
frostwire and pop ups

This is a discussion on frostwire and pop ups within the Resolved HJT Threads forums, part of the Tech Support Forum category.


 
 
Old 10-09-2008, 04:26 PM   #1
 
disastertourism
Join Date: Oct 2008
Posts: 12

Hi. I attempted to download and install WinZip from FrostWire (I know, dumb move). In the process I must have loaded a ton of viruses. Now, even though I have uninstalled FrostWire, it continues to attempt to launch on its own, showing the loading screen. Then a Java runtime error comes up when it can't open all the way. Also, I have a large amount of pop-ups; I wouldn't say constant, but still, a lot.

Before I found this site, I did try to fix some things on my own. I deleted some files and stuff, probably doing more damage than good. I deleted the folder C:\WINDOWS\Fonts\, which had a ton, several thousand, of the URL pages that the pop-ups load. Anyway, this did nothing.

I've been through the first five steps now. I've attached the ActiveScan log from step 2. I am unable to update my XP. I followed all the steps in step 4 and the Microsoft site tells me it cannot update. I followed the steps there to start auto update, Background Intelligent Transfer Service, and Event Log; however, I am only able to start background service and Event Log. An error comes up when I try to start auto update that says an unspecified error occurred; it provides this URL: res://C:\WINDOWS\System32\mmcndmgr.dll/views.htm

Anyway, this is probably getting long for my initial post; just trying to be as informative as I can. Below is my copy of the HijackThis log. Thanks a lot for the help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:11:00 PM, on 10/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\program files\powerstrip\pstrip.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: AudioGizmo Toolbar - {C6BB606F-232D-4957-8AFF-7D4F4A220F67} - C:\Program Files\AudioGizmo Extension\v3.2.0.0\AudioGizmo_Toolbar.dll
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] "REGSVR32.EXE" /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] "C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PowerStrip] "c:\program files\powerstrip\pstrip.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [24cd6cd3] rundll32.exe "C:\WINDOWS\system32\pbgfmfxb.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] :C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Policies\Explorer\Run: [{24CD6C7C-0978-1033-0113-030113200001}] "C:\Program Files\Common Files\{24CD6C7C-0978-1033-0113-030113200001}\Update.exe" mc-110-12-0000137
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - https://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - https://upload.facebook.com/controls/...toUploader.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: egzsno.dll
O22 - SharedTaskScheduler: homina - {df8c3aed-b58e-4bcb-96b3-aa1b7bbdbbd4} - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7633 bytes
Attached Files: ActiveScan.txt (90.9 KB)

Old 10-12-2008, 02:43 PM   #2
 
disastertourism
Join Date: Oct 2008
Posts: 12

Bump, please. It's been 72+ hours and I could really use some help. Thanks a lot.
Old 10-12-2008, 06:22 PM   #3
tetonbob
TSF Security Manager Emeritus
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64

Hello and Welcome, disastertourism. Apologies for any delay in replying, but we have been rather busy lately.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

---------------------------------------------------------------------------------------------

If you still require assistance with this issue, and since it's been several days since your original log was posted, please do this:
  • Download RSIT by random/random and save it to your desktop.
  • Double click RSIT.exe to start the tool and click Continue at the disclaimer.
  • When the scan completes it will open a log named log.txt maximized, and a log named info.txt minimized.
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of log.txt here.
  • Please attach info.txt to your post.
To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. Copy and paste the following into the "Upload File from your Computer" box:
    C:\rsit\info.txt
  3. Click Upload.

---------------------------------------------------------------------------------------------

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

Microsoft MVP Consumer Security 2009 - 2015
Old 10-12-2008, 06:37 PM   #4
 
disastertourism
Join Date: Oct 2008
Posts: 12

Hey tetonbob, thanks for the response. Here are the logs you asked for.

Logfile of random's system information tool 1.04 (written by random/random)
Run by Mr. Garry at 2008-10-12 19:28:28
Microsoft Windows XP Professional Service Pack 2
System drive C: has 25 GB (32%) free of 78 GB
Total RAM: 2047 MB (76% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:30:33 PM, on 10/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\program files\powerstrip\pstrip.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Mr. Garry\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Mr. Garry.exe
C:\Program Files\frostwire\frostwire.exe
C:\WINDOWS\system32\rundll32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {166BE28B-0297-42F3-80AF-0D756ED7F583} - C:\WINDOWS\system32\hgGyvvSl.dll
O2 - BHO: (no name) - {319E315A-2DB7-4DFE-9585-B3F536E3128E} - C:\WINDOWS\system32\ssqOFXrP.dll
O2 - BHO: {73045b96-70d7-5778-8c14-ff935dc095f4} - {4f590cd5-39ff-41c8-8775-7d0769b54037} - C:\WINDOWS\system32\uslrmt.dll
O2 - BHO: AudioGizmo Toolbar Helper - {5980B104-CA68-4A9F-9E78-80ADBD2CA53B} - C:\Program Files\AudioGizmo Extension\v3.2.0.0\AudioGizmo_Toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: AudioGizmo Toolbar - {C6BB606F-232D-4957-8AFF-7D4F4A220F67} - C:\Program Files\AudioGizmo Extension\v3.2.0.0\AudioGizmo_Toolbar.dll
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] "REGSVR32.EXE" /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] "C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PowerStrip] "c:\program files\powerstrip\pstrip.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [24cd6cd3] rundll32.exe "C:\WINDOWS\system32\fonwnjat.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] :C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Policies\Explorer\Run: [{24CD6C7C-0978-1033-0113-030113200001}] "C:\Program Files\Common Files\{24CD6C7C-0978-1033-0113-030113200001}\Update.exe" mc-110-12-0000137
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - https://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - https://upload.facebook.com/controls/...toUploader.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: uslrmt.dll
O20 - Winlogon Notify: hgGyvvSl - C:\WINDOWS\SYSTEM32\hgGyvvSl.dll
O22 - SharedTaskScheduler: homina - {df8c3aed-b58e-4bcb-96b3-aa1b7bbdbbd4} - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8539 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\SOFTWARE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{166BE28B-0297-42F3-80AF-0D756ED7F583}]
C:\WINDOWS\system32\hgGyvvSl.dll [2008-09-04 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{319E315A-2DB7-4DFE-9585-B3F536E3128E}]
C:\WINDOWS\system32\ssqOFXrP.dll [2008-09-04 284160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4f590cd5-39ff-41c8-8775-7d0769b54037}]
C:\WINDOWS\system32\uslrmt.dll [2008-10-12 115200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5980B104-CA68-4A9F-9E78-80ADBD2CA53B}]
AudioGizmo Toolbar Helper - C:\Program Files\AudioGizmo Extension\v3.2.0.0\AudioGizmo_Toolbar.dll [2008-07-25 798720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-04-17 323904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{0BF43445-2F28-4351-9252-17FE6E806AA0}
{C6BB606F-232D-4957-8AFF-7D4F4A220F67} - AudioGizmo Toolbar - C:\Program Files\AudioGizmo Extension\v3.2.0.0\AudioGizmo_Toolbar.dll [2008-07-25 798720]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"=C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe [2003-07-02 57344]
"CTDVDDET"=C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE [2003-06-18 45056]
"CTHelper"=C:\WINDOWS\system32\CTHELPER.EXE [2003-06-19 24576]
"AsioReg"=REGSVR32.EXE /S CTASIO.DLL []
"SBDrvDet"=C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe [2002-12-03 45056]
"UpdReg"=C:\WINDOWS\UpdReg.EXE [2000-05-11 90112]
"PinnacleDriverCheck"=C:\WINDOWS\System32\PSDrvCheck.exe [2003-08-28 396800]
"DAEMON Tools"=C:\Program Files\DAEMON Tools\daemon.exe [2005-11-08 128920]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2006-11-07 185896]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2007-06-29 286720]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2007-06-29 81920]
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe [2004-08-04 158208]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2007-09-07 267064]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"PowerStrip"=c:\program files\powerstrip\pstrip.exe [2008-02-16 802552]
"Host Process"=C:\WINDOWS\Fonts\svchost.exe [2008-09-04 278539]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2007-06-29 8466432]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"rare"= []
"user32.dll"= []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"H/PC Connection Agent"=C:\Program Files\Microsoft ActiveSync\wcescomm.exe [2006-11-13 1289000]
"Uniblue RegistryBooster 2"=:C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"{24CD6C7C-0978-1033-0113-030113200001}"=C:\Program Files\Common Files\{24CD6C7C-0978-1033-0113-030113200001}\Update.exe mc-110-12-0000137 []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\24cd6cd3]
C:\WINDOWS\system32\gqqqdmwm.dll [2008-09-23 85504]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe --force_start_minimized []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeluxeCommunications]
C:\Program Files\DeluxeCommunications\Dxc.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\system32\scntmtdl.exe [2008-09-04 548928]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Host Process]
C:\WINDOWS\Fonts\svchost.exe [2008-09-04 278539]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1153846249\ee\AOLSoftware.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
C:\WINDOWS\system32\NvCpl.dll [2007-06-29 8466432]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pest-Capture]
C:\Program Files\PestCapture\PestCapture.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe [2007-03-30 25263144]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
C:\Program Files\Valve\Steam\Steam.exe [2008-03-24 1266936]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{b1fc4211-372f-1ad0-c55f-3b46701ed044}]
C:\WINDOWS\system32\azgzhqqpjvqosxfc.dll DllStub []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{D6-6C-C7-7C-DW}]
C:\windows\system32\rnwnw64j.exe [2008-09-04 200734]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE [2002-08-06 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~2.0\Reader\READER~1.EXE []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
C:\PROGRA~1\WinZip\WZQKPICK.EXE [2008-04-28 415072]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mr. Garry^Start Menu^Programs^Startup^Deewoo.lnk]
C:\WINDOWS\system32\scntmtdl.exe [2008-09-04 548928]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mr. Garry^Start Menu^Programs^Startup^DW_Start.lnk]
C:\WINDOWS\system32\rnwnw64j.exe [2008-09-04 200734]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMP54GSSVC"=2
"RasAuto"=3
"RasMan"=3
"RDSessMgr"=3
"RemoteRegistry"=2
"WMPNetworkSvc"=3

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
HPAiODevice(hp psc 700 series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="uslrmt.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hgGyvvSl]
C:\WINDOWS\system32\hgGyvvSl.dll [2008-09-04 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-02-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
homina - {df8c3aed-b58e-4bcb-96b3-aa1b7bbdbbd4}

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{166BE28B-0297-42F3-80AF-0D756ED7F583}"=C:\WINDOWS\system32\hgGyvvSl.dll [2008-09-04 34816]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\ssqOFXrP

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=255

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\Xfire\Xfire.exe"="C:\Program Files\Xfire\Xfire.exe:*:Enabled:Xfire"
"C:\Program Files\Soulseek\slsk.exe"="C:\Program Files\Soulseek\slsk.exe:*:Enabled:SoulSeek"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Valve\Steam\SteamApps\ufr8ecat\counter-strike source\hl2.exe"="C:\Program Files\Valve\Steam\SteamApps\ufr8ecat\counter-strike source\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\Common Files\AOL\1153846249\ee\aolsoftware.exe"="C:\Program Files\Common Files\AOL\1153846249\ee\aolsoftware.exe:*:Enabled:AOL Services"
"C:\Program Files\Common Files\AOL\1153846249\ee\aim6.exe"="C:\Program Files\Common Files\AOL\1153846249\ee\aim6.exe:*:Enabled:AIM"
"C:\Documents and Settings\Mr. Garry\Local Settings\Temporary Internet Files\Content.IE5\0KHXQT56\wowclient-downloader[1].exe"="C:\Documents and Settings\Mr. Garry\Local Settings\Temporary Internet Files\Content.IE5\0KHXQT56\wowclient-downloader[1].exe:*:Enabled:Blizzard Downloader"
"C:\Documents and Settings\Mr. Garry\Desktop\wowclient-downloader.exe"="C:\Documents and Settings\Mr. Garry\Desktop\wowclient-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\Program Files\World of Warcraft\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"="C:\Program Files\World of Warcraft\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\Azureus\Azureus.exe"="C:\Program Files\Azureus\Azureus.exe:*:Enabled:Azureus"
"C:\Program Files\World of Warcraft\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"="C:\Program Files\World of Warcraft\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"="C:\Program Files\World of Warcraft\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"="C:\Program Files\World of Warcraft\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\World of Warcraft\BackgroundDownloader.exe"="C:\Program Files\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\Program Files\Valve\Steam\SteamApps\ufr8ecat\counter-strike\hl.exe"="C:\Program Files\Valve\Steam\SteamApps\ufr8ecat\counter-strike\hl.exe:*:Enabled:Half-Life Launcher"
"C:\Program Files\FrostWire\FrostWire.exe"="C:\Program Files\FrostWire\FrostWire.exe:*:Enabled:LimeWire"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

======List of files/folders created in the last 1 months======

2008-10-12 19:29:20 ----SH---- C:\WINDOWS\system32\wqhhnksk.ini
2008-10-12 19:29:17 ----A---- C:\WINDOWS\system32\ksknhhqw.dll
2008-10-12 19:28:28 ----D---- C:\rsit
2008-10-12 19:27:05 ----A---- C:\WINDOWS\system32\uslrmt.dll
2008-10-12 19:27:02 ----A---- C:\WINDOWS\system32\ouaiqjbx.dll
2008-10-12 19:25:59 ----SH---- C:\WINDOWS\system32\tajnwnof.ini
2008-10-12 19:25:57 ----N---- C:\WINDOWS\system32\fonwnjat.dll
2008-10-10 02:24:48 ----SH---- C:\WINDOWS\system32\sdtprelh.ini
2008-10-10 02:24:47 ----N---- C:\WINDOWS\system32\hlerptds.dll
2008-10-10 02:21:49 ----A---- C:\WINDOWS\system32\zlqdpv.dll
2008-10-10 02:21:48 ----A---- C:\WINDOWS\system32\onmuqfgl.dll
2008-10-09 17:08:13 ----D---- C:\Program Files\Trend Micro
2008-10-09 16:44:34 ----D---- C:\ie-spyad_zo
2008-10-09 16:35:07 ----D---- C:\Program Files\Zoned Out
2008-10-09 16:20:36 ----D---- C:\Program Files\SpywareBlaster
2008-10-09 08:53:40 ----D---- C:\Program Files\Panda Security
2008-10-09 02:32:27 ----D---- C:\Program Files\XoftSpySE
2008-10-09 02:21:51 ----SH---- C:\WINDOWS\system32\bxfmfgbp.ini
2008-10-09 02:21:47 ----N---- C:\WINDOWS\system32\pbgfmfxb.dll
2008-10-09 02:21:00 ----A---- C:\WINDOWS\system32\egzsno.dll
2008-10-09 02:20:57 ----A---- C:\WINDOWS\system32\stqmapdi.dll
2008-09-23 10:34:57 ----A---- C:\WINDOWS\system32\khfEUkIb.dll
2008-09-23 09:15:07 ----SH---- C:\WINDOWS\system32\mwmdqqqg.ini
2008-09-23 09:15:06 ----A---- C:\WINDOWS\system32\gqqqdmwm.dll
2008-09-23 09:12:06 ----A---- C:\WINDOWS\system32\uixhjr.dll
2008-09-23 09:12:05 ----A---- C:\WINDOWS\system32\eixoaove.dll
2008-09-23 09:09:05 ----A---- C:\WINDOWS\system32\eltkqunf.dll
2008-09-22 09:15:06 ----A---- C:\WINDOWS\system32\hxceso.dll
2008-09-22 09:15:05 ----A---- C:\WINDOWS\system32\tmdlydmw.dll
2008-09-22 09:12:06 ----SH---- C:\WINDOWS\system32\bixmsjsg.ini
2008-09-22 09:09:05 ----A---- C:\WINDOWS\system32\wyykbbuu.dll
2008-09-21 09:12:07 ----A---- C:\WINDOWS\system32\awtqnlKE.dll
2008-09-21 09:12:05 ----A---- C:\WINDOWS\system32\oxajaevp.dll
2008-09-21 09:09:07 ----A---- C:\WINDOWS\system32\qccuto.dll
2008-09-21 09:09:06 ----A---- C:\WINDOWS\system32\ipheytlv.dll
2008-09-21 0922 ----A---- C:\WINDOWS\system32\mpegajia.dll
2008-09-20 09:12:06 ----A---- C:\WINDOWS\system32\vfjmeq.dll
2008-09-20 09:12:06 ----A---- C:\WINDOWS\system32\ntiluugj.dll
2008-09-20 09:09:16 ----SH---- C:\WINDOWS\system32\vEMpYcdd.ini
2008-09-20 09:09:06 ----A---- C:\WINDOWS\system32\nxfdneyx.dll
2008-09-20 0906 ----A---- C:\WINDOWS\system32\jcucqxww.dll
2008-09-19 09:08:48 ----SH---- C:\WINDOWS\system32\AycLknnn.ini
2008-09-19 09:08:37 ----A---- C:\WINDOWS\system32\nnnkLcyA.dll
2008-09-19 09:08:37 ----A---- C:\WINDOWS\system32\efcAQiiG.dll
2008-09-19 09:08:36 ----A---- C:\WINDOWS\system32\unhoptaa.dll
2008-09-19 09:05:40 ----A---- C:\WINDOWS\system32\puoadd.dll
2008-09-19 09:05:39 ----A---- C:\WINDOWS\system32\fmnmbcir.dll
2008-09-19 09:05:26 ----A---- C:\WINDOWS\system32\jvxqrray.dll
2008-09-19 09:05:15 ----A---- C:\WINDOWS\system32\yayvUonK.dll
2008-09-19 09:05:13 ----A---- C:\WINDOWS\system32\awtssrRI.dll
2008-09-19 09:04:56 ----A---- C:\WINDOWS\system32\mcrh.tmp
2008-09-17 01:50:18 ----A---- C:\WINDOWS\system32\cnkybf.dll
2008-09-17 01:50:17 ----A---- C:\WINDOWS\system32\unscgvyq.dll
2008-09-17 01:47:19 ----SH---- C:\WINDOWS\system32\sjwragka.ini
2008-09-17 01:44:17 ----A---- C:\WINDOWS\system32\fbdibdfj.dll
2008-09-16 01:47:18 ----SH---- C:\WINDOWS\system32\wftjbntv.ini
2008-09-15 01:50:18 ----SH---- C:\WINDOWS\system32\qblooqmv.ini
2008-09-15 01:47:18 ----A---- C:\WINDOWS\system32\ijilyj.dll
2008-09-15 01:47:17 ----A---- C:\WINDOWS\system32\vyjmacss.dll
2008-09-15 01:44:17 ----A---- C:\WINDOWS\system32\mvbxtkmq.dll
2008-09-14 01:46:48 ----SH---- C:\WINDOWS\system32\gwmnyvvp.ini
2008-09-14 01:43:35 ----A---- C:\WINDOWS\system32\ztgtll.dll
2008-09-14 01:43:34 ----A---- C:\WINDOWS\system32\fgtqgumq.dll
2008-09-14 01:42:03 ----A---- C:\WINDOWS\system32\mlJcbYpn.dll
2008-09-14 01:42:03 ----A---- C:\WINDOWS\system32\byXrqQHA.dll

======List of files/folders modified in the last 1 months======

2008-10-12 19:30:26 ----ASH---- C:\WINDOWS\system32\PrXFOqss.ini
2008-10-12 19:29:29 ----SHD---- C:\WINDOWS\system32
2008-10-12 19:29:29 ----ASH---- C:\WINDOWS\system32\PrXFOqss.ini2
2008-10-12 19:26:38 ----D---- C:\WINDOWS\Temp
2008-10-12 19:26:32 ----A---- C:\WINDOWS\system32\2feea8ad-.txt
2008-10-10 02:31:42 ----D---- C:\Program Files\Mozilla Firefox 3 Beta 4
2008-10-10 02:25:00 ----D---- C:\WINDOWS\Prefetch
2008-10-09 17:08:13 ----AD---- C:\Program Files
2008-10-09 16:55:15 ----D---- C:\WINDOWS\system32\CatRoot2
2008-10-09 16:48:18 ----RSD---- C:\WINDOWS\Fonts
2008-10-09 16:48:18 ----D---- C:\Documents and Settings\Mr. Garry\Application Data\LimeWire
2008-10-09 16:48:18 ----D---- C:\Documents and Settings\Mr. Garry\Application Data\FrostWire
2008-10-09 16:47:02 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-10-09 16:43:31 ----D---- C:\WINDOWS
2008-10-09 16:14:38 ----D---- C:\WINDOWS\system32\mC02
2008-10-09 16:14:35 ----D---- C:\WINDOWS\system32\hcp
2008-10-09 13:35:16 ----D---- C:\WINDOWS\system32\drivers
2008-10-09 13:29:44 ----RASH---- C:\boot.ini
2008-10-09 13:29:44 ----A---- C:\WINDOWS\win.ini
2008-10-09 13:29:44 ----A---- C:\WINDOWS\system.ini
2008-10-09 13:29:18 ----D---- C:\WINDOWS\system32\appmgmt
2008-10-09 13:13:33 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-10-09 09:04:20 ----HD---- C:\WINDOWS\inf
2008-10-09 08:36:56 ----SD---- C:\WINDOWS\Tasks
2008-10-09 08:24:37 ----D---- C:\WINDOWS\system32\LogFiles
2008-10-09 08:24:35 ----D---- C:\WINDOWS\Debug
2008-10-09 03:02:22 ----D---- C:\Documents and Settings
2008-10-06 21:53:52 ----D---- C:\Program Files\WAR extract
2008-09-23 09:09:12 ----A---- C:\WINDOWS\BM27fe5f4f.txt
2008-09-23 09:09:07 ----A---- C:\WINDOWS\pskt.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 InCDPass;InCDPass; C:\WINDOWS\System32\DRIVERS\InCDPass.sys [2004-11-26 28928]
R1 incdrm;InCD Reader; C:\WINDOWS\system32\drivers\incdrm.sys [2004-11-26 27648]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\System32\DRIVERS\kbdhid.sys [2004-08-04 14848]
R1 StarOpen;StarOpen; C:\WINDOWS\system32\drivers\StarOpen.sys [2006-07-24 5632]
R1 tdii;tdii; C:\WINDOWS\System32\drivers\tdii.sys [2008-09-04 86144]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.2.0.3; C:\WINDOWS\System32\DRIVERS\AegisP.sys [2006-06-13 17801]
R2 MCSTRM;MCSTRM; C:\WINDOWS\system32\drivers\MCSTRM.sys [2007-05-12 8413]
R2 PStrip;PStrip; C:\WINDOWS\system32\drivers\pstrip.sys [2007-07-14 27992]
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R3 BCM43XX;Linksys Wireless-G PCI Network Adapter Driver; C:\WINDOWS\System32\DRIVERS\bcmwl5.sys [2004-12-22 369024]
R3 CA561;ICatch (VI) PC Camera; C:\WINDOWS\System32\Drivers\SPCA561.SYS [2002-10-01 119798]
R3 ctac32k;Creative AC3 Software Decoder; C:\WINDOWS\system32\drivers\ctac32k.sys [2003-07-10 651792]
R3 ctaud2k;Creative Audio Driver (WDM); C:\WINDOWS\system32\drivers\ctaud2k.sys [2003-06-19 509328]
R3 ctprxy2k;Creative Proxy Driver; C:\WINDOWS\system32\drivers\ctprxy2k.sys [2003-06-19 6144]
R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\system32\drivers\ctsfm2k.sys [2003-06-19 136016]
R3 dtscsi;dtscsi; C:\WINDOWS\System32\Drivers\dtscsi.sys [2006-04-18 223128]
R3 emupia;E-mu Plug-in Architecture Driver; C:\WINDOWS\system32\drivers\emupia2k.sys [2003-07-10 145232]
R3 GEARAspiWDM;GEAR CDRom Filter; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2006-09-19 15664]
R3 ha10kx2k;Creative Hardware Abstract Layer Driver; C:\WINDOWS\system32\drivers\ha10kx2k.sys [2003-06-27 860592]
R3 hap16v2k;Creative P16V HAL Driver; C:\WINDOWS\system32\drivers\hap16v2k.sys [2003-06-27 159040]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2003-03-31 9600]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2007-06-29 6807328]
R3 ossrv;Creative OS Services Driver; C:\WINDOWS\system32\drivers\ctoss2k.sys [2003-06-19 190208]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-08-11 14604]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2004-08-04 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-04 20480]
R4 InCDfs;InCD File System; C:\WINDOWS\system32\drivers\InCDfs.sys [2004-11-26 98176]
S3 61883;61883 Unit Device; C:\WINDOWS\System32\DRIVERS\61883.sys [2004-08-04 48128]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2004-08-04 60800]
S3 Avc;AVC Device; C:\WINDOWS\System32\DRIVERS\avc.sys [2004-08-04 38912]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [2004-08-04 17024]
S3 ctdvda2k;Creative DVD-Audio Device Driver; C:\WINDOWS\system32\drivers\ctdvda2k.sys [2003-03-26 287920]
S3 dot4;MS IEEE-1284.4 Driver; C:\WINDOWS\System32\DRIVERS\Dot4.sys [2004-08-04 207360]
S3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\WINDOWS\System32\DRIVERS\Dot4Prt.sys [2001-08-17 12928]
S3 Dot4Scan;Scan Class Driver for IEEE-1284.4; C:\WINDOWS\System32\DRIVERS\Dot4Scan.sys [2001-08-17 8704]
S3 dot4usb;Dot4USB Filter Dot4USB Filter; C:\WINDOWS\System32\DRIVERS\dot4usb.sys [2001-08-17 23808]
S3 ENTECH;ENTECH; \??\C:\WINDOWS\system32\DRIVERS\ENTECH.sys []
S3 gkmixern;gkmixern; \??\C:\DOCUME~1\MRCAEA~1.GAR\LOCALS~1\Temp\gkmixern.sys []
S3 GTNDIS5;GTNDIS5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\GTNDIS5.SYS []
S3 MSDV;Microsoft DV Camera and VCR; C:\WINDOWS\System32\DRIVERS\msdv.sys [2004-08-04 51328]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-04 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\System32\DRIVERS\NABTSFEC.sys [2004-08-04 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [2004-08-04 10880]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2004-08-04 61824]
S3 Point32;Microsoft IntelliPoint Filter Driver; C:\WINDOWS\System32\DRIVERS\point32.sys [2004-06-03 20352]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [2004-08-04 20992]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\System32\DRIVERS\SLIP.sys [2004-08-04 11136]
S3 sscdbus;SAMSUNG USB Composite Device driver (WDM); C:\WINDOWS\system32\DRIVERS\sscdbus.sys [2005-12-22 80272]
S3 sscdmdfl;SAMSUNG CDMA Modem Filter; C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys [2005-12-22 10864]
S3 sscdmdm;SAMSUNG CDMA Modem Drivers; C:\WINDOWS\system32\DRIVERS\sscdmdm.sys [2005-12-22 137884]
S3 streamip;BDA IPSink; C:\WINDOWS\System32\DRIVERS\StreamIP.sys [2004-08-04 15360]
S3 usb_rndisx;USB RNDIS Adapter; C:\WINDOWS\System32\DRIVERS\usb8023x.sys [2005-10-20 12800]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2007-09-06 30336]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2004-08-04 59264]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2004-08-04 15104]
S3 usbstor;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S3 wceusbsh;Windows CE USB Serial Host Driver; C:\WINDOWS\system32\DRIVERS\wceusbsh.sys [2005-06-14 104576]
S3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S3 winusb;WinUSB Service; C:\WINDOWS\system32\DRIVERS\WinUSB.SYS [2006-11-02 39368]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\System32\DRIVERS\WSTCODEC.SYS [2004-08-04 19328]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S3 XDva143;XDva143; \??\C:\WINDOWS\system32\XDva143.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\System32\DRIVERS\sr.sys [2004-08-04 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2007-09-06 110592]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2007-07-24 229376]
R2 Creative Service for CDROM Access;Creative Service for CDROM Access; C:\WINDOWS\System32\CTsvcCDA.exe [1999-12-13 44032]
R2 InCDsrvR;InCD Helper (read only); C:\Program Files\Ahead\InCD\InCDsrv.exe [2004-11-26 812032]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2007-06-29 155716]
R2 WMDM PMSP Service;WMDM PMSP Service; C:\WINDOWS\System32\MsPMSPSv.exe [2000-06-26 53520]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2007-09-07 503608]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
S4 WMP54GSSVC;WMP54GSSVC; C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe [2004-02-07 41025]
S4 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

-----------------EOF-----------------
Attached Files
File Type: txt info.txt (32.7 KB, 18 views)
disastertourism is offline  
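As an added example, not part of the thread or of the RSIT/ComboFix tools, the script below parses two sections of the RSIT log posted above. It flags the pattern visible in the "files created" list, where a System+Hidden .ini appears seconds after a .dll whose name is the .ini stem spelled backwards (wqhhnksk.ini / ksknhhqw.dll, tajnwnof.ini / fonwnjat.dll, AycLknnn.ini / nnnkLcyA.dll), and it parses the Windows Firewall AuthorizedApplications\List values (format `path:scope:Enabled:name`) to list exceptions that open an unrestricted `*` scope for a binary living in the IE cache, a Temp folder or the Desktop. The sample lines are copied from the log above; the RISKY_DIRS heuristic is this example's own assumption, not something RSIT reports.

```python
"""Triage helpers for the RSIT listing shown above.

Added example: not part of the forum thread, RSIT or ComboFix. Sample lines are
copied from the posted log; the RISKY_DIRS heuristic is the example's own.
"""
import re

# "files created" lines, copied from the RSIT output above (the attribute
# column is RSIT's own, e.g. ----SH---- = System + Hidden).
RSIT_CREATED = r"""
2008-10-12 19:29:20 ----SH---- C:\WINDOWS\system32\wqhhnksk.ini
2008-10-12 19:29:17 ----A---- C:\WINDOWS\system32\ksknhhqw.dll
2008-10-12 19:28:28 ----D---- C:\rsit
2008-10-12 19:27:05 ----A---- C:\WINDOWS\system32\uslrmt.dll
2008-10-12 19:25:59 ----SH---- C:\WINDOWS\system32\tajnwnof.ini
2008-10-12 19:25:57 ----N---- C:\WINDOWS\system32\fonwnjat.dll
2008-10-09 17:08:13 ----D---- C:\Program Files\Trend Micro
2008-09-20 09:09:16 ----SH---- C:\WINDOWS\system32\vEMpYcdd.ini
2008-09-19 09:08:48 ----SH---- C:\WINDOWS\system32\AycLknnn.ini
2008-09-19 09:08:37 ----A---- C:\WINDOWS\system32\nnnkLcyA.dll
"""

# Firewall AuthorizedApplications\List values, copied from the registry dump above.
FW_LIST = r"""
"C:\Documents and Settings\Mr. Garry\Local Settings\Temporary Internet Files\Content.IE5\0KHXQT56\wowclient-downloader[1].exe"="C:\Documents and Settings\Mr. Garry\Local Settings\Temporary Internet Files\Content.IE5\0KHXQT56\wowclient-downloader[1].exe:*:Enabled:Blizzard Downloader"
"C:\Documents and Settings\Mr. Garry\Desktop\wowclient-downloader.exe"="C:\Documents and Settings\Mr. Garry\Desktop\wowclient-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"""

# RSIT line: "<date> <time> <attrs> <path>"; the path may contain spaces.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (.+?)\s*$")
# Registry .reg-style line: "<key>"="<value>"
FW_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>.+)"\s*$')
# Assumed heuristic: locations a legitimate firewall exception rarely points at.
RISKY_DIRS = ("\\temporary internet files\\", "\\local settings\\temp\\", "\\desktop\\")


def parse_rsit(text):
    """Return (timestamp, attrs, path) for every well-formed RSIT file line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3)))
    return entries


def reversed_name_pairs(entries):
    """Return (ini_path, dll_path) pairs where the .ini stem is the .dll stem
    reversed (case preserved), the pairing seen repeatedly in the log above."""
    dll_by_stem = {}
    inis = []
    for _, _, path in entries:
        name = path.rsplit("\\", 1)[-1]
        stem, dot, ext = name.rpartition(".")
        if not dot:
            continue  # directories such as C:\rsit have no extension
        if ext.lower() == "dll":
            dll_by_stem[stem] = path
        elif ext.lower() == "ini":
            inis.append((stem, path))
    return [(ini, dll_by_stem[stem[::-1]]) for stem, ini in inis if stem[::-1] in dll_by_stem]


def parse_firewall_exceptions(text):
    """Split each AuthorizedApplications\\List value into path/scope/state/name.
    The path itself contains a colon (C:), so split from the right."""
    rows = []
    for line in text.splitlines():
        m = FW_RE.match(line.strip())
        if not m:
            continue
        parts = m.group("value").rsplit(":", 3)
        if len(parts) != 4:
            continue
        path, scope, state, name = parts
        rows.append({"path": path, "scope": scope, "state": state, "name": name})
    return rows


def risky_exceptions(rows):
    """Exceptions with an unrestricted '*' scope for a binary in a cache/temp/Desktop folder."""
    return [r for r in rows
            if r["scope"] == "*" and any(d in r["path"].lower() for d in RISKY_DIRS)]


if __name__ == "__main__":
    for ini, dll in reversed_name_pairs(parse_rsit(RSIT_CREATED)):
        print("reversed-name pair:", ini, "<->", dll)
    for r in risky_exceptions(parse_firewall_exceptions(FW_LIST)):
        print("open firewall exception from", r["path"], "labelled", repr(r["name"]))
```

Run against the full info.txt rather than the excerpt, the pair finder gives a quick list of candidates to hand to the helper; the firewall parser is useful because the ActiveSync entries show what a properly scoped exception looks like (a 169.254.2.0/24 scope) next to the `*`-scoped ones.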
Old 10-12-2008, 06:44 PM   #5
TSF Security Manager
Emeritus
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



I see no evidence of an AntiVirus program on your system. This must be resolved. Connecting to the Internet without antivirus protection is a "Welcome" doormat for malware. It can take as little as eight seconds to infect an unprotected computer.

We will address that during the course of this fix.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions, and please do not attempt fixes or run scanners on your own unless requested by me or another helper.

---------------------------------------------------------------------------------------------

Please visit this webpage for instructions for downloading and running ComboFix:

https://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery mode if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

As part of installing the Recovery Console, ComboFix will begin to run. Follow the prompts to install the Recovery Console. Your desktop may disappear. This is normal. It will return.

Once the Recovery Console is installed using ComboFix, you should see a message that says:

The Recovery Console was successfully installed.



Please continue as follows:

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

If you have any questions along the way, STOP and ask them before proceeding.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

Microsoft MVP Consumer Security 2009 - 2015
tetonbob is offline  
Old 10-12-2008, 07:59 PM   #6
 
Join Date: Oct 2008
Posts: 12
OS:



I installed the Recovery Console following the instructions; however, it gave me an error when the installation had finished. I scanned anyway and have included the logs. The ComboFix log is first, followed by a new HijackThis log. Performance on the PC is greatly improved.

ComboFix 08-10-11.04 - Mr. Garry 2008-10-12 20:29:55.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1549 [GMT -5:00]
Running from: C:\Documents and Settings\Mr. Garry\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mr. Garry\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\Common Files\{24CD6~1
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\BM27fe5f4f.txt
C:\WINDOWS\BM27fe5f4f.xml
C:\WINDOWS\Fonts\'
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\Fonts\Setup.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\apxcdrjj.dll
C:\WINDOWS\system32\awtqnlKE.dll
C:\WINDOWS\system32\awtqoLeE.dll
C:\WINDOWS\system32\awtssrRI.dll
C:\WINDOWS\system32\awttsPge.dll
C:\WINDOWS\system32\awttsPiI.dll
C:\WINDOWS\system32\AycLknnn.ini
C:\WINDOWS\system32\bcwvwlht.dll
C:\WINDOWS\system32\beoooyat.ini
C:\WINDOWS\system32\bixmsjsg.ini
C:\WINDOWS\system32\bjecexye.dll
C:\WINDOWS\system32\bnacjwgi.dll
C:\WINDOWS\system32\btjtzq.dll
C:\WINDOWS\system32\bxfmfgbp.ini
C:\WINDOWS\system32\bylwmhth.dll
C:\WINDOWS\system32\byXrqQHA.dll
C:\WINDOWS\system32\cbXNEVom.dll
C:\WINDOWS\system32\cerftcqu.dll
C:\WINDOWS\system32\cfgakmwl.dll
C:\WINDOWS\system32\cnkybf.dll
C:\WINDOWS\system32\cutupofj.dll
C:\WINDOWS\system32\dgjqio.dll
C:\WINDOWS\system32\dlohaofu.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\tdii.sys
C:\WINDOWS\system32\dwwnw64r.exe
C:\WINDOWS\system32\ebijgwlx.ini
C:\WINDOWS\system32\efcAQiiG.dll
C:\WINDOWS\system32\egzsno.dll
C:\WINDOWS\system32\eixoaove.dll
C:\WINDOWS\system32\eltkqunf.dll
C:\WINDOWS\system32\enrpuwbd.dll
C:\WINDOWS\system32\erhfvpdd.ini
C:\WINDOWS\system32\eyifldsd.ini
C:\WINDOWS\system32\fbdibdfj.dll
C:\WINDOWS\system32\fgtqgumq.dll
C:\WINDOWS\system32\fmnmbcir.dll
C:\WINDOWS\system32\fonwnjat.dll
C:\WINDOWS\system32\frgvsqof.dll
C:\WINDOWS\system32\gjiektpv.dll
C:\WINDOWS\system32\gqqqdmwm.dll
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\gwmnyvvp.ini
C:\WINDOWS\system32\hgGyvvSl.dll
C:\WINDOWS\system32\hlerptds.dll
C:\WINDOWS\system32\htgbsjou.ini
C:\WINDOWS\system32\hxceso.dll
C:\WINDOWS\system32\igwjcanb.ini
C:\WINDOWS\system32\ihimbngg.dll
C:\WINDOWS\system32\ijilyj.dll
C:\WINDOWS\system32\ipheytlv.dll
C:\WINDOWS\system32\jcucqxww.dll
C:\WINDOWS\system32\jdilnk.dll
C:\WINDOWS\system32\jvxqrray.dll
C:\WINDOWS\system32\khfEUkIb.dll
C:\WINDOWS\system32\kreulpqa.ini
C:\WINDOWS\system32\ksknhhqw.dll
C:\WINDOWS\system32\lgqdeffi.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mlJcbYpn.dll
C:\WINDOWS\system32\mpegajia.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\mvbxtkmq.dll
C:\WINDOWS\system32\mwmdqqqg.ini
C:\WINDOWS\system32\ndnluc.dll
C:\WINDOWS\system32\nnnkLcyA.dll
C:\WINDOWS\system32\ntiluugj.dll
C:\WINDOWS\system32\nxfdneyx.dll
C:\WINDOWS\system32\onmuqfgl.dll
C:\WINDOWS\system32\ouaiqjbx.dll
C:\WINDOWS\system32\oxajaevp.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pbgfmfxb.dll
C:\WINDOWS\system32\pmnoMcBu.dll
C:\WINDOWS\system32\PrXFOqss.ini
C:\WINDOWS\system32\PrXFOqss.ini2
C:\WINDOWS\system32\puoadd.dll
C:\WINDOWS\system32\qblooqmv.ini
C:\WINDOWS\system32\qccuto.dll
C:\WINDOWS\system32\quqkmd.dll
C:\WINDOWS\system32\rhfkngbf.dll
C:\WINDOWS\system32\rnwnw64j.exe
C:\WINDOWS\system32\rqRKcaaY.dll
C:\WINDOWS\system32\sdtprelh.ini
C:\WINDOWS\system32\sebyel.dll
C:\WINDOWS\system32\sjwragka.ini
C:\WINDOWS\system32\skdhcz.dll
C:\WINDOWS\system32\slncreej.dll
C:\WINDOWS\system32\ssqOFXrP.dll
C:\WINDOWS\system32\stqmapdi.dll
C:\WINDOWS\system32\tajnwnof.ini
C:\WINDOWS\system32\tmdlydmw.dll
C:\WINDOWS\system32\tmgxisry.dll
C:\WINDOWS\system32\tuvSkJBR.dll
C:\WINDOWS\system32\uamgvhdn.dll
C:\WINDOWS\system32\uixhjr.dll
C:\WINDOWS\system32\umpsrkjn.ini
C:\WINDOWS\system32\unhoptaa.dll
C:\WINDOWS\system32\unscgvyq.dll
C:\WINDOWS\system32\uqctfrec.ini
C:\WINDOWS\system32\uslrmt.dll
C:\WINDOWS\system32\vblofspa.dll
C:\WINDOWS\system32\vEMpYcdd.ini
C:\WINDOWS\system32\vfjmeq.dll
C:\WINDOWS\system32\vptkeijg.ini
C:\WINDOWS\system32\vyjmacss.dll
C:\WINDOWS\system32\wftjbntv.ini
C:\WINDOWS\system32\wqhhnksk.ini
C:\WINDOWS\system32\wyqxrdbo.ini
C:\WINDOWS\system32\wyykbbuu.dll
C:\WINDOWS\system32\xhrnjb.dll
C:\WINDOWS\system32\xlwgjibe.dll
C:\WINDOWS\system32\yayvUonK.dll
C:\WINDOWS\system32\zkwfce.dll
C:\WINDOWS\system32\zlqdpv.dll
C:\WINDOWS\system32\ztgtll.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NETWORK_MONITOR
-------\Legacy_TDII
-------\Legacy_WINDOWS_OVERLAY_COMPONENTS
-------\Service_tdii


((((((((((((((((((((((((( Files Created from 2008-09-13 to 2008-10-13 )))))))))))))))))))))))))))))))
.

2008-10-12 19:28 . 2008-10-12 19:30 <DIR> d-------- C:\rsit
2008-10-09 17:08 . 2008-10-09 17:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-09 16:44 . 2008-10-09 16:44 <DIR> d-------- C:\ie-spyad_zo
2008-10-09 16:35 . 2008-10-09 16:35 <DIR> d-------- C:\Program Files\Zoned Out
2008-10-09 16:20 . 2008-10-09 16:20 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-10-09 09:04 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-10-09 08:53 . 2008-10-09 08:53 <DIR> d-------- C:\Program Files\Panda Security
2008-10-09 03:32 . 2008-10-09 03:56 <DIR> d-------- C:\Documents and Settings\Mr. Garry\.housecall6.6
2008-10-09 02:32 . 2008-10-09 08:36 <DIR> d-------- C:\Program Files\XoftSpySE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-13 00:32 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 4
2008-10-09 21:48 --------- d-----w C:\Documents and Settings\Mr. Garry\Application Data\LimeWire
2008-10-09 21:48 --------- d-----w C:\Documents and Settings\Mr. Garry\Application Data\FrostWire
2008-10-09 08:32 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2008-10-07 02:53 --------- d-----w C:\Program Files\WAR extract
2008-09-23 21:58 17 ----a-w C:\Program Files\stinger.opt
2008-09-06 01:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-06 00:41 --------- d-----w C:\Program Files\FrostWire
2008-09-04 20:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-09-04 20:42 --------- d-----w C:\Program Files\Outspark
2008-09-04 20:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Outspark
2008-09-04 16:41 --------- d-----w C:\Program Files\Incomplete
2008-09-04 15:22 --------- d-----w C:\Program Files\Java
2008-09-04 15:17 --------- d-----w C:\Documents and Settings\Mr. Garry\Application Data\Uniblue
2008-09-04 15:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-09-04 15:13 153,484 ----a-w C:\WINDOWS\system32\g92.exe
2008-09-04 15:07 147,456 ----a-w C:\WINDOWS\system32\vbzip10.dll
2008-09-04 15:02 548,928 ----a-w C:\WINDOWS\system32\scntmtdl.exe
2008-09-04 03:24 --------- d-----w C:\Program Files\Download Manager
2008-08-19 08:00 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-07-31 15:41 68,616 ----a-w C:\WINDOWS\system32\XAPOFX1_1.dll
2008-07-31 15:41 238,088 ----a-w C:\WINDOWS\system32\xactengine3_2.dll
2008-07-31 15:40 509,448 ----a-w C:\WINDOWS\system32\XAudio2_2.dll
2008-07-26 02:43 235,884 ----a-w C:\WINDOWS\AudioGizmo_Toolbar_Uninstaller_906.exe
2007-08-27 00:45 769,031 ----a-w C:\Program Files\stinger.exe
2007-01-11 20:07 58,032,562 ----a-w C:\Program Files\Samsung_PC_Studio_311_FKB.exe
2003-03-31 12:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 07:56 50,688 --sh--w C:\WINDOWS\twain_32.dll
2005-08-02 21:46 187,904 --sha-r C:\WINDOWS\R2FyeQ\asappsrv.dll
2005-08-02 21:58 293,888 --sha-r C:\WINDOWS\R2FyeQ\command.exe
2005-07-29 21:24 472 --sha-r C:\WINDOWS\R2FyeQ\lZIVyk.vbs
2004-08-04 07:56 1,028,096 --sha-w C:\WINDOWS\system32\mfc42.dll
2004-08-04 07:56 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 07:56 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 07:56 343,040 --sha-w C:\WINDOWS\system32\msvcrt.dll
2007-12-04 18:38 550,912 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 07:56 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2004-08-04 07:56 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-07-02 57344]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 90112]
"PinnacleDriverCheck"="C:\WINDOWS\System32\PSDrvCheck.exe" [2003-08-28 396800]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-11-08 128920]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-07 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 286720]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 81920]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 267064]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"PowerStrip"="c:\program files\powerstrip\pstrip.exe" [2008-02-16 802552]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 8466432]
"CTHelper"="CTHELPER.EXE" [2003-06-19 C:\WINDOWS\system32\CTHELPER.EXE]
"AsioReg"="CTASIO.DLL" [2003-06-19 C:\WINDOWS\system32\CTASIO.DLL]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HPAiODevice(hp psc 700 series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe [2002-04-24 487484]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=uslrmt.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mr. Garry^Start Menu^Programs^Startup^Deewoo.lnk]
path=C:\Documents and Settings\Mr. Garry\Start Menu\Programs\Startup\Deewoo.lnk
backup=C:\WINDOWS\pss\Deewoo.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Mr. Garry^Start Menu^Programs^Startup^DW_Start.lnk]
path=C:\Documents and Settings\Mr. Garry\Start Menu\Programs\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
--a------ 2008-09-04 10:02 548928 C:\WINDOWS\system32\scntmtdl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-06-29 00:43 8466432 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2007-03-30 13:34 25263144 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-03-24 01:30 1266936 C:\Program Files\Valve\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-06-29 00:43 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMP54GSSVC"=2 (0x2)
"RasAuto"=3 (0x3)
"RasMan"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Soulseek\\slsk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\ufr8ecat\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Valve\\Steam\\SteamApps\\ufr8ecat\\counter-strike\\hl.exe"=
"C:\\Program Files\\FrostWire\\FrostWire.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 28544]
R2 PStrip;PStrip;C:\WINDOWS\system32\drivers\pstrip.sys [2007-07-14 27992]
S3 gkmixern;gkmixern;C:\DOCUME~1\MRCAEA~1.GAR\LOCALS~1\Temp\gkmixern.sys [ ]
S3 XDva143;XDva143;C:\WINDOWS\system32\XDva143.sys [ ]
.
Contents of the 'Scheduled Tasks' folder

2008-09-30 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{166BE28B-0297-42F3-80AF-0D756ED7F583} - C:\WINDOWS\system32\hgGyvvSl.dll
BHO-{319E315A-2DB7-4DFE-9585-B3F536E3128E} - C:\WINDOWS\system32\ssqOFXrP.dll
BHO-{4f590cd5-39ff-41c8-8775-7d0769b54037} - C:\WINDOWS\system32\uslrmt.dll
HKCU-Run-Uniblue RegistryBooster 2 - :C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
HKLM-Run-24cd6cd3 - C:\WINDOWS\system32\ksknhhqw.dll
HKCU-Explorer_Run-{24CD6C7C-0978-1033-0113-030113200001} - C:\Program Files\Common Files\{24CD6C7C-0978-1033-0113-030113200001}\Update.exe
ShellExecuteHooks-{166BE28B-0297-42F3-80AF-0D756ED7F583} - C:\WINDOWS\system32\hgGyvvSl.dll
MSConfigStartUp-24cd6cd3 - C:\WINDOWS\system32\gqqqdmwm.dll
MSConfigStartUp-BitTorrent - C:\Program Files\BitTorrent\bittorrent.exe
MSConfigStartUp-DeluxeCommunications - C:\Program Files\DeluxeCommunications\Dxc.exe
MSConfigStartUp-Host Process - C:\WINDOWS\Fonts\svchost.exe
MSConfigStartUp-HostManager - C:\Program Files\Common Files\AOL\1153846249\ee\AOLSoftware.exe
MSConfigStartUp-Pest-Capture - C:\Program Files\PestCapture\PestCapture.exe
MSConfigStartUp-{b1fc4211-372f-1ad0-c55f-3b46701ed044} - C:\WINDOWS\system32\azgzhqqpjvqosxfc.dll
MSConfigStartUp-{D6-6C-C7-7C-DW} - C:\windows\system32\rnwnw64j.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Mr. Garry\Application Data\Mozilla\Firefox\Profiles\8ubd325t.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF -: plugin - C:\Program Files\Download Manager\npfpdlm.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 4\plugins\npLegitCheckPlugin.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 4\plugins\npnul32.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 4\plugins\npqtplugin.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 4\plugins\npqtplugin2.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 4\plugins\npqtplugin3.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 4\plugins\npqtplugin4.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 4\plugins\npqtplugin5.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 4\plugins\npqtplugin6.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 4\plugins\npqtplugin7.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2008-10-12 20:42:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\DOCUME~1\MRCAEA~1.GAR\LOCALS~1\Temp\temp0.exe

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\Bin\hposts07.exe
.
**************************************************************************
.
Completion time: 2008-10-12 20:52:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-13 01:51:57

Pre-Run: 26,377,588,736 bytes free
Post-Run: 26,419,810,304 bytes free

359 --- E O F --- 2008-08-23 05:45:20


here is the hijackthis log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:57:19 PM, on 10/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\program files\powerstrip\pstrip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: AudioGizmo Toolbar Helper - {5980B104-CA68-4A9F-9E78-80ADBD2CA53B} - C:\Program Files\AudioGizmo Extension\v3.2.0.0\AudioGizmo_Toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: AudioGizmo Toolbar - {C6BB606F-232D-4957-8AFF-7D4F4A220F67} - C:\Program Files\AudioGizmo Extension\v3.2.0.0\AudioGizmo_Toolbar.dll
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] "REGSVR32.EXE" /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] "C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PowerStrip] "c:\program files\powerstrip\pstrip.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - https://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - https://upload.facebook.com/controls/...toUploader.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: uslrmt.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7194 bytes
disastertourism is offline  
Old 10-12-2008, 08:29 PM   #7
TSF Security Manager
Emeritus
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



Quote:
however, it gave me an error when installation had finished,
What sort of error? Exact error message if possible, please.


Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following:

    C:\WINDOWS\system32\g92.exe

  • Then click the "Send File" button just below.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply.
  • Please repeat for the following files:

    • C:\WINDOWS\system32\scntmtdl.exe
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

Microsoft MVP Consumer Security 2009 - 2015
tetonbob is offline  
Old 10-12-2008, 08:39 PM   #8
 
Join Date: Oct 2008
Posts: 12
OS:



i don't remember the exact error message, i'm sorry. i believe it was something like a certain file did not exist. here are the two scan results...


File g92.exe_ received on 10.13.2008 04:32:11 (CET)
Result: 18/36 (50%)

Antivirus Version Last Update Result
AhnLab-V3 2008.10.10.1 2008.10.10 -
AntiVir 7.8.1.34 2008.10.12 DR/Click.Agent.bso.1
Authentium 5.1.0.4 2008.10.12 -
Avast 4.8.1248.0 2008.10.12 Win32:Agent-ABKG
AVG 8.0.0.161 2008.10.12 Clicker.PDU
BitDefender 7.2 2008.10.13 Trojan.Generic.693182
CAT-QuickHeal 9.50 2008.10.13 -
ClamAV 0.93.1 2008.10.13 Trojan.BHO-3774
DrWeb 4.44.0.09170 2008.10.13 -
eSafe 7.0.17.0 2008.10.12 -
eTrust-Vet 31.6.6139 2008.10.09 -
Ewido 4.0 2008.10.12 -
F-Prot 4.4.4.56 2008.10.12 -
F-Secure 8.0.14332.0 2008.10.13 Trojan-Clicker.Win32.Agent.bso
Fortinet 3.113.0.0 2008.10.13 Adware/AdClicker
GData 19 2008.10.13 Trojan.Generic.693182
Ikarus T3.1.1.34.0 2008.10.13 Trojan-Clicker.Win32.Agent.bso
K7AntiVirus 7.10.491 2008.10.11 -
Kaspersky 7.0.0.125 2008.10.13 Trojan-Clicker.Win32.Agent.bso
McAfee 5403 2008.10.11 -
Microsoft 1.4005 2008.10.13 Adware:Win32/AdRotator
NOD32 3516 2008.10.13 a variant of Win32/Adware.GooochiBiz
Norman 5.80.02 2008.10.10 -
Panda 9.0.0.4 2008.10.12 -
PCTools 4.4.2.0 2008.10.12 -
Prevx1 V2 2008.10.13 -
Rising 20.65.42.00 2008.10.10 Trojan.Clicker.Win32.Agent.yrd
SecureWeb-Gateway 6.7.6 2008.10.12 Trojan.Dropper.Click.Agent.bso.1
Sophos 4.34.0 2008.10.13 AdRotate
Sunbelt 3.1.1719.1 2008.10.13 -
Symantec 10 2008.10.13 Trojan.Adclicker
TheHacker 6.3.1.0.108 2008.10.11 -
TrendMicro 8.700.0.1004 2008.10.10 -
VBA32 3.12.8.6 2008.10.12 Trojan-Clicker.Win32.Agent.btf
ViRobot 2008.10.10.1416 2008.10.10 -
VirusBuster 4.5.11.0 2008.10.12 Adware.Rotator.Gen.2
Additional information
File size: 153484 bytes
MD5...: 6f6da22900c45df3c3c9a59763f195c4
SHA1..: b594614542f1419e7d33406a0fb059ecd08b3ba1
SHA256: 4529dff4b017f389cb080a715f1c41b652fa798d279e30f58617cabef84f65ab
SHA512: fadd504b3c66589630d8fb89c820f33297cac11105b94c802773cdcbd34e1280250b243affa8020c9d00aa738cc8201048bc005e421e6bd4eaef31982a6537be
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x403225
timedatestamp.....: 0x481c71ea (Sat May 03 14:08:42 2008)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x5934 0x5a00 6.46 663546ac41801daf2dc51f560ec05a56
.rdata 0x7000 0x1190 0x1200 5.18 db16645055619c0cc73276ff5c3adb75
.data 0x9000 0x1af98 0x400 4.70 f0511f18783910813a0de0de02bc1206
.ndata 0x24000 0xc000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x30000 0x908 0xa00 3.95 c0a106c18db3869de8209da342c73e62

( 8 imports )
> KERNEL32.dll: CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
> USER32.dll: EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
> GDI32.dll: SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
> SHELL32.dll: SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
> ADVAPI32.dll: RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
> COMCTL32.dll: ImageList_AddMasked, ImageList_Destroy, -, ImageList_Create
> ole32.dll: CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
> VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

( 0 exports )



File scntmtdl.exe_ received on 10.13.2008 04:37:15 (CET)
Result: 22/36 (61.12%)


Antivirus Version Last Update Result
AhnLab-V3 2008.10.10.1 2008.10.10 Win-Trojan/Agent.548934
AntiVir 7.8.1.34 2008.10.12 TR/Agent.tzh
Authentium 5.1.0.4 2008.10.12 -
Avast 4.8.1248.0 2008.10.12 Win32:Trojan-gen {Other}
AVG 8.0.0.161 2008.10.12 Generic11.ADC
BitDefender 7.2 2008.10.13 Trojan.Downloader.Agent.ZPK
CAT-QuickHeal 9.50 2008.10.13 -
ClamAV 0.93.1 2008.10.13 Trojan.Agent-43142
DrWeb 4.44.0.09170 2008.10.13 -
eSafe 7.0.17.0 2008.10.12 -
eTrust-Vet 31.6.6141 2008.10.10 -
Ewido 4.0 2008.10.12 Not-A-Virus.Adware.ZenoSearch
F-Prot 4.4.4.56 2008.10.12 -
F-Secure 8.0.14332.0 2008.10.13 W32/Malware
Fortinet 3.113.0.0 2008.10.13 -
GData 19 2008.10.13 Trojan.Downloader.Agent.ZPK
Ikarus T3.1.1.34.0 2008.10.13 Trojan.Agent.tzh
K7AntiVirus 7.10.491 2008.10.11 not-a-virus:AdWare.Win32.ZenoSearch.ca
Kaspersky 7.0.0.125 2008.10.13 not-a-virus:AdWare.Win32.ZenoSearch.ca
McAfee 5403 2008.10.11 -
Microsoft 1.4005 2008.10.13 Adware:Win32/ZenoSearch
NOD32 3516 2008.10.13 -
Norman 5.80.02 2008.10.10 W32/Malware.DJCZ
Panda 9.0.0.4 2008.10.12 Adware/Zenosearch
PCTools 4.4.2.0 2008.10.12 -
Prevx1 V2 2008.10.13 Worm
Rising 20.65.42.00 2008.10.10 -
SecureWeb-Gateway 6.7.6 2008.10.12 Trojan.Agent.tzh
Sophos 4.34.0 2008.10.13 ZenoSearch
Sunbelt 3.1.1719.1 2008.10.13 -
Symantec 10 2008.10.13 Trojan.Adclicker
TheHacker 6.3.1.0.108 2008.10.11 Adware/ZenoSearch.ca
TrendMicro 8.700.0.1004 2008.10.10 TROJ_ADCLICKE.IB
VBA32 3.12.8.6 2008.10.12 AdWare.Win32.ZenoSearch.ca
ViRobot 2008.10.10.1416 2008.10.10 -
VirusBuster 4.5.11.0 2008.10.12 -
Additional information
File size: 548928 bytes
MD5...: 78e055b9cdeed039b43fd9f14147d134
SHA1..: 1e8fa33df9a3c18cefe5d4b05b80875ee47f96a3
SHA256: 413ebc194ddbd243ccb052ca0e68992d2e287d8c7634819486b02c3c6be51830
SHA512: 281d725502dcbc271ff5cef60f8d44e7a974164cde8ca462943f7e19715471499cb2ff094ec4a00936f2560e4d39dec8cef2f52183e7ce429c32e38697214020
PEiD..: Armadillo v1.71
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x423c14
timedatestamp.....: 0x488c5b38 (Sun Jul 27 11:25:44 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x5b4d1 0x5c000 6.54 0fcdf5e3362c45d8d4fa876694988990
.rdata 0x5d000 0x17276 0x18000 5.04 98e1f00d2b526d0f5a83869713f8e9dd
.data 0x75000 0xebc8 0x9000 4.36 75d6b4370743f2cc0265ba5b7bb73d0e
.rsrc 0x84000 0x7d90 0x8000 3.86 9ac4274e5e1f28ca69538a87d842f14f

( 13 imports )
> WININET.dll: InternetSetStatusCallback, InternetGetLastResponseInfoA, InternetOpenUrlA, InternetOpenA, GopherFindFirstFileA, InternetFindNextFileA, FtpFindFirstFileA, HttpQueryInfoA, HttpSendRequestExA, HttpEndRequestA, HttpSendRequestA, HttpAddRequestHeadersA, InternetErrorDlg, HttpOpenRequestA, GopherOpenFileA, GopherGetAttributeA, GopherCreateLocatorA, FtpGetFileA, FtpPutFileA, FtpOpenFileA, FtpGetCurrentDirectoryA, FtpSetCurrentDirectoryA, FtpRemoveDirectoryA, FtpCreateDirectoryA, FtpRenameFileA, FtpDeleteFileA, InternetConnectA, InternetQueryDataAvailable, InternetWriteFile, InternetSetFilePointer, InternetGetCookieA, InternetSetCookieA, InternetReadFile, InternetSetOptionExA, InternetCloseHandle, InternetCrackUrlA, InternetCanonicalizeUrlA, InternetQueryOptionA
> KERNEL32.dll: SetFileTime, SetFileAttributesA, SetErrorMode, GetPrivateProfileIntA, GetPrivateProfileStringA, WritePrivateProfileStringA, GetCurrentDirectoryA, RtlUnwind, GetTimeZoneInformation, GetSystemTime, GetLocalTime, ExitProcess, GetStartupInfoA, GetCommandLineA, RaiseException, CreateThread, ExitThread, GetACP, HeapReAlloc, HeapSize, SetStdHandle, GetFileType, FatalAppExitA, LCMapStringA, LCMapStringW, UnhandledExceptionFilter, SystemTimeToFileTime, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetEnvironmentVariableA, GetVersionExA, HeapDestroy, HeapCreate, VirtualFree, SetUnhandledExceptionFilter, GetStringTypeA, GetStringTypeW, VirtualAlloc, IsBadWritePtr, GetDriveTypeA, IsBadReadPtr, IsBadCodePtr, IsValidLocale, IsValidCodePage, GetLocaleInfoA, EnumSystemLocalesA, GetUserDefaultLCID, SetConsoleCtrlHandler, GetLocaleInfoW, CompareStringA, CompareStringW, SetEnvironmentVariableA, LocalFileTimeToFileTime, GetFileTime, GetFileSize, CopyFileA, GlobalSize, GetOEMCP, GetCPInfo, TlsGetValue, LocalReAlloc, TlsSetValue, GlobalReAlloc, TlsFree, GlobalHandle, TlsAlloc, SizeofResource, GlobalFlags, GetProcessVersion, FindNextFileA, GlobalAlloc, GetCurrentThread, lstrcmpA, GetShortPathNameA, GetStringTypeExA, FindFirstFileA, FindClose, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, ReadFile, GetCurrentProcess, DuplicateHandle, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSection, LocalAlloc, EnterCriticalSection, lstrcpynA, FileTimeToLocalFileTime, FileTimeToSystemTime, CreateEventA, SuspendThread, SetThreadPriority, ResumeThread, SetEvent, GetThreadLocale, FormatMessageA, LocalFree, InterlockedDecrement, InterlockedIncrement, GetVersion, GetProfileStringA, lstrcatA, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, MulDiv, GetModuleHandleA, GlobalLock, GlobalUnlock, GlobalFree, LockResource, FindResourceA, LoadResource, GetFileAttributesA, 
MoveFileA, DeleteFileA, HeapAlloc, HeapFree, WideCharToMultiByte, SetLastError, OpenProcess, WaitForSingleObject, TerminateProcess, GetModuleFileNameA, GetSystemDirectoryA, CreateMutexA, lstrcmpiA, FreeLibrary, LoadLibraryA, GetProcAddress, CreateFileA, WriteFile, CloseHandle, lstrcpyA, GetFullPathNameA, MultiByteToWideChar, lstrlenW, GetVolumeInformationA, GetLastError, GetTickCount, GetCurrentThreadId, lstrlenA, Sleep, FreeEnvironmentStringsA
> USER32.dll: ReleaseCapture, WaitMessage, WindowFromPoint, DeleteMenu, GetNextDlgGroupItem, MessageBeep, InflateRect, DestroyIcon, SetRectEmpty, LoadAcceleratorsA, TranslateAcceleratorA, LoadMenuA, SetMenu, ReuseDDElParam, UnpackDDElParam, InvalidateRect, BringWindowToTop, GetDialogBaseUnits, PtInRect, GetClassNameA, GetSysColorBrush, LoadCursorA, MapDialogRect, SetWindowContextHelpId, SetCursor, ShowOwnedPopups, PostQuitMessage, CharUpperA, GetDesktopWindow, RegisterClipboardFormatA, GetMessageA, TranslateMessage, ValidateRect, GetCursorPos, wvsprintfA, CharNextA, OemToCharA, CharToOemA, ShowWindow, MoveWindow, IsDialogMessageA, ScrollWindowEx, IsDlgButtonChecked, SetDlgItemTextA, SetDlgItemInt, GetDlgItemTextA, GetDlgItemInt, CheckRadioButton, CheckDlgButton, LoadIconA, UpdateWindow, SendDlgItemMessageA, MapWindowPoints, GetSysColor, PeekMessageA, DispatchMessageA, SetFocus, AdjustWindowRectEx, EqualRect, DeferWindowPos, SetCapture, CopyRect, EndDeferWindowPos, IsWindowVisible, ScrollWindow, GetScrollInfo, SetScrollInfo, ShowScrollBar, GetScrollRange, SetScrollRange, GetScrollPos, SetScrollPos, MessageBoxA, IsChild, GetCapture, WinHelpA, wsprintfA, GetClassInfoA, RegisterClassA, LoadStringA, GetMenuItemCount, GetSubMenu, GetMenuItemID, TrackPopupMenu, SetWindowPlacement, GetDlgCtrlID, GetKeyState, CreateWindowExA, SetWindowsHookExA, CallNextHookEx, GetClassLongA, SetPropA, UnhookWindowsHookEx, GetPropA, CallWindowProcA, RemovePropA, DefWindowProcA, GetMessageTime, GetMessagePos, GetLastActivePopup, GetWindow, UnregisterClassA, HideCaret, ShowCaret, ExcludeUpdateRgn, DrawFocusRect, DefDlgProcA, IsWindowUnicode, SetWindowLongA, SetWindowPos, RegisterWindowMessageA, IntersectRect, SystemParametersInfoA, IsIconic, GetWindowPlacement, GrayStringA, DrawTextA, TabbedTextOutA, EndPaint, BeginPaint, GetWindowDC, ReleaseDC, RemoveMenu, GetMenuStringA, AppendMenuA, InsertMenuA, PostThreadMessageA, SetRect, BeginDeferWindowPos, CopyAcceleratorTableA, GetDC, ScreenToClient, 
EndDialog, GetActiveWindow, SetActiveWindow, CreateDialogIndirectParamA, DestroyWindow, GetWindowLongA, GetDlgItem, IsWindowEnabled, GetMenuCheckMarkDimensions, LoadBitmapA, GetMenuState, ModifyMenuA, SetMenuItemBitmaps, CheckMenuItem, SendMessageA, EnableMenuItem, GetFocus, GetParent, GetNextDlgTabItem, PostMessageA, EnumWindows, GetWindowTextLengthA, GetWindowTextA, IsWindow, SetWindowTextA, EnableWindow, GetForegroundWindow, GetWindowThreadProcessId, AttachThreadInput, SetForegroundWindow, OffsetRect, ClientToScreen, GetWindowRect, GetClientRect, SetTimer, GetSystemMetrics, GetMenu, DestroyMenu, KillTimer, GetTopWindow
> GDI32.dll: GetViewportExtEx, GetWindowExtEx, CreatePen, SetColorAdjustment, ExtCreatePen, CreateSolidBrush, CreateHatchBrush, CreatePatternBrush, CreateDIBPatternBrushPt, PtVisible, RectVisible, TextOutA, ExtTextOutA, Escape, GetDCOrgEx, GetObjectA, GetDeviceCaps, GetBkColor, BitBlt, CreateCompatibleDC, GetTextExtentPoint32A, GetTextMetricsA, CreateFontIndirectA, DPtoLP, LPtoDP, CopyMetaFileA, CreateDCA, GetMapMode, PatBlt, SetRectRgn, CombineRgn, CreateRectRgnIndirect, PlayMetaFile, EnumMetaFile, GetObjectType, PlayMetaFileRecord, ExtSelectClipRgn, SelectClipPath, CreateRectRgn, GetClipRgn, DeleteObject, GetTextExtentPointA, CreateDIBitmap, DeleteDC, CreateBitmap, GetTextColor, CreateFontA, PolylineTo, PolyDraw, SetArcDirection, ArcTo, GetCurrentPositionEx, SetMapperFlags, SetTextCharacterExtra, SetTextJustification, SetTextAlign, LineTo, MoveToEx, OffsetClipRgn, IntersectClipRect, ExcludeClipRect, SelectClipRgn, GetClipBox, ScaleWindowExtEx, SetWindowExtEx, OffsetWindowOrgEx, SetWindowOrgEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SetMapMode, SetTextColor, SetStretchBltMode, SetROP2, SetPolyFillMode, SetBkMode, SetBkColor, SelectPalette, GetStockObject, SelectObject, RestoreDC, SaveDC, StartDocA, PolyBezierTo
> comdlg32.dll: GetOpenFileNameA, GetFileTitleA, GetSaveFileNameA
> WINSPOOL.DRV: OpenPrinterA, DocumentPropertiesA, ClosePrinter
> ADVAPI32.dll: RegDeleteValueA, RegCreateKeyA, RegEnumKeyA, RegQueryValueA, RegSetValueA, RegOpenKeyA, RegCloseKey, RegDeleteKeyA, RegOpenKeyExA, RegQueryValueExA, RegCreateKeyExA, RegSetValueExA
> SHELL32.dll: DragFinish, ExtractIconA, SHGetFileInfoA, DragAcceptFiles, SHGetSpecialFolderLocation, SHGetPathFromIDListA, DragQueryFileA
> COMCTL32.dll: -
> oledlg.dll: -
> ole32.dll: CLSIDFromProgID, CLSIDFromString, CoDisconnectObject, CoGetClassObject, StgOpenStorageOnILockBytes, StgCreateDocfileOnILockBytes, CreateILockBytesOnHGlobal, CoTaskMemFree, CoTaskMemAlloc, CoRegisterMessageFilter, CoRegisterClassObject, CoFreeUnusedLibraries, ReleaseStgMedium, OleSetClipboard, OleIsCurrentClipboard, OleDuplicateData, CreateBindCtx, SetConvertStg, WriteFmtUserTypeStg, WriteClassStg, OleRegGetUserType, ReadFmtUserTypeStg, OleUninitialize, OleInitialize, OleRun, CoCreateInstance, CoUninitialize, CreateStreamOnHGlobal, CoRevokeClassObject, OleFlushClipboard, ReadClassStg, StringFromCLSID, CoTreatAsClass
> OLEPRO32.DLL: -
> OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -

( 0 exports )
Old 10-12-2008, 08:55 PM   #9
TSF Security Manager
Emeritus
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



Let's try once more to install the Recovery Console.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

J2SE Development Kit 5.0 Update 10
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) SE Runtime Environment 6 Update 1


These are all outdated, and security risks by having them installed still. Unfortunately, Java does not uninstall previous versions when you update, nor tell you that you should.

Leave Java(TM) 6 Update 7 alone, as it is the most recent.

---------------------------------------------------------------------------------------------

Please delete the existing, and download again, the Recovery Console file from Microsoft, in case the first one was somehow corrupted.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.


  • Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it as indicated in the above image. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

    ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

    As part of installing the Recovery Console, ComboFix will begin to run. Follow the prompts to install the Recovery Console. Your desktop may disappear. This is normal. It will return.

    Once the Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.



    Click on No.

    When complete, a log named CF_RC.txt will open. Please post the contents of that log in your next reply, after these next instructions.

    Note: If there's an error again, please make note of the exact error.

    ---------------------------------------------------------------------------------------------

  • Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    https://www.techsupportforum.com/security-center/hijackthis-log-help/300674-frostwire-pop-ups.html#post1752711

    File::
    C:\WINDOWS\pss\Deewoo.lnkStartup
    C:\Documents and Settings\Mr. Garry\Start Menu\Programs\Startup\Deewoo.lnk
    C:\Documents and Settings\Mr. Garry\Start Menu\Programs\Startup\DW_Start.lnk
    C:\WINDOWS\pss\DW_Start.lnkStartup
    Folder::
    C:\WINDOWS\R2FyeQ
    C:\Program Files\frostwire
    C:\Documents and Settings\Mr. Garry\Application Data\LimeWire
    C:\Documents and Settings\Mr. Garry\Application Data\FrostWire
    C:\Program Files\Incomplete

    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\Program Files\\FrostWire\\FrostWire.exe"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=-
    [-HKLM\~\startupfolder\C:^Documents and Settings^Mr. Garry^Start Menu^Programs^Startup^Deewoo.lnk]
    [-HKLM\~\startupfolder\C:^Documents and Settings^Mr. Garry^Start Menu^Programs^Startup^DW_Start.lnk]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]

    Collect::
    C:\WINDOWS\system32\g92.exe
    C:\WINDOWS\system32\scntmtdl.exe



    Save this as CFScript.txt




    Referring to the picture above, drag CFScript.txt into ComboFix.exe


  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

    Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.

    ---------------------------------------------------------------------------------------------
  • Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

    ---------------------------------------------------------------------------------------------

Please return with logs from:

C:\CF_RC.txt
ComboFix (C:\ComboFix.txt if it's been closed)
HijackThis
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

Microsoft MVP Consumer Security 2009 - 2015
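The post above asks the reader to go through the instructions before running anything. As an added illustration (not part of the thread, and not ComboFix's own code), the Python below reads a CFScript like the one in the post and lists what each section targets, so a reader can see what the script will act on before dropping it on ComboFix.exe. The section names (File::, Folder::, Registry::, Collect::) and the sample script are taken from the post; the Registry:: rules follow Windows .reg syntax (a `[key]` header selects a key, `[-key]` marks that key for deletion, `"name"=-` marks a value for deletion), which is an assumption about how ComboFix interprets them. ComboFix accepts other directives that are not modelled here, and the `~` inside the HKLM paths is ComboFix's abbreviated form, left unexpanded.

```python
"""Summarise a ComboFix CFScript before it is used.

Added example, not ComboFix's own code. Section names and the sample script
come from the forum post; Registry:: parsing follows Windows .reg syntax
(assumption about ComboFix's interpretation).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Only the four sections present in the post are modelled.
KNOWN_SECTIONS = {"File", "Folder", "Registry", "Collect"}

SECTION_RE = re.compile(r"^(\w+)::\s*$")
REG_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")               # [key] or [-key]
REG_VALUE_DEL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=-$')  # "name"=-
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")                    # C:\...


@dataclass
class RegistryAction:
    key: str
    kind: str                      # "delete_key" or "delete_value"
    value: Optional[str] = None


@dataclass
class CFScript:
    url: Optional[str] = None
    files: List[str] = field(default_factory=list)
    folders: List[str] = field(default_factory=list)
    collect: List[str] = field(default_factory=list)
    registry: List[RegistryAction] = field(default_factory=list)
    unknown_sections: List[str] = field(default_factory=list)


def _unescape_reg(s: str) -> str:
    """Undo .reg escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_cfscript(text: str) -> CFScript:
    script = CFScript()
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m.group(1), None
            if section not in KNOWN_SECTIONS:
                script.unknown_sections.append(section)
            continue
        if section is None:
            # Helpers put the thread URL ahead of the first section so the log is traceable.
            if line.startswith(("http://", "https://")) and script.url is None:
                script.url = line
            continue
        if section == "File":
            script.files.append(line)
        elif section == "Folder":
            script.folders.append(line)
        elif section == "Collect":
            script.collect.append(line)
        elif section == "Registry":
            km = REG_KEY_RE.match(line)
            if km:
                minus, current_key = km.groups()
                if minus:
                    script.registry.append(RegistryAction(current_key, "delete_key"))
                continue
            vm = REG_VALUE_DEL_RE.match(line)
            if vm and current_key:
                script.registry.append(
                    RegistryAction(current_key, "delete_value", _unescape_reg(vm.group(1))))
    return script


def invalid_paths(script: CFScript) -> List[str]:
    """Entries in File/Folder/Collect that are not absolute drive paths (copy/paste damage)."""
    return [p for p in script.files + script.folders + script.collect if not DRIVE_RE.match(p)]


# Sample input: the CFScript from the post, reproduced inline.
SAMPLE_CFSCRIPT = r"""
https://www.techsupportforum.com/security-center/hijackthis-log-help/300674-frostwire-pop-ups.html#post1752711

File::
C:\WINDOWS\pss\Deewoo.lnkStartup
C:\Documents and Settings\Mr. Garry\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Mr. Garry\Start Menu\Programs\Startup\DW_Start.lnk
C:\WINDOWS\pss\DW_Start.lnkStartup
Folder::
C:\WINDOWS\R2FyeQ
C:\Program Files\frostwire
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire
C:\Program Files\Incomplete

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\FrostWire\\FrostWire.exe"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
[-HKLM\~\startupfolder\C:^Documents and Settings^Mr. Garry^Start Menu^Programs^Startup^Deewoo.lnk]
[-HKLM\~\startupfolder\C:^Documents and Settings^Mr. Garry^Start Menu^Programs^Startup^DW_Start.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]

Collect::
C:\WINDOWS\system32\g92.exe
C:\WINDOWS\system32\scntmtdl.exe
"""

if __name__ == "__main__":
    sc = parse_cfscript(SAMPLE_CFSCRIPT)
    print(f"{len(sc.files)} files, {len(sc.folders)} folders, {len(sc.collect)} to collect")
    for a in sc.registry:
        print(f"{a.kind:13} {a.key}" + (f"  ->  {a.value}" if a.value else ""))
    print("malformed paths:", invalid_paths(sc) or "none")
```

Running it on the post's script shows that the firewall exception and the AppInit_DLLs value are cleared rather than their keys deleted, that the three `[-...]` entries remove whole msconfig startup records, and that the two Collect:: files go to analysis rather than being deleted outright.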
Old 10-12-2008, 09:34 PM   #10
 
Join Date: Oct 2008
Posts: 12
OS:



it gave me the error again. it says, error the installation file c:/documents and settings/Mr. Garry/Desktop/"whatever the full name of that recovery console is" does not exist. even though i have saved it directly to my desktop. since i couldn't install that i cannot give you the first report you asked for. i did submit that file online and here are the combofix and hijackthis scans.



ComboFix 08-10-11.04 - Mr. Garry 2008-10-12 22:21:05.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1633 [GMT -5:00]
Running from: C:\Documents and Settings\Mr. Garry\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mr. Garry\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Mr. Garry\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Mr. Garry\Start Menu\Programs\Startup\DW_Start.lnk
C:\WINDOWS\pss\Deewoo.lnkStartup
C:\WINDOWS\pss\DW_Start.lnkStartup
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Mr. Garry\Application Data\FrostWire
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\.NetworkShare\LimeWireWin4.16.6.exe
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\checkandupdate.txt
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\createtimes.cache
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\data.ser
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\downloads.dat
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\fileurns.bak
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\fileurns.cache
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\filters.props
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\frostwire.props
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\gnutella.net
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\installation.props
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\intent.props
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\library.dat
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\mojito.props
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\pub1.key
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\public.key
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\questions.props
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\responses.cache
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\secureMessage.key
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\simpp.xml
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\spam.dat
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\tables.props
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\themes\frostwire_theme.skin
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\themes\frostwire_theme\kill.png
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\themes\frostwire_theme\kill_on.png
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\themes\frostwire_theme\theme.txt
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\themes\frostwirePro_theme.fwtp
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\themes\frostwirePro_theme\theme.txt
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\themes\frostwirePro_theme\version.txt
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\ttree.cache
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\ttrees.cache
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\ttroot.cache
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\version.key
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\version.xml
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\xml\data\audio.sxml2
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\xml\data\delete_me
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\xml\data\video.sxml2
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\xml\misc\application.gif
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\xml\misc\audio.gif
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\xml\misc\document.gif
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\xml\misc\image.gif
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\xml\misc\video.gif
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\xml\schemas\application.xsd
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\xml\schemas\audio.xsd
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\xml\schemas\document.xsd
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\xml\schemas\image.xsd
C:\Documents and Settings\Mr. Garry\Application Data\FrostWire\xml\schemas\video.xsd
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\.NetworkShare\LimeWireWin4.14.10.exe
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\412splashpro.png
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\414splashfree.png
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\active.mojito
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\createtimes.cache
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\data.ser
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\fileurns.bak
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\fileurns.cache
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\filters.props
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\gnutella.net
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\installation.props
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\library.dat
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\limewire.props
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\mojito.props
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\passive.mojito
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\pub1.key
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\public.key
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\questions.props
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\responses.cache
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\secureMessage.key
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\simpp.xml
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\spam.dat
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\tables.props
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\black_theme.lwtp
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\black_theme\01_star.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\black_theme\02_star.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\black_theme\03_star.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\black_theme\04_star.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\black_theme\05_star.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\black_theme\chat.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\black_theme\dir_closed.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\black_theme\dir_open.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\black_theme\forward_dn.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\black_theme\forward_up.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\black_theme\kill.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\black_theme\kill_on.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\black_theme\lime.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\black_theme\logo.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\black_theme\notsearching.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\black_theme\pause_dn.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\black_theme\pause_up.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\black_theme\play_dn.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\black_theme\play_up.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\black_theme\question.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\black_theme\rewind_dn.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\black_theme\rewind_up.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\black_theme\searching.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\black_theme\splash.png
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\black_theme\splashpro.png
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\black_theme\stop_dn.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\black_theme\stop_up.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\black_theme\theme.txt
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\black_theme\warning.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\classic_theme.lwtp
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\classic_theme\01_star.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\classic_theme\02_star.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\classic_theme\03_star.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\classic_theme\04_star.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\classic_theme\05_star.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\classic_theme\chat.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\classic_theme\dir_closed.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\classic_theme\dir_open.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\classic_theme\forward_dn.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\classic_theme\forward_up.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\classic_theme\kill.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\classic_theme\logo.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\classic_theme\notsearching.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\classic_theme\pause_dn.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\classic_theme\pause_up.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\classic_theme\play_dn.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\classic_theme\play_up.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\classic_theme\question.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\classic_theme\rewind_dn.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\classic_theme\rewind_up.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\classic_theme\search.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\classic_theme\searching.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\classic_theme\splash.png
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\classic_theme\splashpro.png
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\classic_theme\stop_dn.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\classic_theme\stop_up.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\classic_theme\theme.txt
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\classic_theme\warning.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewire_theme.lwtp
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewire_theme\01_star.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewire_theme\02_star.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewire_theme\03_star.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewire_theme\04_star.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewire_theme\05_star.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewire_theme\chat.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewire_theme\dir_closed.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewire_theme\dir_open.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewire_theme\forward_dn.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewire_theme\forward_up.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewire_theme\kill.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewire_theme\kill_on.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewire_theme\lime.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewire_theme\logo.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewire_theme\notsearching.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewire_theme\pause_dn.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewire_theme\pause_up.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewire_theme\play_dn.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewire_theme\play_up.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewire_theme\question.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewire_theme\rewind_dn.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewire_theme\rewind_up.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewire_theme\searching.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewire_theme\splash.png
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewire_theme\splashpro.png
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewire_theme\stop_dn.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewire_theme\stop_up.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewire_theme\theme.txt
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewire_theme\warning.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewirePro_theme.lwtp
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewirePro_theme\01_star.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewirePro_theme\02_star.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewirePro_theme\03_star.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewirePro_theme\04_star.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewirePro_theme\05_star.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewirePro_theme\chat.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewirePro_theme\dir_closed.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewirePro_theme\dir_open.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewirePro_theme\forward_dn.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewirePro_theme\forward_up.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewirePro_theme\kill.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewirePro_theme\kill_on.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewirePro_theme\lime.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewirePro_theme\logo.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewirePro_theme\notsearching.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewirePro_theme\pause_dn.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewirePro_theme\pause_up.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewirePro_theme\play_dn.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewirePro_theme\play_up.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewirePro_theme\question.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewirePro_theme\rewind_dn.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewirePro_theme\rewind_up.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewirePro_theme\searching.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewirePro_theme\splash.png
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewirePro_theme\splashpro.png
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewirePro_theme\stop_dn.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewirePro_theme\stop_up.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewirePro_theme\theme.txt
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\limewirePro_theme\warning.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\other_theme.lwtp
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\other_theme\01_star.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\other_theme\02_star.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\other_theme\03_star.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\other_theme\04_star.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\other_theme\05_star.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\other_theme\chat.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\other_theme\forward_dn.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\other_theme\forward_up.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\other_theme\kill.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\other_theme\kill_on.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\other_theme\logo.png
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\other_theme\notsearching.png
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\other_theme\pause_dn.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\other_theme\pause_up.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\other_theme\play_dn.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\other_theme\play_up.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\other_theme\question.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\other_theme\rewind_dn.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\other_theme\rewind_up.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\other_theme\searching.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\other_theme\splash.png
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\other_theme\splashpro.png
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\other_theme\stop_dn.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\other_theme\stop_up.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\other_theme\theme.txt
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\other_theme\warning.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\windows_theme.lwtp
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\windows_theme\01_star.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\windows_theme\02_star.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\windows_theme\03_star.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\windows_theme\04_star.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\windows_theme\05_star.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\windows_theme\chat.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\windows_theme\forward_up.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\windows_theme\kill.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\windows_theme\kill_on.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\windows_theme\logo.png
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\windows_theme\notsearching.png
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\windows_theme\pause_up.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\windows_theme\play_dn.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\windows_theme\play_up.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\windows_theme\question.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\windows_theme\searching.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\windows_theme\splash.png
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\windows_theme\splashpro.png
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\windows_theme\stop_up.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\windows_theme\theme.txt
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\windows_theme\version.txt
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\themes\windows_theme\warning.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\ttree.cache
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\update.xml
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\version.key
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\version.xml
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\xml\data\audio.sxml
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\xml\data\delete_me
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\xml\data\image.sxml
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\xml\data\video.sxml
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\xml\misc\application.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\xml\misc\audio.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\xml\misc\document.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\xml\misc\image.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\xml\misc\video.gif
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\xml\schemas\application.xsd
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\xml\schemas\audio.xsd
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\xml\schemas\document.xsd
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\xml\schemas\image.xsd
C:\Documents and Settings\Mr. Garry\Application Data\LimeWire\xml\schemas\video.xsd
C:\Program Files\frostwire
C:\Program Files\frostwire\aopalliance.jar
C:\Program Files\frostwire\clink.jar
C:\Program Files\frostwire\commons-codec-1.3.jar
C:\Program Files\frostwire\commons-logging.jar
C:\Program Files\frostwire\daap.jar
C:\Program Files\frostwire\forms.jar
C:\Program Files\frostwire\foxtrot.jar
C:\Program Files\frostwire\FrostWire.exe
C:\Program Files\frostwire\FrostWire.jar
C:\Program Files\frostwire\gettext-commons.jar
C:\Program Files\frostwire\guice-1.0.jar
C:\Program Files\frostwire\hs_err_pid916.log
C:\Program Files\frostwire\httpclient-4.0-alpha3.jar
C:\Program Files\frostwire\httpcore-4.0-beta2.jar
C:\Program Files\frostwire\httpcore-nio-4.0-beta2.jar
C:\Program Files\frostwire\httpcore-niossl-4.0-alpha7.jar
C:\Program Files\frostwire\icu4j.jar
C:\Program Files\frostwire\jaudiotagger.jar
C:\Program Files\frostwire\jcraft.jar
C:\Program Files\frostwire\jdic.dll
C:\Program Files\frostwire\jdic.jar
C:\Program Files\frostwire\jdic_stub.jar
C:\Program Files\frostwire\jflac.jar
C:\Program Files\frostwire\jl.jar
C:\Program Files\frostwire\jmdns.jar
C:\Program Files\frostwire\jogg.jar
C:\Program Files\frostwire\jorbis.jar
C:\Program Files\frostwire\log.txt
C:\Program Files\frostwire\log4j.jar
C:\Program Files\frostwire\looks.jar
C:\Program Files\frostwire\messages.jar
C:\Program Files\frostwire\mp3spi.jar
C:\Program Files\frostwire\onion-common.jar
C:\Program Files\frostwire\onion-fec.jar
C:\Program Files\frostwire\ProgressTabs.jar
C:\Program Files\frostwire\seenMessages.dat
C:\Program Files\frostwire\swt.jar
C:\Program Files\frostwire\SystemUtilities.dll
C:\Program Files\frostwire\themes.jar
C:\Program Files\frostwire\tray.dll
C:\Program Files\frostwire\tritonus.jar
C:\Program Files\frostwire\vorbisspi.jar
C:\Program Files\Incomplete
C:\Program Files\Incomplete\.LimeWireIconFinder.htm
C:\WINDOWS\pss\Deewoo.lnkStartup
C:\WINDOWS\pss\DW_Start.lnkStartup
C:\WINDOWS\R2FyeQ
C:\WINDOWS\R2FyeQ\asappsrv.dll
C:\WINDOWS\R2FyeQ\command.exe
C:\WINDOWS\R2FyeQ\lZIVyk.vbs
C:\WINDOWS\system32\g92.exe
C:\WINDOWS\system32\scntmtdl.exe

.
((((((((((((((((((((((((( Files Created from 2008-09-13 to 2008-10-13 )))))))))))))))))))))))))))))))
.

2008-10-12 19:28 . 2008-10-12 19:30 <DIR> d-------- C:\rsit
2008-10-09 17:08 . 2008-10-09 17:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-09 16:44 . 2008-10-09 16:44 <DIR> d-------- C:\ie-spyad_zo
2008-10-09 16:35 . 2008-10-09 16:35 <DIR> d-------- C:\Program Files\Zoned Out
2008-10-09 16:20 . 2008-10-09 16:20 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-10-09 09:04 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-10-09 08:53 . 2008-10-09 08:53 <DIR> d-------- C:\Program Files\Panda Security
2008-10-09 03:32 . 2008-10-09 03:56 <DIR> d-------- C:\Documents and Settings\Mr. Garry\.housecall6.6
2008-10-09 02:32 . 2008-10-09 08:36 <DIR> d-------- C:\Program Files\XoftSpySE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-13 03:16 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 4
2008-10-13 03:09 --------- d-----w C:\Program Files\Java
2008-10-09 08:32 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2008-10-07 02:53 --------- d-----w C:\Program Files\WAR extract
2008-09-23 21:58 17 ----a-w C:\Program Files\stinger.opt
2008-09-06 01:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-04 20:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-09-04 20:42 --------- d-----w C:\Program Files\Outspark
2008-09-04 20:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Outspark
2008-09-04 15:17 --------- d-----w C:\Documents and Settings\Mr. Garry\Application Data\Uniblue
2008-09-04 15:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-09-04 15:07 147,456 ----a-w C:\WINDOWS\system32\vbzip10.dll
2008-09-04 03:24 --------- d-----w C:\Program Files\Download Manager
2008-08-19 08:00 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-07-31 15:41 68,616 ----a-w C:\WINDOWS\system32\XAPOFX1_1.dll
2008-07-31 15:41 238,088 ----a-w C:\WINDOWS\system32\xactengine3_2.dll
2008-07-31 15:40 509,448 ----a-w C:\WINDOWS\system32\XAudio2_2.dll
2008-07-26 02:43 235,884 ----a-w C:\WINDOWS\AudioGizmo_Toolbar_Uninstaller_906.exe
2007-08-27 00:45 769,031 ----a-w C:\Program Files\stinger.exe
2007-01-11 20:07 58,032,562 ----a-w C:\Program Files\Samsung_PC_Studio_311_FKB.exe
2003-03-31 12:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 07:56 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 07:56 1,028,096 --sha-w C:\WINDOWS\system32\mfc42.dll
2004-08-04 07:56 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 07:56 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 07:56 343,040 --sha-w C:\WINDOWS\system32\msvcrt.dll
2007-12-04 18:38 550,912 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 07:56 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2004-08-04 07:56 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((( [email protected]_20.51.23.88 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-09 21:47:02 60,828 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-10-13 03:22:45 60,828 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-10-09 21:47:02 400,794 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-10-13 03:22:46 400,794 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-07-02 57344]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 90112]
"PinnacleDriverCheck"="C:\WINDOWS\System32\PSDrvCheck.exe" [2003-08-28 396800]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-11-08 128920]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-07 185896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 286720]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 81920]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 267064]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"PowerStrip"="c:\program files\powerstrip\pstrip.exe" [2008-02-16 802552]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 8466432]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"CTHelper"="CTHELPER.EXE" [2003-06-19 C:\WINDOWS\system32\CTHELPER.EXE]
"AsioReg"="CTASIO.DLL" [2003-06-19 C:\WINDOWS\system32\CTASIO.DLL]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HPAiODevice(hp psc 700 series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe [2002-04-24 487484]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-06-29 00:43 8466432 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2007-03-30 13:34 25263144 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-03-24 01:30 1266936 C:\Program Files\Valve\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-06-29 00:43 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMP54GSSVC"=2 (0x2)
"RasAuto"=3 (0x3)
"RasMan"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Soulseek\\slsk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\ufr8ecat\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Valve\\Steam\\SteamApps\\ufr8ecat\\counter-strike\\hl.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 28544]
R2 PStrip;PStrip;C:\WINDOWS\system32\drivers\pstrip.sys [2007-07-14 27992]
S3 gkmixern;gkmixern;C:\DOCUME~1\MRCAEA~1.GAR\LOCALS~1\Temp\gkmixern.sys [ ]
S3 XDva143;XDva143;C:\WINDOWS\system32\XDva143.sys [ ]
.
Contents of the 'Scheduled Tasks' folder

2008-09-30 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2008-10-12 22:24:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-12 22:26:52
ComboFix-quarantined-files.txt 2008-10-13 03:26:41
ComboFix2.txt 2008-10-13 01:55:20

Pre-Run: 26,783,494,144 bytes free
Post-Run: 26,762,117,120 bytes free

480 --- E O F --- 2008-08-23 05:45:20
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:04 PM, on 10/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\program files\powerstrip\pstrip.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: AudioGizmo Toolbar Helper - {5980B104-CA68-4A9F-9E78-80ADBD2CA53B} - C:\Program Files\AudioGizmo Extension\v3.2.0.0\AudioGizmo_Toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: AudioGizmo Toolbar - {C6BB606F-232D-4957-8AFF-7D4F4A220F67} - C:\Program Files\AudioGizmo Extension\v3.2.0.0\AudioGizmo_Toolbar.dll
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] "REGSVR32.EXE" /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] "C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PowerStrip] "c:\program files\powerstrip\pstrip.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - https://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - https://upload.facebook.com/controls/...toUploader.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7195 bytes
disastertourism is offline  
Old 10-12-2008, 09:42 PM   #11
TSF Security Manager
Emeritus
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



Thanks for uploading the file, and for the information.

If you don't mind satisfying my curiosity, I'd like you to try this. We've made it through the malware removal process. There is a bit more work to do, but for the most part, we're looking for remnants. However, Recovery Console is a good thing to have preinstalled for future situations, for any tech. So...

Go to Start > Run > copy/paste the following, then press Enter:

Quote:
"C:\Documents and Settings\Mr. Garry\Desktop\ComboFix.exe" "C:\Documents and Settings\Mr. Garry\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe"
I should think the Recovery Console process would begin. If it does, follow the prompts as indicated before. Once RC is installed, click on No, and report back. If it fails again, report back, and we'll move on.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

Microsoft MVP Consumer Security 2009 - 2015
tetonbob is offline  
Old 10-12-2008, 09:49 PM   #12
 
Join Date: Oct 2008
Posts: 12
OS:



Nope, no luck. ComboFix starts and it does the same Recovery Console process, but then it gives me the same error message.
disastertourism is offline  
Old 10-12-2008, 10:02 PM   #13
TSF Security Manager
Emeritus
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



New instructions, please disregard previous post. (made after your Post #12)

OK, thanks for trying. I'll try to reproduce it on one of my machines.

Install this FREE AntiVirus program, update it, and run a full system scan.

Avira AntiVir Personal

Here is a tutorial on its setup and use:

https://www.techsupportforum.com/cont...ticles/64.html

When the scan is complete, click on the Report button. A log file will open. Please post that in your next reply.

Do not install more than one antivirus program because they will conflict with each other. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

---------------------------------------------------------------------------------------------


Also post a new HijackThis log.
tetonbob is offline  
Old 10-12-2008, 10:18 PM   #14
 
Join Date: Oct 2008
Posts: 12
OS:



I've downloaded AntiVir and am performing a full system scan now. I'll post the results when it finishes, though it may be in the morning depending on how long it takes, as it is getting late here. Thanks again for all the help so far.
disastertourism is offline  
Old 10-13-2008, 05:11 AM   #15
 
Join Date: Oct 2008
Posts: 12
OS:



Morning. Here is the report from the virus scan.


Avira AntiVir Personal
Report file date: Sunday, October 12, 2008 23:15

Scanning for 1678561 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: JOMUSIC

Version information:
BUILD.DAT : 8.1.0.331 16934 Bytes 8/12/2008 11:46:00
AVSCAN.EXE : 8.1.4.7 315649 Bytes 6/26/2008 15:57:53
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 14:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 19:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 14:58:52
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 17:33:34
ANTIVIR1.VDF : 7.0.5.1 8182784 Bytes 6/24/2008 20:54:15
ANTIVIR2.VDF : 7.0.7.12 4066816 Bytes 10/8/2008 04:13:16
ANTIVIR3.VDF : 7.0.7.29 137728 Bytes 10/12/2008 04:13:19
Engineversion : 8.1.1.35
AEVDF.DLL : 8.1.0.5 102772 Bytes 2/25/2008 16:58:21
AESCRIPT.DLL : 8.1.0.76 319867 Bytes 10/13/2008 04:13:45
AESCN.DLL : 8.1.0.23 119156 Bytes 7/10/2008 19:44:49
AERDL.DLL : 8.1.1.2 438644 Bytes 10/13/2008 04:13:43
AEPACK.DLL : 8.1.2.3 364918 Bytes 10/13/2008 04:13:40
AEOFFICE.DLL : 8.1.0.25 196986 Bytes 10/13/2008 04:13:36
AEHEUR.DLL : 8.1.0.59 1438071 Bytes 10/13/2008 04:13:34
AEHELP.DLL : 8.1.0.15 115063 Bytes 7/10/2008 19:44:48
AEGEN.DLL : 8.1.0.36 315764 Bytes 10/13/2008 04:13:25
AEEMU.DLL : 8.1.0.7 430452 Bytes 7/31/2008 15:33:21
AECORE.DLL : 8.1.1.11 172406 Bytes 10/13/2008 04:13:22
AEBB.DLL : 8.1.0.1 53617 Bytes 7/10/2008 19:44:48
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 15:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 16:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 10/13/2008 04:13:20
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 18:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 15:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 19:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 00:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 19:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 19:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 20:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 20:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Sunday, October 12, 2008 23:15

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'MsPMSPSv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'hposts07.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'MDM.EXE' - '1' Module(s) have been scanned
Scan process 'CTSVCCDA.EXE' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'hpoevm07.exe' - '1' Module(s) have been scanned
Scan process 'rapimgr.exe' - '1' Module(s) have been scanned
Scan process 'hpobrt07.exe' - '1' Module(s) have been scanned
Scan process 'wcescomm.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'PStrip.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'QTTask.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'daemon.exe' - '1' Module(s) have been scanned
Scan process 'CTHELPER.EXE' - '1' Module(s) have been scanned
Scan process 'CTDVDDET.exe' - '1' Module(s) have been scanned
Scan process 'CTSysVol.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'InCDsrv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
48 processes with 48 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '63' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Qoobox\Quarantine\[4][email protected]
[0] Archive type: ZIP
--> g92.exe
[DETECTION] Contains recognition pattern of the DR/Click.Agent.bso.1 dropper
--> scntmtdl.exe
[DETECTION] Is the TR/Agent.tzh Trojan
[NOTE] The file was moved to '495017d4.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\Fonts\a.zip.vir
[0] Archive type: ZIP
--> Setup.exe
[DETECTION] Is the TR/Dldr.VB.bsa.6 Trojan
[NOTE] The file was moved to '496d17f8.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\Fonts\Setup.exe.vir
[DETECTION] Is the TR/Dldr.VB.bsa.6 Trojan
[NOTE] The file was moved to '4967182f.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\Fonts\svchost.exe.vir
[DETECTION] Is the TR/Dldr.VB.bsa.6 Trojan
[NOTE] The file was moved to '49561840.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\R2FyeQ\command.exe.vir
[DETECTION] Is the TR/Spy.Banbra.df.199 Trojan
[NOTE] The file was moved to '4960183a.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\apxcdrjj.dll.vir
[DETECTION] Is the TR/Vundo.FKK Trojan
[NOTE] The file was moved to '496b183b.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\awtqoLeE.dll.vir
[DETECTION] Is the TR/Monder.mlo Trojan
[NOTE] The file was moved to '49671842.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\awtssrRI.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '49671843.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\awttsPge.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '48e7e55c.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\awttsPiI.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '49671845.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\bcwvwlht.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '496a1830.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\bjecexye.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49581837.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\bnacjwgi.dll.vir
[DETECTION] Is the TR/Monder.nvw Trojan
[NOTE] The file was moved to '4954183b.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\btjtzq.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '495d1842.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\bylwmhth.dll.vir
[DETECTION] Is the TR/Monder.115200.1 Trojan
[NOTE] The file was moved to '495f1847.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\byXrqQHA.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '494b1847.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\cbXNEVom.dll.vir
[DETECTION] Is the TR/Monder.34816.24 Trojan
[NOTE] The file was moved to '494b1831.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\cerftcqu.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '49651834.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\cfgakmwl.dll.vir
[DETECTION] Is the TR/Vundo.JO.2 Trojan
[NOTE] The file was moved to '495a1835.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\cnkybf.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '495e183e.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\dlohaofu.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4962183c.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\dwwnw64r.exe.vir
[DETECTION] Is the TR/Spy.Agent.MWB Trojan
[NOTE] The file was moved to '496a1848.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\efcAQiiG.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49561837.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\eixoaove.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48ebe524.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\eltkqunf.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4967183e.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\enrpuwbd.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49651840.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\fbdibdfj.dll.vir
[DETECTION] Is the TR/Monder.plo Trojan
[NOTE] The file was moved to '49571835.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\fgtqgumq.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4967183a.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\fmnmbcir.dll.vir
[DETECTION] Is the TR/Monder.pse Trojan
[NOTE] The file was moved to '49611840.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\gjiektpv.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '495c183e.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\gqqqdmwm.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49641845.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\hgGyvvSl.dll.vir
[DETECTION] Is the TR/Monder.34816.24 Trojan
[NOTE] The file was moved to '493a183c.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\ihimbngg.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48dce527.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\ijilyj.dll.vir
[DETECTION] Is the TR/Monder.pkn Trojan
[NOTE] The file was moved to '495c1840.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\ipheytlv.dll.vir
[DETECTION] Is the TR/Vundo.RE Trojan
[NOTE] The file was moved to '495b1846.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\jdilnk.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '495c183b.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\jvxqrray.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '496b184d.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\khfEUkIb.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4959183f.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\lgqdeffi.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4964183f.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\mlJcbYpn.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '493d1844.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\mpegajia.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49581848.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\mvbxtkmq.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4955184f.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\ndnluc.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4961183d.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\ntiluugj.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '495c184e.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\nxfdneyx.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49591852.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\oxajaevp.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49541853.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\pac.txt.vir
[DETECTION] Is the TR/Dldr.VB.VPG Trojan
[NOTE] The file was moved to '4956183c.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\pmnoMcBu.dll.vir
[DETECTION] Is the TR/Monder.34816.24 Trojan
[NOTE] The file was moved to '49611849.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\puoadd.dll.vir
[DETECTION] Is the TR/Monder.pse Trojan
[NOTE] The file was moved to '49621851.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\qccuto.dll.vir
[DETECTION] Is the TR/Vundo.RE Trojan
[NOTE] The file was moved to '4956183f.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\quqkmd.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49641852.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\rnwnw64j.exe.vir
[DETECTION] Is the TR/Spy.Agent.MWB Trojan
[NOTE] The file was moved to '496a184b.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\rqRKcaaY.dll.vir
[DETECTION] Is the TR/Monder.mlo Trojan
[NOTE] The file was moved to '4945184e.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\sebyel.dll.vir
[DETECTION] Is the TR/Monder.115200.1 Trojan
[NOTE] The file was moved to '49551843.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\skdhcz.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49571849.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\slncreej.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4961184b.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\ssqOFXrP.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '48e4e54b.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\tmgxisry.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '495a184d.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\tuvSkJBR.dll.vir
[DETECTION] Is the TR/Monder.34816.24 Trojan
[NOTE] The file was moved to '49691855.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\uamgvhdn.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49601842.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\uixhjr.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '496b184a.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\unhoptaa.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '495b1850.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\unscgvyq.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49661850.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\vblofspa.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '495f1844.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\vfjmeq.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '495d1849.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\vyjmacss.dll.vir
[DETECTION] Is the TR/Monder.pkn Trojan
[NOTE] The file was moved to '495d185c.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\wyykbbuu.dll.vir
[DETECTION] Is the TR/Monder.qie Trojan
[NOTE] The file was moved to '496c185d.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\xhrnjb.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4965184c.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\xlwgjibe.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '496a1850.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\yayvUonK.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '496c1845.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\zkwfce.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48eae549.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\ztgtll.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '495a1859.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\tdii.sys.vir
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '495c184a.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000006.exe
[DETECTION] Is the TR/Dldr.VB.bsa.6 Trojan
[NOTE] The file was moved to '49231821.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000007.exe
[DETECTION] Is the TR/Dldr.VB.bsa.6 Trojan
[NOTE] The file was moved to '49231822.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000010.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '485df5fb.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000011.exe
[DETECTION] Is the TR/Spy.Agent.MWB Trojan
[NOTE] The file was moved to '49231824.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000012.exe
[DETECTION] Is the TR/Spy.Agent.MWB Trojan
[NOTE] The file was moved to '485df5fd.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000013.dll
[DETECTION] Is the TR/Vundo.FKK Trojan
[NOTE] The file was moved to '49231823.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000015.dll
[DETECTION] Is the TR/Monder.mlo Trojan
[NOTE] The file was moved to '485df5fc.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000016.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '49231825.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000017.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '49231826.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000018.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '485df5ff.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000020.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49231bd8.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000023.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '485df5fe.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000024.dll
[DETECTION] Is the TR/Monder.nvw Trojan
[NOTE] The file was moved to '49231827.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000025.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '485df5f0.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000027.dll
[DETECTION] Is the TR/Monder.115200.1 Trojan
[NOTE] The file was moved to '485df601.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000028.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '49231bda.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000029.dll
[DETECTION] Is the TR/Monder.34816.24 Trojan
[NOTE] The file was moved to '485df603.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000030.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '49231bdc.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000031.dll
[DETECTION] Is the TR/Vundo.JO.2 Trojan
[NOTE] The file was moved to '49231829.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000032.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '485df5f2.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000035.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49231828.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000037.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '485df5f1.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000039.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4923182b.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000040.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '485df5f4.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000041.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4923182a.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000044.dll
[DETECTION] Is the TR/Monder.plo Trojan
[NOTE] The file was moved to '485df5f3.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000045.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4923182c.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000046.dll
[DETECTION] Is the TR/Monder.pse Trojan
[NOTE] The file was moved to '485df5f5.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000049.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4923182d.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000050.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '485df5f6.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000052.dll
[DETECTION] Is the TR/Monder.34816.24 Trojan
[NOTE] The file was moved to '4923182f.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000057.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4923182e.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000058.dll
[DETECTION] Is the TR/Monder.pkn Trojan
[NOTE] The file was moved to '485df5e8.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000059.dll
[DETECTION] Is the TR/Vundo.RE Trojan
[NOTE] The file was moved to '49231831.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000061.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '485df5ea.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000062.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '485df5f7.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000063.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '49231820.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000066.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '485df5f9.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000067.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '49231833.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000068.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '485df5ec.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000069.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49231835.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000071.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49231830.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000073.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '485df5e9.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000074.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '485df5ee.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000077.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49231837.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000079.dll
[DETECTION] Is the TR/Monder.34816.24 Trojan
[NOTE] The file was moved to '49231832.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000080.dll
[DETECTION] Is the TR/Monder.pse Trojan
[NOTE] The file was moved to '485df5eb.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000082.dll
[DETECTION] Is the TR/Vundo.RE Trojan
[NOTE] The file was moved to '49231834.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000083.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '485df5e0.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000085.dll
[DETECTION] Is the TR/Monder.mlo Trojan
[NOTE] The file was moved to '49231839.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000087.dll
[DETECTION] Is the TR/Monder.115200.1 Trojan
[NOTE] The file was moved to '485df5e2.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000089.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '485df5ed.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000090.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49231836.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000091.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '485df5ef.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000095.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4923183b.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000096.dll
[DETECTION] Is the TR/Monder.34816.24 Trojan
[NOTE] The file was moved to '485df5e4.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000097.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '485df605.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000098.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49231bde.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000100.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4923183d.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000101.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '485df5e6.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000104.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49231838.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000106.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '485df5e1.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000108.dll
[DETECTION] Is the TR/Monder.pkn Trojan
[NOTE] The file was moved to '4923183a.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000112.dll
[DETECTION] Is the TR/Monder.qie Trojan
[NOTE] The file was moved to '4923183f.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000113.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '485df598.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000114.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '49231841.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000115.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '485df5e3.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000116.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4923183c.qua'!
C:\System Volume Information\_restore{79DA10E3-E224-42D9-B1AA-79977C4348DC}\RP2\A0000118.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '485df5e5.qua'!
C:\WINDOWS\system32\drivers\dtscsi.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\drivers\sptd5005.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\enB\Wi03550xi.exe
[DETECTION] Is the TR/Spy.Agent.MWB Trojan
[NOTE] The file was moved to '49231bfa.qua'!
C:\WINDOWS\system32\vcom4\PAG32015t.exe
[DETECTION] Is the TR/PCK.Tibs.KV.5 Trojan
[NOTE] The file was moved to '493a1be5.qua'!
C:\WINDOWS\system32\wTR02\wTR022328.exe
[DETECTION] Is the TR/Dldr.VB.hff Trojan
[NOTE] The file was moved to '49451bfc.qua'!
C:\WINDOWS\system32\Xtmp\ATV5105nt.exe
[DETECTION] Is the TR/Dldr.CWS.gen.2 Trojan
[NOTE] The file was moved to '49491bfd.qua'!
Begin scan in 'D:\' <New Volume>


End of the scan: Monday, October 13, 2008 05:01
Used time: 5:46:29 Hour(s)

The scan has been done completely.

8019 Scanning directories
310450 Files were scanned
147 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
146 files were moved to quarantine
0 files were renamed
4 Files cannot be scanned
310299 Files not concerned
1634 Archives were scanned
4 Warnings
146 Notes
disastertourism is offline  
Old 10-13-2008, 08:31 AM   #16
TSF Security Manager
Emeritus
 
tetonbob
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



Good morning. Looking better.

The files which Avira could not open are related to DAEMON Tools. No worries. I'd like a look into a few other folders.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    DirLook::
    C:\WINDOWS\system32\enB
    C:\WINDOWS\system32\vcom4
    C:\WINDOWS\system32\wTR02
    C:\WINDOWS\system32\Xtmp

    Save this as CFScript.txt

    Referring to the picture above, drag CFScript.txt into ComboFix.exe


  3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  4. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  5. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.

  6. Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

    ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

Microsoft MVP Consumer Security 2009 - 2015
tetonbob is offline  
Old 10-13-2008, 07:00 PM   #17
 
Join Date: Oct 2008
Posts: 12
OS:



Alright, here they are. Sorry it's taken so long, I've been in class all day. First is ComboFix, then HijackThis.


ComboFix 08-10-12.01 - Mr. Garry 2008-10-13 19:49:33.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1537 [GMT -5:00]
Running from: C:\Documents and Settings\Mr. Garry\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mr. Garry\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-09-14 to 2008-10-14 )))))))))))))))))))))))))))))))
.

2008-10-12 23:11 . 2008-10-12 23:11 <DIR> d-------- C:\Program Files\Avira
2008-10-12 23:11 . 2008-10-12 23:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-10-12 19:28 . 2008-10-12 19:30 <DIR> d-------- C:\rsit
2008-10-09 17:08 . 2008-10-09 17:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-09 16:44 . 2008-10-09 16:44 <DIR> d-------- C:\ie-spyad_zo
2008-10-09 16:35 . 2008-10-09 16:35 <DIR> d-------- C:\Program Files\Zoned Out
2008-10-09 16:20 . 2008-10-09 16:20 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-10-09 09:04 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-10-09 08:53 . 2008-10-09 08:53 <DIR> d-------- C:\Program Files\Panda Security
2008-10-09 03:32 . 2008-10-09 03:56 <DIR> d-------- C:\Documents and Settings\Mr. Garry\.housecall6.6
2008-10-09 02:32 . 2008-10-09 08:36 <DIR> d-------- C:\Program Files\XoftSpySE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-13 03:16 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 4
2008-10-13 03:09 --------- d-----w C:\Program Files\Java
2008-10-09 08:32 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2008-10-07 02:53 --------- d-----w C:\Program Files\WAR extract
2008-09-23 21:58 17 ----a-w C:\Program Files\stinger.opt
2008-09-06 01:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-04 20:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-09-04 20:42 --------- d-----w C:\Program Files\Outspark
2008-09-04 20:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Outspark
2008-09-04 15:17 --------- d-----w C:\Documents and Settings\Mr. Garry\Application Data\Uniblue
2008-09-04 15:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-09-04 15:07 147,456 ----a-w C:\WINDOWS\system32\vbzip10.dll
2008-09-04 03:24 --------- d-----w C:\Program Files\Download Manager
2008-08-19 08:00 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-07-31 15:41 68,616 ----a-w C:\WINDOWS\system32\XAPOFX1_1.dll
2008-07-31 15:41 238,088 ----a-w C:\WINDOWS\system32\xactengine3_2.dll
2008-07-31 15:40 509,448 ----a-w C:\WINDOWS\system32\XAudio2_2.dll
2008-07-26 02:43 235,884 ----a-w C:\WINDOWS\AudioGizmo_Toolbar_Uninstaller_906.exe
2007-08-27 00:45 769,031 ----a-w C:\Program Files\stinger.exe
2007-01-11 20:07 58,032,562 ----a-w C:\Program Files\Samsung_PC_Studio_311_FKB.exe
2003-03-31 12:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 07:56 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 07:56 1,028,096 --sha-w C:\WINDOWS\system32\mfc42.dll
2004-08-04 07:56 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 07:56 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 07:56 343,040 --sha-w C:\WINDOWS\system32\msvcrt.dll
2007-12-04 18:38 550,912 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 07:56 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2004-08-04 07:56 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\system32\enB ----


---- Directory of C:\WINDOWS\system32\vcom4 ----


---- Directory of C:\WINDOWS\system32\wTR02 ----


---- Directory of C:\WINDOWS\system32\Xtmp ----



((((((((((((((((((((((((((((( [email protected]_20.51.23.88 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-05-09 18:15:51 45,376 ----a-w C:\WINDOWS\system32\drivers\avgntdd.sys
+ 2008-01-21 23:11:28 22,336 ----a-w C:\WINDOWS\system32\drivers\avgntmgr.sys
+ 2008-06-27 20:03:55 75,072 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys
+ 2007-03-01 15:34:22 28,352 ----a-w C:\WINDOWS\system32\drivers\ssmdrv.sys
- 2008-10-09 21:47:02 60,828 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-10-13 03:52:43 60,828 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-10-09 21:47:02 400,794 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-10-13 03:52:43 400,794 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-07-02 57344]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 90112]
"PinnacleDriverCheck"="C:\WINDOWS\System32\PSDrvCheck.exe" [2003-08-28 396800]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-11-08 128920]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-07 185896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 286720]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 81920]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 267064]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"PowerStrip"="c:\program files\powerstrip\pstrip.exe" [2008-02-16 802552]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 8466432]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"CTHelper"="CTHELPER.EXE" [2003-06-19 C:\WINDOWS\system32\CTHELPER.EXE]
"AsioReg"="CTASIO.DLL" [2003-06-19 C:\WINDOWS\system32\CTASIO.DLL]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HPAiODevice(hp psc 700 series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe [2002-04-24 487484]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-06-29 00:43 8466432 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2007-03-30 13:34 25263144 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-03-24 01:30 1266936 C:\Program Files\Valve\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-06-29 00:43 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMP54GSSVC"=2 (0x2)
"RasAuto"=3 (0x3)
"RasMan"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Soulseek\\slsk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\ufr8ecat\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Valve\\Steam\\SteamApps\\ufr8ecat\\counter-strike\\hl.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 28544]
R2 PStrip;PStrip;C:\WINDOWS\system32\drivers\pstrip.sys [2007-07-14 27992]
S3 gkmixern;gkmixern;C:\DOCUME~1\MRCAEA~1.GAR\LOCALS~1\Temp\gkmixern.sys [ ]
S3 XDva143;XDva143;C:\WINDOWS\system32\XDva143.sys [ ]

*Newly Created Service* - ANTIVIRSCHEDULER
*Newly Created Service* - ANTIVIRSERVICE
*Newly Created Service* - AVGIO
*Newly Created Service* - AVGNTFLT
*Newly Created Service* - AVIPBB
.
Contents of the 'Scheduled Tasks' folder

2008-09-30 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2008-10-13 19:52:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-13 19:56:10
ComboFix-quarantined-files.txt 2008-10-14 00:55:31
ComboFix2.txt 2008-10-13 03:26:53
ComboFix3.txt 2008-10-13 01:55:20

Pre-Run: 26,628,182,016 bytes free
Post-Run: 26,620,207,104 bytes free

174 --- E O F --- 2008-08-23 05:45:20




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:58:55 PM, on 10/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\program files\powerstrip\pstrip.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: AudioGizmo Toolbar Helper - {5980B104-CA68-4A9F-9E78-80ADBD2CA53B} - C:\Program Files\AudioGizmo Extension\v3.2.0.0\AudioGizmo_Toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: AudioGizmo Toolbar - {C6BB606F-232D-4957-8AFF-7D4F4A220F67} - C:\Program Files\AudioGizmo Extension\v3.2.0.0\AudioGizmo_Toolbar.dll
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] "REGSVR32.EXE" /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] "C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PowerStrip] "c:\program files\powerstrip\pstrip.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - https://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - https://upload.facebook.com/controls/...toUploader.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7853 bytes
Old 10-13-2008, 09:00 PM   #18
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



No problems on the delay. Real Life is important.

Logs look good. If you want to install the Recovery Console, to have available in the future should the need for it ever arise, move both ComboFix.exe and the Recovery Console package to the root of your OS, C drive. Perform the drag and drop, and it will (or should, from my testing) succeed at installing. You can then click on No once it's installed, as there's no need to further scan for malware.

If you prefer not to install it, let me know, and I'll have some final instructions for you.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

Microsoft MVP Consumer Security 2009 - 2015
Old 10-13-2008, 09:43 PM   #19
 
Join Date: Oct 2008
Posts: 12
OS:



Alright, I did what you suggested and it worked like a charm. Thanks a lot. So, what next?
Old 10-14-2008, 09:21 AM   #20
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



Next is to uninstall ComboFix, and provide you with some future protection information.

Your logs appear clean. You should be good to go. We still have a few items to address.

Go to Start -> Run -> copy/paste in the following single line command & click OK

combofix /u



This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
  • Microsoft Windows Update - https://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • Winpatrol

    Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    Do not install more than one AntiVirus program because they will conflict with each other.

  • FIREWALL
    Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. A tutorial on firewalls and a listing of some available ones can be found here.

    Do not install more than one firewall program because they will conflict with each other.

Scan here https://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

Here are some additional utilities that will further enhance your safety.
  • https://www.trillian.cc - Trillian or https://www.miranda-im.com - Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • https://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. While Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • https://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • https://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP/Vista. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting, and this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles.
If you want to fight back against the malware writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
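The hosts-file step above relies on mappings that point ad sites at 127.0.0.1. As an added example, not part of the thread and not the MVPS batch file, here is a Python parser that reads a hosts file and separates those sinkhole mappings from entries that redirect a name to some other address. That inverse case is the one a cleanup should also check for, because the same file is used by malware to keep update servers from resolving. The sample hosts file is constructed: 198.51.100.23 is from a documentation address range and the hostnames on those two lines are illustrative.

```python
import ipaddress

# Constructed sample hosts file for this example. The blocklist lines are shaped like the
# MVPS entries described above; the last two mappings are constructed to show the opposite
# case, a real-looking hostname sent somewhere other than the local machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
0.0.0.0  ad.doubleclick.net
0.0.0.0  ads.example.net  # blocklist entry with a trailing comment
127.0.0.1  tracker.example.org  stats.example.org
198.51.100.23  www.windowsupdate.com
198.51.100.23  update.example-antivirus.test
garbage line that is not a mapping
"""

# Addresses that make a name unreachable instead of pointing it somewhere else.
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (ip, hostname, lineno) for every mapping in a hosts file.

    Comments, blank lines and malformed lines are skipped; a single line may
    carry several hostnames after its address, as the hosts format allows.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an address, so this is not a mapping
        for host in parts[1:]:
            yield parts[0], host.lower(), lineno


def classify_hosts(text):
    """Split mappings into sinkholed names (what an ad-blocking hosts file does)
    and redirected names (what a hijacked hosts file does).

    Returns (blocked, redirected); redirected entries carry (host, ip, lineno)
    so the analyst can go straight to the offending line.
    """
    blocked, redirected = [], []
    for ip, host, lineno in parse_hosts(text):
        if host == "localhost" and ip in LOCAL_SINKS:
            continue  # the one mapping every hosts file legitimately carries
        if ip in LOCAL_SINKS:
            blocked.append(host)
        else:
            redirected.append((host, ip, lineno))
    return blocked, redirected


if __name__ == "__main__":
    blocked, redirected = classify_hosts(SAMPLE_HOSTS)
    print(f"{len(blocked)} names sinkholed to a local address")
    for host, ip, lineno in redirected:
        print(f"line {lineno}: {host} is redirected to {ip}; confirm this was intended")
```

On Windows XP the live file is %SystemRoot%\system32\drivers\etc\hosts. Feed its contents to classify_hosts() before and after the HOSTS.MVP swap described above: a long blocked list is expected, while anything in the redirected list needs an explanation, since a blocklist never points a name at a routable address.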
 
