you\applic~1\wklnhst.dat
2007-02-18 04:30 251 a------- c:\program files\wt3d.ini
2006-11-05 13:16 32 a--sh--- c:\windows\sminst\HPCD.SYS

============= FINISH: 12:48:49.48 ===============
Rush102 is offline  
Old 09-04-2009, 11:26 PM   #2 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,908
OS: WinXP and Vista


Re: In need of a lot of help

Hello Rush102,

Let's try another rootkit scanner.

Download RootRepeal
  • Extract RootRepeal.exe from the zip archive.
  • Open on your desktop.
  • Click the tab.
  • Click the button.
  • Check all boxes
  • Click Ok
  • Check the box for your main system drive (Usually C:), and click Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
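Ried's steps above produce a plain-text RootRepeal report like the one posted next in this thread. As an added example (not code from the thread, the forum, or RootRepeal's author), the Python below parses that report layout and pulls out what an analyst reads first: drivers and files hidden from the Windows API, hidden modules with their host process and PID, and hooked IRP dispatch entries grouped by driver with the distinct hook addresses. The sample report embedded in it is constructed from the layout seen in this thread (banner lines dropped; the names are the ones the thread shows); `parse_sections`, `triage` and the field regexes are this example's own and are assumed to fit only the RootRepeal 1.3.5 output format as it appears here.

```python
"""Triage summary for a RootRepeal text report (added example; not code from
the thread, the forum, or RootRepeal's author).  SAMPLE_REPORT is constructed
to mirror the layout seen in the thread: section title, dashed rule, records."""
import os
import re
from collections import defaultdict

SAMPLE_REPORT = r"""Drivers
-------------------
Name: hjgruigldsqvud.sys
Image Path: C:\WINDOWS\system32\drivers\hjgruigldsqvud.sys
Address: 0xF1137000 Size: 163840 File Visible: - Signed: -
Status: Hidden from the Windows API!

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\hjgruibsqmajfg.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruilog.dat
Status: Invisible to the Windows API!

Path: c:\windows\temp\perflib_perfdata_b50.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Stealth Objects
-------------------
Object: Hidden Module [Name: hjgruiufkubyut.dll]
Process: svchost.exe (PID: 828) Address: 0x10000000 Size: 57344

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x859671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x859671f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x859d91f8 Size: 121
"""

SECTION_RE = re.compile(r"^(?P<title>[^\n]+)\n-{5,}\n", re.M)  # title over a dashed rule


def parse_sections(text):
    """Return {section title: [record, ...]}; a record maps the first
    'Key: value' on each line (secondary pairs stay inside the value)."""
    sections, heads = {}, list(SECTION_RE.finditer(text))
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        records = []
        for block in re.split(r"\n\s*\n", text[head.end():end].strip()):
            record = {}
            for line in block.splitlines():
                key, sep, value = line.partition(": ")
                if sep:
                    record[key.strip()] = value.strip()
            if record:
                records.append(record)
        sections[head.group("title").strip()] = records
    return sections


def triage(text):
    """Summarise the findings an analyst reads first."""
    s = parse_sections(text)
    files = s.get("Hidden/Locked Files", [])
    paths_with = lambda word: sorted(r["Path"] for r in files if word in r.get("Status", "").lower())
    hidden_drivers = sorted(r["Name"] for r in s.get("Drivers", [])
                            if "hidden from the windows api" in r.get("Status", "").lower())
    hidden_modules, hooks = [], defaultdict(dict)
    for r in s.get("Stealth Objects", []):
        obj, proc = r.get("Object", ""), r.get("Process", "")
        mod = re.match(r"Hidden Module \[Name: (.+?)\]", obj)
        code = re.match(r"Hidden Code \[Driver: (.+?), (IRP_MJ_\w+)\]", obj)
        if mod:  # module hidden inside a user-mode process
            owner = re.match(r"(\S+) \(PID: (\d+)\)", proc)
            hidden_modules.append((mod.group(1), owner.group(1), int(owner.group(2))))
        elif code:  # hooked dispatch entry: driver -> {IRP major: hook address}
            addr = re.search(r"Address: (0x[0-9A-Fa-f]+)", proc)
            hooks[code.group(1)][code.group(2)] = addr.group(1) if addr else None
    # Many hooked entries sharing one address means one hook routine, so report
    # the distinct addresses per driver rather than one line per IRP major.
    irp_hooks = {d: {"count": len(m), "addresses": sorted(set(filter(None, m.values())))}
                 for d, m in hooks.items()}
    invisible = paths_with("invisible to the windows api")
    names = [p.rsplit("\\", 1)[-1] for p in invisible] + hidden_drivers + [m[0] for m in hidden_modules]
    return {"hidden_drivers": hidden_drivers, "invisible_files": invisible,
            "locked_files": paths_with("locked to the windows api"),
            "size_mismatch": paths_with("size mismatch"),
            "hidden_modules": hidden_modules, "irp_hooks": irp_hooks,
            # one family usually shares one name prefix; "" if nothing is hidden
            "common_prefix": os.path.commonprefix(names)}


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

Run it as-is to see the summary for the constructed sample, or feed it a saved report with `triage(open("RootRepeal.txt").read())`. Size-mismatch entries are kept apart from the invisible ones so that files merely in use do not bury the objects actually hidden from the API, and the shared name prefix across hidden drivers, files and modules is reported because one family's components are usually named alike, as the report in this thread shows.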
Old 09-06-2009, 09:24 AM   #3 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 8
OS: Windows XP


Re: In need of a lot of help

Thanks for the reply.

Here's the report:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/09/05 09:29
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF0EE5000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7AFC000 Size: 8192 File Visible: No Signed: -
Status: -

Name: hjgruigldsqvud.sys
Image Path: C:\WINDOWS\system32\drivers\hjgruigldsqvud.sys
Address: 0xF1137000 Size: 163840 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: PCI_PNP1126
Image Path: \Driver\PCI_PNP1126
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEC59E000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spmk.sys
Image Path: spmk.sys
Address: 0xF736E000 Size: 1052672 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\install.txt
Status: Size mismatch (API: 274, Raw: 275)

Path: C:\WINDOWS\system32\hjgruibsqmajfg.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruibsqmajfg.dll.uss_dis
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruicdcvomwv.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruilog.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruiufkubyut.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruivmjssiqq.dat
Status: Invisible to the Windows API!

Path: c:\windows\system32\install.txt
Status: Allocation size mismatch (API: 272, Raw: 280)

Path: c:\windows\temp\perflib_perfdata_b50.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\windows\temp\perflib_perfdata_f60.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\WINDOWS\Temp\hjgruidmdtsprquf.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruiinbypuyapk.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruikgymrfymcx.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruincvitegnwe.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruionoymrecni.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruipomyqdmwtm.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruipxolospwts.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruiqitoqapowo.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruirwqpuxdsty.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruisqruyqdnus.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruitkipjipoup.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruixjqvouoiba.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruixuwqpibcrs.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruiynfiqnbjpq.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruiloyagmbute.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\hjgruigldsqvud.sys
Status: Invisible to the Windows API!

Path: c:\documents and settings\hp_administrator\local settings\temp\htt83.tmp
Status: Allocation size mismatch (API: 606208, Raw: 0)

Path: c:\documents and settings\hp_administrator\local settings\temp\perflib_perfdata_c8c.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\peyton the great.your-4dacd0ea75\local settings\temp\123e_appcompat.txt
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\peyton the great.your-4dacd0ea75\local settings\temp\12ee_appcompat.txt
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: c:\documents and settings\peyton the great.your-4dacd0ea75\local settings\temp\5ebf_appcompat.txt
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\peyton the great.your-4dacd0ea75\local settings\temp\perflib_perfdata_5e0.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\peyton the great.your-4dacd0ea75\local settings\temp\perflib_perfdata_b70.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\peyton the great.your-4dacd0ea75\local settings\temp\perflib_perfdata_c08.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\peyton the great.your-4dacd0ea75\local settings\temp\perflib_perfdata_c7c.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\peyton the great.your-4dacd0ea75\local settings\temp\perflib_perfdata_d08.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\peyton the great.your-4dacd0ea75\local settings\temp\perflib_perfdata_e90.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\Peyton the Great.YOUR-4DACD0EA75\My Documents\My Documents\Converted Videos\UFC 63: Hughes vs Penn.mp4
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Peyton the Great.YOUR-4DACD0EA75\My Documents\My Documents\Converted Videos\UFC 63: Hughes vs Penn.mp4
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Peyton the Great.YOUR-4DACD0EA75\My Documents\My Documents\Converted Videos\UFC 63: Hughes vs Penn.mp4
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Peyton the Great.YOUR-4DACD0EA75\My Documents\My Documents\Converted Videos\UFC 63: Hughes vs Penn.mp4
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Peyton the Great.YOUR-4DACD0EA75\My Documents\My Documents\Converted Videos\UFC 63: Hughes vs Penn.mp4
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Peyton the Great.YOUR-4DACD0EA75\My Documents\My Documents\Converted Videos\UFC 76: Knockout.mp4
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Peyton the Great.YOUR-4DACD0EA75\My Documents\My Documents\Converted Videos\UFC 76: Knockout.mp4
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Peyton the Great.YOUR-4DACD0EA75\My Documents\My Documents\Converted Videos\UFC 76: Knockout.mp4
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Peyton the Great.YOUR-4DACD0EA75\My Documents\My Documents\Converted Videos\UFC 83: St. Pierre vs Serra II.mp4
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Peyton the Great.YOUR-4DACD0EA75\My Documents\My Documents\Converted Videos\UFC 83: St. Pierre vs Serra II.mp4
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Peyton the Great.YOUR-4DACD0EA75\My Documents\My Documents\Converted Videos\UFC 83: St. Pierre vs Serra II.mp4
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Peyton the Great.YOUR-4DACD0EA75\My Documents\My Documents\Converted Videos\UFC 83: St. Pierre vs Serra II.mp4
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Peyton the Great.YOUR-4DACD0EA75\My Documents\My Documents\Converted Videos\UFC 83: St. Pierre vs Serra II.mp4
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Peyton the Great.YOUR-4DACD0EA75\My Documents\My Documents\Converted Videos\UFC 83: St. Pierre vs Serra II.mp4
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Peyton the Great.YOUR-4DACD0EA75\My Documents\Red Kawa\Videos\RUSSEL~1: Red White and Brown.mp4
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Peyton the Great.YOUR-4DACD0EA75\My Documents\Red Kawa\Videos\RUSSEL~1: Red White and Brown.mp4
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Peyton the Great.YOUR-4DACD0EA75\My Documents\Red Kawa\Videos\RUSSEL~1: Red White and Brown.mp4
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\92BJS8LZ\welcome_03[1].png
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\HMMEDDED\jackpotcity[1].exe
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Peyton the Great.YOUR-4DACD0EA75\Application Data\Mozilla\Firefox\Profiles\pvk6zuvr.default\sessionstore.js
Status: Could not get file information (Error 0xc0000008)

Stealth Objects
-------------------
Object: Hidden Module [Name: hjgruiufkubyut.dll]
Process: svchost.exe (PID: 828) Address: 0x10000000 Size: 57344

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x859671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x859671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x859671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x859671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x859671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x859671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x859671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x859671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x859671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x859671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x859671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x859671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x859671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x859671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x859671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x859671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x859671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x859671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x859671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x859671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x859671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x859671f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x85237500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x85237500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x85237500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x85237500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x85237500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x85237500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x85237500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x85237500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x85237500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x85237500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x85237500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x85237500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x85237500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85237500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x85237500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x85237500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x85237500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x85237500 Size: 121

Object: Hidden Code [Driver: auofbn13؅క浍瑓蔬, IRP_MJ_CREATE]
Process: System Address: 0x85300500 Size: 121

Object: Hidden Code [Driver: auofbn13؅క浍瑓蔬, IRP_MJ_CLOSE]
Process: System Address: 0x85300500 Size: 121

Object: Hidden Code [Driver: auofbn13؅క浍瑓蔬, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85300500 Size: 121

Object: Hidden Code [Driver: auofbn13؅క浍瑓蔬, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85300500 Size: 121

Object: Hidden Code [Driver: auofbn13؅క浍瑓蔬, IRP_MJ_POWER]
Process: System Address: 0x85300500 Size: 121

Object: Hidden Code [Driver: auofbn13؅క浍瑓蔬, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x85300500 Size: 121

Object: Hidden Code [Driver: auofbn13؅క浍瑓蔬, IRP_MJ_PNP]
Process: System Address: 0x85300500 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x859d91f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x859d91f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x859d91f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x859d91f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x859d91f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x859d91f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x859d91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x852a11f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x852a11f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x852a11f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x852a11f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x852a11f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x852a11f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x852a11f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x852a11f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x852a11f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x852a11f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x852a11f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_CREATE]
Process: System Address: 0x85236500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_CLOSE]
Process: System Address: 0x85236500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_READ]
Process: System Address: 0x85236500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_WRITE]
Process: System Address: 0x85236500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85236500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85236500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_POWER]
Process: System Address: 0x85236500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x85236500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_PNP]
Process: System Address: 0x85236500 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x859da1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x859da1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x859da1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x859da1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x859da1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x859da1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x859da1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x859da1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x859da1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x859da1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x859da1f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE]
Process: System Address: 0x854981f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE]
Process: System Address: 0x854981f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x854981f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x854981f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER]
Process: System Address: 0x854981f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x854981f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP]
Process: System Address: 0x854981f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8596a1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8596a1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8596a1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8596a1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8596a1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8596a1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8596a1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8596a1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8596a1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8596a1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8596a1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x8523a500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x8523a500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8523a500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8523a500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x8523a500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x8523a500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x852a41f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x852a41f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x852a41f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x852a41f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x852a41f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x852a41f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x852a41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x85238500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x85238500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x85238500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x85238500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x85238500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x85238500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x85238500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x85238500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x85238500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x85238500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x85238500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x85238500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x85238500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x85238500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85238500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85238500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x85238500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x85238500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x85238500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x85238500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x85238500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x85238500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x85238500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x85238500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x85238500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x85238500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x85238500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x85238500 Size: 121

Object: Hidden Code [Driver: Cdfsȅ潔ȁఙ潐혨跈, IRP_MJ_CREATE]
Process: System Address: 0x84776500 Size: 121

Object: Hidden Code [Driver: Cdfsȅ潔ȁఙ潐혨跈, IRP_MJ_CLOSE]
Process: System Address: 0x84776500 Size: 121

Object: Hidden Code [Driver: Cdfsȅ潔ȁఙ潐혨跈, IRP_MJ_READ]
Process: System Address: 0x84776500 Size: 121

Object: Hidden Code [Driver: Cdfsȅ潔ȁఙ潐혨跈, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x84776500 Size: 121

Object: Hidden Code [Driver: Cdfsȅ潔ȁఙ潐혨跈, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x84776500 Size: 121

Object: Hidden Code [Driver: Cdfsȅ潔ȁఙ潐혨跈, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x84776500 Size: 121

Object: Hidden Code [Driver: Cdfsȅ潔ȁఙ潐혨跈, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x84776500 Size: 121

Object: Hidden Code [Driver: Cdfsȅ潔ȁఙ潐혨跈, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x84776500 Size: 121

Object: Hidden Code [Driver: Cdfsȅ潔ȁఙ潐혨跈, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x84776500 Size: 121

Object: Hidden Code [Driver: Cdfsȅ潔ȁఙ潐혨跈, IRP_MJ_SHUTDOWN]
Process: System Address: 0x84776500 Size: 121

Object: Hidden Code [Driver: Cdfsȅ潔ȁఙ潐혨跈, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x84776500 Size: 121

Object: Hidden Code [Driver: Cdfsȅ潔ȁఙ潐혨跈, IRP_MJ_CLEANUP]
Process: System Address: 0x84776500 Size: 121

Object: Hidden Code [Driver: Cdfsȅ潔ȁఙ潐혨跈, IRP_MJ_PNP]
Process: System Address: 0x84776500 Size: 121

Shadow SSDT
-------------------
#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys" at address 0xf77b45ac

==EOF==
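The GMER output above lists, for each driver object, every IRP_MJ dispatch entry that now points at "hidden code", and within each driver all of those entries resolve to the same address with the same size (121). Two of the driver names are printed with trailing non-ASCII bytes. As an added example (not part of the posted log, the forum's own tooling, or GMER itself), the Python script below pairs each Object/Process line, groups the hooks per driver object, reports whether all hooked handlers of a driver share one target address, flags driver names that are not clean printable ASCII, and lists the module GMER names as owner of the Shadow SSDT hook so that a legitimately installed HIPS driver such as fshs.sys is not confused with the rootkit. The sample log is constructed from a subset of the entries above (the odd driver-name bytes are reproduced as escapes); all function names are my own.

```python
"""Triage of GMER 'Hidden Code' IRP-hook entries (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample: a handful of entries copied from the posted GMER log
# (driver-name bytes reproduced as escapes) plus the Shadow SSDT section.
SAMPLE_LOG = """\
Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x859d91f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x859d91f8 Size: 121

Object: Hidden Code [Driver: auofbn13\u0605\u0c15\u6d4d\u7453\u852c, IRP_MJ_CREATE]
Process: System Address: 0x85300500 Size: 121

Object: Hidden Code [Driver: auofbn13\u0605\u0c15\u6d4d\u7453\u852c, IRP_MJ_CLOSE]
Process: System Address: 0x85300500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_READ]
Process: System Address: 0x85236500 Size: 121

Shadow SSDT
-------------------
#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\\Program Files\\Shaw Secure\\HIPS\\drivers\\fshs.sys" at address 0xf77b45ac
"""

# One GMER entry = an 'Object:' line immediately followed by its 'Process:' line.
ENTRY_RE = re.compile(
    r"Object: Hidden Code \[Driver: (?P<driver>.+?), (?P<irp>IRP_MJ_[A-Z_]+)\]\r?\n"
    r"Process: (?P<process>\S+) Address: (?P<addr>0x[0-9a-fA-F]+) Size: (?P<size>\d+)"
)
SSDT_RE = re.compile(
    r'Status: Hooked by "(?P<module>[^"]+)" at address (?P<addr>0x[0-9a-fA-F]+)'
)


def parse_hidden_code(text):
    """Return one dict per hooked IRP_MJ dispatch entry found in the log text."""
    return [
        {"driver": m["driver"], "irp": m["irp"], "process": m["process"],
         "addr": int(m["addr"], 16), "size": int(m["size"])}
        for m in ENTRY_RE.finditer(text)
    ]


def summarize(hooks):
    """Group hooks per driver object and derive the triage signals."""
    per_driver = defaultdict(list)
    for h in hooks:
        per_driver[h["driver"]].append(h)
    summary = {}
    for driver, entries in per_driver.items():
        addrs = sorted({h["addr"] for h in entries})
        summary[driver] = {
            "count": len(entries),
            "irps": sorted(h["irp"] for h in entries),
            "addrs": addrs,
            # Every hooked handler of one driver pointing at a single address is
            # the dispatch-table-hook pattern seen throughout the log above.
            "single_target": len(addrs) == 1,
            # Driver names containing non-ASCII or non-printable bytes are how
            # GMER printed two of the objects above; they deserve a closer look.
            "odd_name": not (driver.isascii() and driver.isprintable()),
        }
    return summary


def ssdt_hook_owners(text):
    """Modules that GMER reports as owning Shadow SSDT hooks."""
    return [m["module"] for m in SSDT_RE.finditer(text)]


def report(text):
    """Human-readable triage lines for a GMER log."""
    lines = []
    summary = summarize(parse_hidden_code(text))
    for driver, s in sorted(summary.items(), key=lambda kv: kv[0]):
        flags = []
        if s["single_target"]:
            flags.append("single hook target")
        if s["odd_name"]:
            flags.append("non-ASCII driver name")
        lines.append("%-24r %2d IRP_MJ hooks -> %s%s" % (
            driver, s["count"],
            ", ".join("0x%08x" % a for a in s["addrs"]),
            (" [" + "; ".join(flags) + "]") if flags else ""))
    for owner in ssdt_hook_owners(text):
        lines.append("Shadow SSDT hook owned by: %s" % owner)
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it against a saved GMER log by replacing SAMPLE_LOG with the file contents. The "single hook target" flag on its own is not proof of anything, since GMER prints a line per IRP_MJ index; the useful signal is the combination of many unrelated storage and network drivers (atapi, Cdrom, usbstor, Ftdisk, NetBT, MRxSmb) all hooked with the same size, plus driver objects whose names are not printable, which is what the posted log shows.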
Old 09-06-2009, 09:46 AM   #4 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,908
OS: WinXP and Vista


Re: In need of a lot of help

You're welcome, Rush102. = )

Nice rootkit onboard here. It will require more than one round to properly clean your system. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

====================================================


Download ComboFix from one of these locations, but rename it to rush.exe before saving it to the desktop.

Link 1
Link 2

* IMPORTANT - Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal.


====================================================


Double click on combofix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 09-06-2009, 10:47 AM   #5 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 8
OS: Windows XP


Re: In need of a lot of help

Okay, here's the report


ComboFix 09-09-05.03 - Peyton the Great 09/06/2009 11:19.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.463 [GMT -5:00]
Running from: c:\documents and settings\Peyton the Great.YOUR-4DACD0EA75\Desktop\rush.exe.exe
AV: Shaw Secure 8.02 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: Shaw Secure 8.02 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Peyton the Great\reader_s.exe
c:\program files\Manson
c:\program files\Mozilla Firefox\extensions\{3EBD3B99-1796-47D1-9CD2-8D3B632DF890}
c:\program files\Mozilla Firefox\extensions\{3EBD3B99-1796-47D1-9CD2-8D3B632DF890}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{3EBD3B99-1796-47D1-9CD2-8D3B632DF890}\chrome\content\overlay.xul
c:\program files\Mozilla Firefox\extensions\{3EBD3B99-1796-47D1-9CD2-8D3B632DF890}\install.rdf
c:\program files\Mozilla Firefox\extensions\{89955447-1B7F-4316-80C7-C7DE81E7379F}
c:\program files\Mozilla Firefox\extensions\{89955447-1B7F-4316-80C7-C7DE81E7379F}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{89955447-1B7F-4316-80C7-C7DE81E7379F}\chrome\content\overlay.xul
c:\program files\Mozilla Firefox\extensions\{89955447-1B7F-4316-80C7-C7DE81E7379F}\install.rdf
c:\recycler\S-1-5-21-91663685-3759453989-866012316-1008
c:\recycler\S-1-5-21-91663685-3759453989-866012316-1009
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Install.txt
c:\windows\Installer\104bc88b.msi
c:\windows\Installer\106baf73.msi
c:\windows\Installer\10da0f6e.msp
c:\windows\Installer\1142c9db.msp
c:\windows\Installer\129678a8.msp
c:\windows\Installer\129678be.msp
c:\windows\Installer\129678d4.msp
c:\windows\Installer\129678e9.msp
c:\windows\Installer\12967902.msp
c:\windows\Installer\135fed8.msi
c:\windows\Installer\13b433ce.msi
c:\windows\Installer\13e1d510.msi
c:\windows\Installer\151df2f9.msi
c:\windows\Installer\154706dd.msi
c:\windows\Installer\159c3fe1.msi
c:\windows\Installer\15a724fd.msi
c:\windows\Installer\15f8e2d8.msi
c:\windows\Installer\15f8e2de.msi
c:\windows\Installer\15f8e2e4.msi
c:\windows\Installer\15f8e2ea.msi
c:\windows\Installer\15f8e2f0.msi
c:\windows\Installer\15f8e2f6.msi
c:\windows\Installer\15f8e2fc.msi
c:\windows\Installer\15f8e303.msi
c:\windows\Installer\15f8e309.msi
c:\windows\Installer\15f8e313.msi
c:\windows\Installer\15f8e31d.msi
c:\windows\Installer\15f8e325.msi
c:\windows\Installer\15f8e32c.msi
c:\windows\Installer\15f8e332.msi
c:\windows\Installer\15f8e339.msi
c:\windows\Installer\15f8e33f.msi
c:\windows\Installer\15f8e345.msi
c:\windows\Installer\15f8e34b.msi
c:\windows\Installer\15f8e351.msi
c:\windows\Installer\15f8e357.msi
c:\windows\Installer\15f8e35d.msi
c:\windows\Installer\15f8e363.msi
c:\windows\Installer\15f8e369.msi
c:\windows\Installer\15f8e36f.msi
c:\windows\Installer\15f8e375.msi
c:\windows\Installer\15f8e37b.msi
c:\windows\Installer\15f8e382.msi
c:\windows\Installer\16f7d8ad.msp
c:\windows\Installer\17aeaa2.msi
c:\windows\Installer\17aeaa8.msi
c:\windows\Installer\17aeaae.msi
c:\windows\Installer\17aeab4.msi
c:\windows\Installer\17aeaba.msi
c:\windows\Installer\182d8980.msp
c:\windows\Installer\182d8996.msp
c:\windows\Installer\182d899f.msp
c:\windows\Installer\182d89b5.msp
c:\windows\Installer\182d89be.msp
c:\windows\Installer\193f69.msi
c:\windows\Installer\1aff0a57.msp
c:\windows\Installer\1b633.msi
c:\windows\Installer\1b639.msi
c:\windows\Installer\1d06855.msi
c:\windows\Installer\1d0686a.msp
c:\windows\Installer\1d06880.msp
c:\windows\Installer\1d06896.msp
c:\windows\Installer\1d997eb4.msi
c:\windows\Installer\1d9980e5.msi
c:\windows\Installer\1d9980ef.msi
c:\windows\Installer\1d9981cd.msi
c:\windows\Installer\1f7d6d.msp
c:\windows\Installer\1f7d75.msi
c:\windows\Installer\202540eb.msp
c:\windows\Installer\20254101.msp
c:\windows\Installer\20254119.msp
c:\windows\Installer\2025412f.msp
c:\windows\Installer\20254145.msp
c:\windows\Installer\2025415c.msp
c:\windows\Installer\20254172.msp
c:\windows\Installer\20254189.msp
c:\windows\Installer\202541b8.msp
c:\windows\Installer\202541b9.msp
c:\windows\Installer\202541d0.msp
c:\windows\Installer\202541e6.msp
c:\windows\Installer\202541fc.msp
c:\windows\Installer\20254212.msp
c:\windows\Installer\21604b20.msp
c:\windows\Installer\2405e0c8.msi
c:\windows\Installer\251895ee.msp
c:\windows\Installer\251895f7.msp
c:\windows\Installer\2518960d.msp
c:\windows\Installer\2560f48.msi
c:\windows\Installer\294e0fd.msi
c:\windows\Installer\2b2e3e.msi
c:\windows\Installer\2b2e41.msi
c:\windows\Installer\2d660030.msi
c:\windows\Installer\2df6e.msi
c:\windows\Installer\2ee38361.msp
c:\windows\Installer\2f6d50.msi
c:\windows\Installer\32e8f.msi
c:\windows\Installer\32e95.msi
c:\windows\Installer\32ee2391.msp
c:\windows\Installer\32ee23ab.msp
c:\windows\Installer\3518642f.msp
c:\windows\Installer\35186445.msp
c:\windows\Installer\356db69.msp
c:\windows\Installer\356db7e.msp
c:\windows\Installer\356db94.msp
c:\windows\Installer\35c7934.msi
c:\windows\Installer\3b944ef5.msp
c:\windows\Installer\3b944f21.msp
c:\windows\Installer\3b944f38.msp
c:\windows\Installer\3b944f4e.msp
c:\windows\Installer\3cb13a30.msi
c:\windows\Installer\42b669ee.msp
c:\windows\Installer\433f371.msi
c:\windows\Installer\452b343.msi
c:\windows\Installer\4a78a7.msi
c:\windows\Installer\4d3cef6a.msp
c:\windows\Installer\4dd5a12.msi
c:\windows\Installer\508066cb.msi
c:\windows\Installer\50a27dcc.msi
c:\windows\Installer\580d8d28.msi
c:\windows\Installer\5891173.msi
c:\windows\Installer\599d2974.msp
c:\windows\Installer\5b53c69c.msp
c:\windows\Installer\5b53c6a5.msp
c:\windows\Installer\5df62e7.msp
c:\windows\Installer\5df62fd.msp
c:\windows\Installer\63cdcccb.msp
c:\windows\Installer\63cdcce0.msp
c:\windows\Installer\63cdccf6.msp
c:\windows\Installer\63cdcd0c.msp
c:\windows\Installer\63cdcd22.msp
c:\windows\Installer\63cdcd2b.msp
c:\windows\Installer\63cdcd35.msp
c:\windows\Installer\63cdcd4b.msp
c:\windows\Installer\660a8.msi
c:\windows\Installer\75c2c.msp
c:\windows\Installer\79523.msp
c:\windows\Installer\898101.msp
c:\windows\Installer\898117.msp
c:\windows\Installer\89812d.msp
c:\windows\Installer\898134.msi
c:\windows\Installer\898149.msp
c:\windows\Installer\89815f.msp
c:\windows\Installer\924d82f.msi
c:\windows\Installer\afa30.msp
c:\windows\Installer\b5720ac9.msp
c:\windows\Installer\b5720adf.msp
c:\windows\Installer\b5720af7.msp
c:\windows\Installer\b5720b0d.msp
c:\windows\Installer\b812fec.msp
c:\windows\Installer\b812ff4.msi
c:\windows\Installer\b813009.msp
c:\windows\Installer\b81301f.msp
c:\windows\Installer\b813027.msp
c:\windows\Installer\b81303d.msp
c:\windows\Installer\b813053.msp
c:\windows\Installer\b81305c.msp
c:\windows\Installer\c7a2a.msi
c:\windows\Installer\d066b9.msp
c:\windows\Installer\d066d0.msp
c:\windows\kb913800.exe
c:\windows\run.log
c:\windows\system32\drivers\hjgruigldsqvud.sys
c:\windows\system32\drivers\UACamlxqaawwckfbty.sys
c:\windows\system32\FInstall.sys
c:\windows\system32\hjgruibsqmajfg.dll
c:\windows\system32\hjgruibsqmajfg.dll.uss_dis
c:\windows\system32\hjgruicdcvomwv.dat
c:\windows\system32\hjgruilog.dat
c:\windows\system32\hjgruiufkubyut.dll
c:\windows\system32\hjgruivmjssiqq.dat
c:\windows\system32\Install.txt
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lowsec\user.ds.lll
c:\windows\system32\msxm192z.dll
c:\windows\system32\ps2.bat
c:\windows\system32\sdra64.exe
c:\windows\system32\UACalkwbgxdowsxqlr.dll
c:\windows\system32\UACfdxfxitgcbcrwmk.dat
c:\windows\system32\UACfkvrchddhvxibsr.db
c:\windows\system32\uacinit.dll
c:\windows\system32\UACksgxqyahyqeypaf.dll
c:\windows\system32\UACooqlpbegnmotfpm.dll
c:\windows\system32\UACteptnqvrjnsfooqbp.log
c:\windows\system32\UACtmhdexcvckagyao.dll
c:\windows\system32\uactmp.db
c:\windows\system32\UACxwaxbvckeapslcp.dll
c:\windows\system32\wiawow32.sys
c:\windows\system32\wiwow64.exe
c:\windows\TEMP\mta79187.dll
D:\Autorun.inf
c:\recycler\S-1-5-21-91663685-3759453989-866012316-1010 . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruivtepuaob
-------\Legacy_hjgruivtepuaob
-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Legacy_MSNCACHE
-------\Legacy_SOPIDKC


((((((((((((((((((((((((( Files Created from 2009-08-06 to 2009-09-06 )))))))))))))))))))))))))))))))
.

2009-09-04 04:33 . 2009-09-04 04:33 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2009-08-31 23:05 . 2009-08-31 23:05 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Adobe
2009-08-22 07:05 . 2009-08-22 07:05 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Identities
2009-08-21 10:00 . 2008-10-16 19:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-08-21 10:00 . 2008-10-16 19:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-08-20 21:03 . 2009-08-20 21:03 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-18 06:22 . 2009-08-18 08:08 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\AskToolbar
2009-08-17 08:40 . 2009-08-17 08:40 -------- d-s---w- c:\documents and settings\LocalService\UserData
2009-08-17 03:09 . 2009-08-26 19:32 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\AskToolbar
2009-08-14 08:04 . 2009-08-14 08:04 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-14 08:04 . 2009-08-14 08:04 -------- d-----w- c:\program files\MSBuild
2009-08-14 08:04 . 2009-08-14 08:04 -------- d-----w- c:\program files\Reference Assemblies
2009-08-14 08:03 . 2009-08-14 08:03 -------- d-----w- C:\85d681ed01ec36a7c1715561b6ec
2009-08-14 08:03 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-14 08:03 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-14 08:03 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-14 08:03 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-14 08:03 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-14 08:03 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-14 08:03 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-14 08:01 . 2009-08-14 08:01 -------- d-----w- c:\program files\MSXML 6.0
2009-08-13 18:04 . 2009-08-13 18:04 -------- d-----w- c:\documents and settings\Peyton the Great.YOUR-4DACD0EA75\Local Settings\Application Data\Identities

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-06 07:57 . 2008-11-05 04:23 -------- d-----w- c:\program files\Shaw Secure
2009-09-04 17:45 . 2008-07-04 03:54 -------- d-----w- c:\program files\BitTorrent
2009-09-04 04:33 . 2009-05-08 21:01 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-24 22:39 . 2008-06-18 16:43 -------- d-----w- c:\program files\QuickTime
2009-08-22 08:01 . 2009-06-18 22:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-14 17:33 . 2009-04-20 08:37 125080 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-14 17:23 . 2005-11-12 16:12 125080 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:11 . 2004-08-10 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 18:55 . 2004-08-10 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-10 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 22:32 . 2009-07-09 22:32 -------- d-----w- c:\documents and settings\Peyton the Great.YOUR-4DACD0EA75\Application Data\My Battle for Middle-earth Files
2009-07-08 22:25 . 2009-05-01 21:13 -------- d-----w- c:\documents and settings\Peyton the Great.YOUR-4DACD0EA75\Application Data\Apple Computer
2009-07-08 08:55 . 2009-05-07 21:49 33920 ----a-w- c:\windows\system32\drivers\fsbts.sys
2009-07-04 14:44 . 2009-07-04 14:44 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-06-26 16:18 . 2004-08-10 12:00 659456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-08-10 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 18:36 . 2004-08-10 12:00 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2004-08-10 12:00 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2004-08-10 12:00 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2004-08-10 12:00 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2004-08-10 12:00 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2004-08-10 12:00 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2004-08-10 12:00 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2004-08-10 12:00 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2004-08-10 12:00 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2004-08-10 12:00 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2004-08-10 12:00 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 18:36 . 2004-08-10 12:00 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-25 08:44 . 2004-08-10 12:00 724480 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:44 . 2004-08-10 12:00 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:44 . 2004-08-10 12:00 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:44 . 2004-08-10 12:00 298496 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:44 . 2004-08-10 12:00 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:44 . 2004-08-10 12:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-23 16:14 . 2009-06-23 16:13 34 ----a-w- c:\documents and settings\Peyton the Great.YOUR-4DACD0EA75\jagex_runescape_preferences.dat
2009-06-22 11:49 . 2004-08-10 12:00 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2004-08-10 12:00 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2004-08-10 12:00 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2004-08-10 12:00 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-22 11:34 . 2004-08-10 19:00 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:55 . 2004-08-10 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2004-08-10 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 11:50 . 2004-08-10 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 11:50 . 2004-08-10 19:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2004-08-10 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2004-08-10 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2007-02-18 09:30 . 2007-02-18 09:30 251 ----a-w- c:\program files\wt3d.ini
2006-11-05 18:16 . 2007-02-18 06:56 32 --sha-w- c:\windows\SMINST\HPCD.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2009-04-09 228808]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-03 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"DISCover"="c:\program files\DISC\DISCover.exe" [2005-09-27 1060864]
"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-09-27 61440]
"SetDefaultPrinter"="c:\hp\bin\cloaker.exe" [1999-11-07 27136]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"F-Secure Manager"="c:\program files\Shaw Secure\Common\FSM32.EXE" [2009-02-19 182936]
"F-Secure TNB"="c:\program files\Shaw Secure\FSGUI\TNBUtil.exe" [2009-02-19 957024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-12 27136]

c:\documents and settings\MCX1\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-12 27136]

c:\documents and settings\MCX2\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-12 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [5/7/2009 4:49 PM 33920]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [5/7/2009 4:48 PM 79872]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\Shaw Secure\HIPS\drivers\fshs.sys [11/6/2008 1:38 PM 67808]
R1 ISODisk;ISODisk;c:\windows\system32\drivers\ISODisk.sys [7/2/2009 10:40 PM 9600]
R2 EvdoServer;EvdoServer;c:\windows\system32\svchost.exe -k netsvcs [8/10/2004 7:00 AM 14336]
R2 sofatnet;sofatnet Service;c:\windows\system32\sofatnet.exe [8/10/2004 7:00 AM 94208]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\Shaw Secure\Anti-Virus\minifilter\fsgk.sys [11/4/2008 11:23 PM 100472]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\Shaw Secure\ORSP Client\fsorsp.exe [11/6/2008 1:38 PM 55904]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\Shaw Secure\Anti-Virus\win2k\fsfilter.sys [11/4/2008 11:23 PM 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\Shaw Secure\Anti-Virus\win2k\fsrec.sys [11/4/2008 11:23 PM 25184]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - EVDOSERVER
.
Contents of the 'Scheduled Tasks' folder

2009-09-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-MSxmlHpr - c:\windows\system32\msxm192z.dll
HKLM-Run-PCDrProfiler - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=14982&l=dis
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
LSP: c:\program files\Shaw Secure\FSPS\program\FSLSP.DLL
Trusted Zone: trymedia.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-06 11:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\wiawow32.sys 40960 bytes executable
c:\windows\system32\wiwow64.exe 160256 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(600)
c:\windows\system32\Ati2evxx.dll
c:\program files\Shaw Secure\FWES\Program\fsdc32.dll

- - - - - - - > 'lsass.exe'(660)
c:\program files\Shaw Secure\FSPS\program\FSLSP.DLL
c:\program files\Shaw Secure\FWES\Program\fsdc32.dll

- - - - - - - > 'explorer.exe'(2192)
c:\program files\Shaw Secure\Spam Control\fsscoepl.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll

- - - - - - - > 'csrss.exe'(572)
c:\program files\Shaw Secure\FWES\Program\fsdc32.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Shaw Secure\Anti-Virus\fsgk32st.exe
c:\program files\Shaw Secure\Common\FSMA32.EXE
c:\program files\Shaw Secure\Anti-Virus\fsgk32.exe
c:\program files\Shaw Secure\Common\FSMB32.EXE
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\ehome\mcrdsvc.exe
c:\program files\Shaw Secure\Common\FCH32.EXE
c:\program files\Shaw Secure\Common\FAMEH32.EXE
c:\program files\Shaw Secure\Anti-Virus\fsqh.exe
c:\program files\Shaw Secure\FSPC\fspc.exe
c:\windows\system32\dllhost.exe
c:\program files\Shaw Secure\FSAUA\program\fsaua.exe
c:\program files\Shaw Secure\Anti-Virus\fssm32.exe
c:\program files\Shaw Secure\FWES\program\fsdfwd.exe
c:\program files\Shaw Secure\FSAUA\program\fsus.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\SHAWSE~1\Common\FSM32.EXE
c:\windows\ehome\ehmsas.exe
c:\program files\DISC\DiscGui.exe
c:\progra~1\SHAWSE~1\FSGUI\fsguidll.exe
c:\program files\HP\Digital Imaging\bin\hpqtra08.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\DISC\DiscStreamHub.exe
c:\windows\TEMP\tmp0_538520266420.bk.old
c:\progra~1\SHAWSE~1\ANTI-V~1\fsav32.exe
c:\hp\KBD\kbd.exe
c:\windows\system32\wiawow32.sys
.
**************************************************************************
.
Completion time: 2009-09-06 11:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-06 16:43

Pre-Run: 12,500,688,896 bytes free
Post-Run: 16,846,155,776 bytes free

466 --- E O F --- 2009-08-27 08:00
Old 09-06-2009, 11:37 AM   #6 (permalink)
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)
Join Date: Jan 2005
Location: Ohio
Posts: 26,908
OS: WinXP and Vista

Re: In need of a lot of help

Hi Rush102,

Read through this entire procedure and, if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference, as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

Open Notepad and copy/paste the text in the code box below into it:

Quote:


File::
c:\windows\system32\sofatnet.exe

Driver::
EvdoServer
sofatnet

Collect::
c:\windows\system32\wiawow32.sys
c:\windows\system32\wiwow64.exe



Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

***************************************************





Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
---------------------------------------------------------------------

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
Kaspersky results
Update on system behavior
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 09-07-2009, 02:57 PM   #7 (permalink)
Rush102 (Registered User)
Join Date: Jul 2009
Posts: 8
OS: Windows XP

Re: In need of a lot of help

Here are the logs

Combofix:

ComboFix 09-09-05.03 - Peyton the Great 09/07/2009 10:25.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.493 [GMT -5:00]
Running from: c:\documents and settings\Peyton the Great.YOUR-4DACD0EA75\Desktop\rush.exe.exe
Command switches used :: c:\documents and settings\Peyton the Great.YOUR-4DACD0EA75\Desktop\CFScript.txt
AV: Shaw Secure 8.02 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: Shaw Secure 8.02 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}

FILE ::
"c:\windows\system32\sofatnet.exe"

file zipped: c:\windows\system32\wiawow32.sys
file zipped: c:\windows\system32\wiwow64.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\FInstall.sys
c:\windows\system32\Install.txt
c:\windows\system32\sofatnet.exe
c:\windows\system32\wiawow32.sys
c:\windows\system32\wiwow64.exe
c:\windows\TEMP\mta27654.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EVDOSERVER
-------\Legacy_SOFATNET
-------\Service_EvdoServer
-------\Service_sofatnet


((((((((((((((((((((((((( Files Created from 2009-08-07 to 2009-09-07 )))))))))))))))))))))))))))))))
.

2009-09-04 04:33 . 2009-09-04 04:33 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2009-08-31 23:05 . 2009-08-31 23:05 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Adobe
2009-08-22 07:05 . 2009-08-22 07:05 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Identities
2009-08-21 10:00 . 2008-10-16 19:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-08-21 10:00 . 2008-10-16 19:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-08-20 21:03 . 2009-08-20 21:03 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-18 06:22 . 2009-08-18 08:08 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\AskToolbar
2009-08-17 08:40 . 2009-08-17 08:40 -------- d-s---w- c:\documents and settings\LocalService\UserData
2009-08-17 03:09 . 2009-08-26 19:32 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\AskToolbar
2009-08-14 08:04 . 2009-08-14 08:04 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-14 08:04 . 2009-08-14 08:04 -------- d-----w- c:\program files\MSBuild
2009-08-14 08:04 . 2009-08-14 08:04 -------- d-----w- c:\program files\Reference Assemblies
2009-08-14 08:03 . 2009-08-14 08:03 -------- d-----w- C:\85d681ed01ec36a7c1715561b6ec
2009-08-14 08:03 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-14 08:03 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-14 08:03 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-14 08:03 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-14 08:03 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-14 08:03 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-14 08:03 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-14 08:01 . 2009-08-14 08:01 -------- d-----w- c:\program files\MSXML 6.0
2009-08-13 18:04 . 2009-08-13 18:04 -------- d-----w- c:\documents and settings\Peyton the Great.YOUR-4DACD0EA75\Local Settings\Application Data\Identities

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-07 12:43 . 2008-11-05 04:23 -------- d-----w- c:\program files\Shaw Secure
2009-09-04 17:45 . 2008-07-04 03:54 -------- d-----w- c:\program files\BitTorrent
2009-09-04 04:33 . 2009-05-08 21:01 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-24 22:39 . 2008-06-18 16:43 -------- d-----w- c:\program files\QuickTime
2009-08-22 08:01 . 2009-06-18 22:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-14 17:33 . 2009-04-20 08:37 125080 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-14 17:23 . 2005-11-12 16:12 125080 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:11 . 2004-08-10 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 18:55 . 2004-08-10 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-10 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 22:32 . 2009-07-09 22:32 -------- d-----w- c:\documents and settings\Peyton the Great.YOUR-4DACD0EA75\Application Data\My Battle for Middle-earth Files
2009-07-08 08:55 . 2009-05-07 21:49 33920 ----a-w- c:\windows\system32\drivers\fsbts.sys
2009-07-04 14:44 . 2009-07-04 14:44 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-06-26 16:18 . 2004-08-10 12:00 659456 ------w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-08-10 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 18:36 . 2004-08-10 12:00 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2004-08-10 12:00 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2004-08-10 12:00 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2004-08-10 12:00 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2004-08-10 12:00 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2004-08-10 12:00 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2004-08-10 12:00 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2004-08-10 12:00 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2004-08-10 12:00 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2004-08-10 12:00 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2004-08-10 12:00 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 18:36 . 2004-08-10 12:00 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-25 08:44 . 2004-08-10 12:00 724480 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:44 . 2004-08-10 12:00 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:44 . 2004-08-10 12:00 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:44 . 2004-08-10 12:00 298496 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:44 . 2004-08-10 12:00 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:44 . 2004-08-10 12:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-23 16:14 . 2009-06-23 16:13 34 ----a-w- c:\documents and settings\Peyton the Great.YOUR-4DACD0EA75\jagex_runescape_preferences.dat
2009-06-22 11:49 . 2004-08-10 12:00 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2004-08-10 12:00 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2004-08-10 12:00 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2004-08-10 12:00 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-22 11:34 . 2004-08-10 19:00 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:55 . 2004-08-10 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2004-08-10 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 11:50 . 2004-08-10 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 11:50 . 2004-08-10 19:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2004-08-10 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2004-08-10 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2007-02-18 09:30 . 2007-02-18 09:30 251 ----a-w- c:\program files\wt3d.ini
2006-11-05 18:16 . 2007-02-18 06:56 32 --sha-w- c:\windows\SMINST\HPCD.SYS
.

((((((((((((((((((((((((((((( SnapShot@2009-09-06_16.37.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-06 16:38 . 2009-09-06 16:38 16384 c:\windows\temp\Perflib_Perfdata_df0.dat
+ 2009-09-07 15:39 . 2009-09-07 15:39 16384 c:\windows\temp\Perflib_Perfdata_618.dat
+ 2004-08-10 12:00 . 2004-08-10 12:00 159232 c:\windows\system32\dvdpaly.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2009-04-09 228808]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-03 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"DISCover"="c:\program files\DISC\DISCover.exe" [2005-09-27 1060864]
"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-09-27 61440]
"SetDefaultPrinter"="c:\hp\bin\cloaker.exe" [1999-11-07 27136]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"F-Secure Manager"="c:\program files\Shaw Secure\Common\FSM32.EXE" [2009-02-19 182936]
"F-Secure TNB"="c:\program files\Shaw Secure\FSGUI\TNBUtil.exe" [2009-02-19 957024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-12 27136]

c:\documents and settings\MCX1\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-12 27136]

c:\documents and settings\MCX2\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-12 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [5/7/2009 4:49 PM 33920]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [5/7/2009 4:48 PM 79872]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\Shaw Secure\HIPS\drivers\fshs.sys [11/6/2008 1:38 PM 67808]
R1 ISODisk;ISODisk;c:\windows\system32\drivers\ISODisk.sys [7/2/2009 10:40 PM 9600]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\Shaw Secure\Anti-Virus\minifilter\fsgk.sys [11/4/2008 11:23 PM 100472]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\Shaw Secure\ORSP Client\fsorsp.exe [11/6/2008 1:38 PM 55904]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\Shaw Secure\Anti-Virus\win2k\fsfilter.sys [11/4/2008 11:23 PM 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\Shaw Secure\Anti-Virus\win2k\fsrec.sys [11/4/2008 11:23 PM 25184]
.
Contents of the 'Scheduled Tasks' folder

2009-09-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?o=14982&l=dis
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
LSP: c:\program files\Shaw Secure\FSPS\program\FSLSP.DLL
Trusted Zone: trymedia.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-07 10:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(600)
c:\windows\system32\Ati2evxx.dll
c:\program files\Shaw Secure\FWES\Program\fsdc32.dll

- - - - - - - > 'lsass.exe'(660)
c:\program files\Shaw Secure\FSPS\program\FSLSP.DLL
c:\program files\Shaw Secure\FWES\Program\fsdc32.dll

- - - - - - - > 'explorer.exe'(1160)
c:\program files\Shaw Secure\Spam Control\fsscoepl.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll

- - - - - - - > 'csrss.exe'(572)
c:\program files\Shaw Secure\FWES\Program\fsdc32.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Shaw Secure\Anti-Virus\fsgk32st.exe
c:\program files\Shaw Secure\Common\FSMA32.EXE
c:\program files\Shaw Secure\Anti-Virus\fsgk32.exe
c:\program files\Shaw Secure\Common\FSMB32.EXE
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\ehome\mcrdsvc.exe
c:\program files\Shaw Secure\Common\FCH32.EXE
c:\program files\Shaw Secure\Common\FAMEH32.EXE
c:\program files\Shaw Secure\Anti-Virus\fsqh.exe
c:\program files\Shaw Secure\FSPC\fspc.exe
c:\windows\system32\dllhost.exe
c:\program files\Shaw Secure\FSAUA\program\fsaua.exe
c:\program files\Shaw Secure\Anti-Virus\fssm32.exe
c:\program files\Shaw Secure\FWES\program\fsdfwd.exe
c:\program files\Shaw Secure\FSAUA\program\fsus.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\SHAWSE~1\Common\FSM32.EXE
c:\windows\ehome\ehmsas.exe
c:\program files\DISC\DiscGui.exe
c:\progra~1\SHAWSE~1\FSGUI\fsguidll.exe
c:\program files\HP\Digital Imaging\bin\hpqtra08.exe
c:\progra~1\SHAWSE~1\ANTI-V~1\fsav32.exe
c:\program files\DISC\DiscStreamHub.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-07 10:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-07 15:42
ComboFix2.txt 2009-09-06 16:43

Pre-Run: 16,835,543,040 bytes free
Post-Run: 16,815,620,096 bytes free

260 --- E O F --- 2009-08-27 08:00

Kaspersky

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, September 7, 2009
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, September 07, 2009 17:49:14
Records in database: 2756838
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
I:\
J:\
K:\
L:\
M:\
N:\

Scan statistics:
Objects scanned: 200936
Threats found: 8
Infected objects found: 14
Suspicious objects found: 0
Scan duration: 04:49:54


File name / Threat / Threats count
C:\Documents and Settings\Peyton the Great\Local Settings\Temp\3138037217.0xe Infected: Trojan-Downloader.Win32.Suurch.vz 1
C:\Documents and Settings\Peyton the Great\Local Settings\Temp\3148349717.0xe Infected: Trojan-Downloader.Win32.Suurch.vz 1
C:\Qoobox\Quarantine\C\Documents and Settings\Peyton the Great\reader_s.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.vmrj 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\hjgruigldsqvud.sys.vir Infected: Trojan.Win32.TDSS.ameu 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruibsqmajfg.dll.uss_dis.vir Infected: Trojan.Win32.Agent.crez 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruibsqmajfg.dll.vir Infected: Packed.Win32.TDSS.z 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruiufkubyut.dll.vir Infected: Packed.Win32.TDSS.z 1
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP101\A0013372.sys Infected: Trojan.Win32.TDSS.ameu 1
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP101\A0013373.dll Infected: Packed.Win32.TDSS.z 1
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP101\A0013374.dll Infected: Packed.Win32.TDSS.z 1
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP101\A0013410.exe Infected: Trojan-Downloader.Win32.FraudLoad.vmrj 1
C:\WINDOWS\system32\msxm192z.dll.387921 Infected: Trojan-GameThief.Win32.OnLineGames.bmoi 1
C:\WINDOWS\system32\sofatnet.exex Infected: Trojan.Win32.Koblu.axk 1
C:\WINDOWS\system32\tmp474.$ Infected: Trojan-Downloader.Win32.DlfBfkg.abz 1

Selected area has been scanned.





So far the computer's working fine; it's been running pretty smoothly, but it's hard to tell so soon.
Old 09-07-2009, 05:22 PM   #8 (permalink)
Rush102 (Registered User)
Join Date: Jul 2009
Posts: 8
OS: Windows XP

Re: In need of a lot of help

My Shaw Secure just detected a TrojanWin32 and it could not be disinfected. This is good because my Shaw Secure hadn't been detecting anything before, but bad because it's still there.
Old 09-07-2009, 07:02 PM   #9 (permalink)
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)
Join Date: Jan 2005
Location: Ohio
Posts: 26,908
OS: WinXP and Vista

Re: In need of a lot of help

Hello Rush102,

Where is it finding TrojanWin32?

Open Notepad and copy/paste the text in the code box below into it:

Quote:


File::
C:\Documents and Settings\Peyton the Great\Local Settings\Temp\3138037217.0xe
C:\Documents and Settings\Peyton the Great\Local Settings\Temp\3148349717.0xe
C:\WINDOWS\system32\msxm192z.dll.387921
C:\WINDOWS\system32\sofatnet.exex
C:\WINDOWS\system32\tmp474.$

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

***************************************************





Referring to the picture above, drag CFScript into ComboFix.exe

When finished, please post the C:\ComboFix.txt
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
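Editor's added example (not code from this thread, from ComboFix or from Kaspersky): the Kaspersky report in post #7 lists 14 infected objects, yet the CFScript in post #9 names only five of them. The other nine sit under C:\Qoobox\Quarantine (already moved there and renamed .vir by ComboFix) or inside System Restore points, and neither location is running code. The script below parses the report's "File name / Threat / Threats count" lines, sorts hits by where they live, and renders a CFScript in the File::/Driver::/Collect:: layout used in posts #6 and #9. The location rules are an assumed heuristic, the sample report is constructed from the report lines posted above, and nothing here invokes ComboFix itself.

```python
"""Triage a Kaspersky Online Scanner 7.0 report and render a ComboFix CFScript.

Added example, not part of the forum thread. Location rules are an assumption.
"""
import re

# Constructed sample in the report's "File name / Threat / Threats count" shape,
# built from the paths and detection names in the report posted above.
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\Documents and Settings\Peyton the Great\Local Settings\Temp\3138037217.0xe Infected: Trojan-Downloader.Win32.Suurch.vz 1
C:\Documents and Settings\Peyton the Great\Local Settings\Temp\3148349717.0xe Infected: Trojan-Downloader.Win32.Suurch.vz 1
C:\Qoobox\Quarantine\C\Documents and Settings\Peyton the Great\reader_s.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.vmrj 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\hjgruigldsqvud.sys.vir Infected: Trojan.Win32.TDSS.ameu 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruibsqmajfg.dll.uss_dis.vir Infected: Trojan.Win32.Agent.crez 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruibsqmajfg.dll.vir Infected: Packed.Win32.TDSS.z 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruiufkubyut.dll.vir Infected: Packed.Win32.TDSS.z 1
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP101\A0013372.sys Infected: Trojan.Win32.TDSS.ameu 1
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP101\A0013373.dll Infected: Packed.Win32.TDSS.z 1
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP101\A0013374.dll Infected: Packed.Win32.TDSS.z 1
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP101\A0013410.exe Infected: Trojan-Downloader.Win32.FraudLoad.vmrj 1
C:\WINDOWS\system32\msxm192z.dll.387921 Infected: Trojan-GameThief.Win32.OnLineGames.bmoi 1
C:\WINDOWS\system32\sofatnet.exex Infected: Trojan.Win32.Koblu.axk 1
C:\WINDOWS\system32\tmp474.$ Infected: Trojan-Downloader.Win32.DlfBfkg.abz 1

Selected area has been scanned.
"""

# One detection line: <path with spaces> Infected: <detection name> <count>
HIT_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)$")


def parse_report(text):
    """Return (path, threat, count) for every detection line in the report."""
    hits = []
    for raw in text.splitlines():
        m = HIT_RE.match(raw.strip())
        if m:
            hits.append((m.group("path"), m.group("threat"), int(m.group("count"))))
    return hits


def classify(path):
    """Assumed rule: where the file sits decides whether it is still a live threat."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantined"      # ComboFix already moved and renamed it; inert
    if "\\system volume information\\_restore" in p:
        return "restore_point"    # copy held by System Restore; not executable in place
    return "live"


def triage(text):
    """Bucket hits into live / quarantined / restore_point, preserving report order."""
    buckets = {"live": [], "quarantined": [], "restore_point": []}
    for path, threat, _ in parse_report(text):
        buckets[classify(path)].append((path, threat))
    return buckets


def distinct_threats(text):
    """Sorted list of distinct detection names (Kaspersky's 'Threats found')."""
    return sorted({threat for _, threat, _ in parse_report(text)})


def build_cfscript(files=(), drivers=(), collect=()):
    """Render the CFScript layout from the thread: a directive line, then one item per line."""
    out = []
    for header, items in (("File::", files), ("Driver::", drivers), ("Collect::", collect)):
        if items:
            out.append(header)
            out.extend(items)
            out.append("")          # blank line between directive blocks
    return "\n".join(out)


def cfscript_from_report(text):
    """Only live hits go under File::; quarantine and restore-point copies are left alone."""
    live = [path for path, _ in triage(text)["live"]]
    return build_cfscript(files=live)


if __name__ == "__main__":
    buckets = triage(SAMPLE_REPORT)
    for name in ("live", "quarantined", "restore_point"):
        print(f"{name}: {len(buckets[name])}")
        for path, threat in buckets[name]:
            print(f"  {threat:45} {path}")
    print("distinct threats:", len(distinct_threats(SAMPLE_REPORT)))
    print(cfscript_from_report(SAMPLE_REPORT))
```

Running it against the sample yields 5 live, 5 quarantined and 4 restore-point hits, 8 distinct detection names (matching the report's "Threats found: 8"), and a File:: block identical to the one in post #9. The quarantine and restore-point copies are inert and are deliberately not scripted; deleting files under System Volume Information by hand is not the fix for them.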
Old 09-07-2009, 08:07 PM   #10 (permalink)
Rush102 (Registered User)
Join Date: Jul 2009
Posts: 8
OS: Windows XP

Re: In need of a lot of help

I quarantined the file Trojan.Win32.TDSS.ameu and it was located in C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP101\A0013372.0ys

Here's the combofix log

ComboFix 09-09-05.03 - Peyton the Great 09/07/2009 20:48.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.626 [GMT -5:00]
Running from: c:\documents and settings\Peyton the Great.YOUR-4DACD0EA75\Desktop\rush.exe.exe
Command switches used :: c:\documents and settings\Peyton the Great.YOUR-4DACD0EA75\Desktop\CFScript.txt
AV: Shaw Secure 8.02 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: Shaw Secure 8.02 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}

FILE ::
"c:\documents and settings\Peyton the Great\Local Settings\Temp\3138037217.0xe"
"c:\documents and settings\Peyton the Great\Local Settings\Temp\3148349717.0xe"
"c:\windows\system32\msxm192z.dll.387921"
"c:\windows\system32\sofatnet.exex"
"c:\windows\system32\tmp474.$"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Peyton the Great\Local Settings\Temp\3138037217.0xe
c:\documents and settings\Peyton the Great\Local Settings\Temp\3148349717.0xe
c:\windows\system32\msxm192z.dll.387921
c:\windows\system32\sofatnet.exex
c:\windows\system32\tmp474.$

.
((((((((((((((((((((((((( Files Created from 2009-08-08 to 2009-09-08 )))))))))))))))))))))))))))))))
.

2009-09-04 04:33 . 2009-09-04 04:33 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2009-08-31 23:05 . 2009-08-31 23:05 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Adobe
2009-08-22 07:05 . 2009-08-22 07:05 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Identities
2009-08-21 10:00 . 2008-10-16 19:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-08-21 10:00 . 2008-10-16 19:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-08-20 21:03 . 2009-08-20 21:03 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-18 06:22 . 2009-08-18 08:08 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\AskToolbar
2009-08-17 08:40 . 2009-08-17 08:40 -------- d-s---w- c:\documents and settings\LocalService\UserData
2009-08-17 03:09 . 2009-08-26 19:32 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\AskToolbar
2009-08-14 08:04 . 2009-08-14 08:04 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-14 08:04 . 2009-08-14 08:04 -------- d-----w- c:\program files\MSBuild
2009-08-14 08:04 . 2009-08-14 08:04 -------- d-----w- c:\program files\Reference Assemblies
2009-08-14 08:03 . 2009-08-14 08:03 -------- d-----w- C:\85d681ed01ec36a7c1715561b6ec
2009-08-14 08:03 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-14 08:03 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-14 08:03 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-14 08:03 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-14 08:03 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-14 08:03 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-14 08:03 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-14 08:01 . 2009-08-14 08:01 -------- d-----w- c:\program files\MSXML 6.0
2009-08-13 18:04 . 2009-08-13 18:04 -------- d-----w- c:\documents and settings\Peyton the Great.YOUR-4DACD0EA75\Local Settings\Application Data\Identities

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-07 18:44 . 2008-11-05 04:23 -------- d-----w- c:\program files\Shaw Secure
2009-09-04 17:45 . 2008-07-04 03:54 -------- d-----w- c:\program files\BitTorrent
2009-09-04 04:33 . 2009-05-08 21:01 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-24 22:39 . 2008-06-18 16:43 -------- d-----w- c:\program files\QuickTime
2009-08-22 08:01 . 2009-06-18 22:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-14 17:33 . 2009-04-20 08:37 125080 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-14 17:23 . 2005-11-12 16:12 125080 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:11 . 2004-08-10 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 18:55 . 2004-08-10 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-10 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-08 08:55 . 2009-05-07 21:49 33920 ----a-w- c:\windows\system32\drivers\fsbts.sys
2009-07-04 14:44 . 2009-07-04 14:44 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-06-26 16:18 . 2004-08-10 12:00 659456 ------w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-08-10 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 18:36 . 2004-08-10 12:00 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2004-08-10 12:00 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2004-08-10 12:00 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2004-08-10 12:00 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2004-08-10 12:00 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2004-08-10 12:00 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2004-08-10 12:00 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2004-08-10 12:00 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2004-08-10 12:00 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2004-08-10 12:00 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2004-08-10 12:00 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 18:36 . 2004-08-10 12:00 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-25 08:44 . 2004-08-10 12:00 724480 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:44 . 2004-08-10 12:00 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:44 . 2004-08-10 12:00 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:44 . 2004-08-10 12:00 298496 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:44 . 2004-08-10 12:00 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:44 . 2004-08-10 12:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-23 16:14 . 2009-06-23 16:13 34 ----a-w- c:\documents and settings\Peyton the Great.YOUR-4DACD0EA75\jagex_runescape_preferences.dat
2009-06-22 11:49 . 2004-08-10 12:00 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2004-08-10 12:00 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2004-08-10 12:00 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2004-08-10 12:00 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-22 11:34 . 2004-08-10 19:00 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:55 . 2004-08-10 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2004-08-10 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 11:50 . 2004-08-10 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 11:50 . 2004-08-10 19:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2004-08-10 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2004-08-10 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2007-02-18 09:30 . 2007-02-18 09:30 251 ----a-w- c:\program files\wt3d.ini
2006-11-05 18:16 . 2007-02-18 06:56 32 --sha-w- c:\windows\SMINST\HPCD.SYS
.

((((((((((((((((((((((((((((( SnapShot@2009-09-06_16.37.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-07 15:39 . 2009-09-07 15:39 16384 c:\windows\temp\Perflib_Perfdata_618.dat
+ 2004-08-10 12:00 . 2004-08-10 12:00 159232 c:\windows\system32\dvdpaly.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2009-04-09 228808]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-03 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"DISCover"="c:\program files\DISC\DISCover.exe" [2005-09-27 1060864]
"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-09-27 61440]
"SetDefaultPrinter"="c:\hp\bin\cloaker.exe" [1999-11-07 27136]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"F-Secure Manager"="c:\program files\Shaw Secure\Common\FSM32.EXE" [2009-02-19 182936]
"F-Secure TNB"="c:\program files\Shaw Secure\FSGUI\TNBUtil.exe" [2009-02-19 957024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-12 27136]

c:\documents and settings\MCX1\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-12 27136]

c:\documents and settings\MCX2\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-12 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [5/7/2009 4:49 PM 33920]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [5/7/2009 4:48 PM 79872]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\Shaw Secure\HIPS\drivers\fshs.sys [11/6/2008 1:38 PM 67808]
R1 ISODisk;ISODisk;c:\windows\system32\drivers\ISODisk.sys [7/2/2009 10:40 PM 9600]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\Shaw Secure\Anti-Virus\minifilter\fsgk.sys [11/4/2008 11:23 PM 100984]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\Shaw Secure\ORSP Client\fsorsp.exe [11/6/2008 1:38 PM 55904]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\Shaw Secure\Anti-Virus\win2k\fsfilter.sys [11/4/2008 11:23 PM 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\Shaw Secure\Anti-Virus\win2k\fsrec.sys [11/4/2008 11:23 PM 25184]
.
Contents of the 'Scheduled Tasks' folder

2009-09-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?o=14982&l=dis
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
LSP: c:\program files\Shaw Secure\FSPS\program\FSLSP.DLL
Trusted Zone: trymedia.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-07 20:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(600)
c:\windows\system32\Ati2evxx.dll
c:\program files\Shaw Secure\FWES\Program\fsdc32.dll

- - - - - - - > 'lsass.exe'(660)
c:\program files\Shaw Secure\FSPS\program\FSLSP.DLL
c:\program files\Shaw Secure\FWES\Program\fsdc32.dll

- - - - - - - > 'csrss.exe'(572)
c:\program files\Shaw Secure\FWES\Program\fsdc32.dll
.
Completion time: 2009-09-08 20:59
ComboFix-quarantined-files.txt 2009-09-08 01:59
ComboFix2.txt 2009-09-07 15:42
ComboFix3.txt 2009-09-06 16:43

Pre-Run: 16,724,279,296 bytes free
Post-Run: 16,768,438,272 bytes free

209 --- E O F --- 2009-08-27 08:00
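As an added example (not part of this thread, and not ComboFix's own code), here is a small Python triage helper for logs in the format posted above: it pulls every path out of the FILE ::, Other Deletions and Files Created sections and flags the kinds of entries acted on in this thread (.0xe/.exex/.0ys look-alike extensions, a renamed .dll.NNNNNN, executables dropped in a user's Temp folder, copies sitting in System Volume Information), and it reads the two Reg Loading Points lines that weaken protection. The sample log is a constructed excerpt modelled on the one above; the pattern list and reason strings are my own assumptions.

```python
import re

# Constructed excerpt modelled on the ComboFix log posted above (not the real file).
SAMPLE_LOG = r"""
FILE ::
"c:\documents and settings\Peyton the Great\Local Settings\Temp\3138037217.0xe"
"c:\windows\system32\msxm192z.dll.387921"
"c:\windows\system32\sofatnet.exex"
"c:\windows\system32\tmp474.$"
.
((((((((((((((((( Files Created from 2009-08-08 to 2009-09-08 )))))))))))))))))
.
2009-08-21 10:00 . 2008-10-16 19:06 268648 ----a-w- c:\windows\system32\mucltui.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Extension look-alikes from this thread: .0xe/.exex mimic .exe, .0ys mimics .sys,
# ".dll.<digits>" is a renamed DLL left by a dropper, ".$" is a temp-style payload name.
SUSPECT_EXT = re.compile(r"\.(0xe|exex|0ys|\$)$|\.dll\.\d+$", re.I)
EXEC_LIKE = re.compile(r"\.(exe|0xe|exex|dll|scr|com|pif)$", re.I)
PATH = re.compile(r'[a-zA-Z]:\\[^"\r\n\[]+')  # stop at a quote, EOL or "[date size]"

def extract_paths(log):
    """Return every Windows path in the log, whether quoted, bare or on a 'Files Created' line."""
    return [m.rstrip() for m in PATH.findall(log)]

def classify_path(path):
    """Reasons a path deserves an analyst's attention; an empty list means nothing odd."""
    reasons = []
    lower = path.strip().lower()
    name = lower.rsplit("\\", 1)[-1]
    if SUSPECT_EXT.search(name):
        reasons.append("non-standard executable-like extension")
    if "\\local settings\\temp\\" in lower and EXEC_LIKE.search(name):
        reasons.append("executable in user Temp")
    if "\\system volume information\\" in lower:
        reasons.append("inside System Restore cache (harmless unless restored)")
    return reasons

def weakened_settings(log):
    """Registry lines from 'Reg Loading Points' that lower protection. Both are expected
    when a third-party suite (Shaw Secure here) replaces the Windows firewall and AV
    monitoring, so confirm against the installed product before calling them malicious."""
    findings = []
    if re.search(r'"EnableFirewall"\s*=\s*0\b', log):
        findings.append("Windows Firewall disabled for the standard profile")
    if re.search(r'"DisableMonitoring"\s*=\s*dword:0*1\b', log):
        findings.append("Security Center AV monitoring disabled")
    return findings

def triage(log):
    """Map each flagged path (deduplicated) to its reasons, plus weakened-setting findings."""
    flagged = {}
    for path in extract_paths(log):
        reasons = classify_path(path)
        if reasons:
            flagged.setdefault(path, reasons)
    return {"paths": flagged, "settings": weakened_settings(log)}
```

Run `triage()` over a saved C:\ComboFix.txt to get a short list of entries worth a second look before posting; a legitimate system file such as mucltui.dll produces no flags.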
Old 09-07-2009, 08:16 PM   #11 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,908
OS: WinXP and Vista


Re: In need of a lot of help

Ah, it's as I suspected. C:\System Volume Information\, which is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be resetting/clearing the cache momentarily.

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------

Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via PayPal.

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an addon available for both Firefox and IE.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.


- Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

- Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.



- Most importantly, Think Prevention

-----------------------------------------------------


**Kindly respond one more time and let me know if we may consider this thread resolved.
Old 09-07-2009, 08:24 PM   #12 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 8
OS: Windows XP


Re: In need of a lot of help

Okay, thanks a lot!

Just one more question, how do I reset/clear the cache? When I typed in Combofix /u, it just uninstalled Combofix. Was that all I was supposed to do?
Old 09-07-2009, 08:30 PM   #13 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,908
OS: WinXP and Vista


Re: In need of a lot of help

During the process of uninstalling ComboFix, your system restore was flushed and a new point created as of that moment.

To verify this, click Start>All Programs>Accessories>System Tools
  • Select System Restore
  • Next, select 'Restore my computer to an earlier time'
  • Look to the calendar on the left hand side and you should see only 1 bolded date, with a time and date of just a few minutes ago.
  • Click Cancel to back out of the System Restore.
Old 09-07-2009, 08:36 PM   #14 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 8
OS: Windows XP


Re: In need of a lot of help

Okay, thank you for clearing that up, and for the time you spent helping me. I think that we can consider this thread resolved.
Old 09-07-2009, 08:37 PM   #15 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,908
OS: WinXP and Vista


Re: In need of a lot of help

You're welcome, Rush102.

Take care.
 


Copyright 2001 - 2009, Tech Support Forum