Solved: virus causing blank desktop, HTJ log included


nightcrwlr

Thread Starter
Joined
Sep 23, 2003
Messages
38
Hi,
A friend of mine dl'd a virus or trojan that caused his computer to boot to a blank desktop (no icons or taskbar), the "click here to remove spyware" popups, and constantly try to connect to the internet. I was able to ctrl-alt-del into task manager to get the desktop back to normal, but it seems to restart explorer every 10 secs or so and seemed to prevent me from running any programs. I saw that their antivirus was out of date, so I uninstalled pccillin and installed AVG Free 8, which finds the Win32/Huer virus and efcASlkj.dll but can't seem to remove them. I searched online and found info on the zlob trojan that caused the same "symptoms", but not all the processes that it listed in the removal showed up, so I don't think that's the one. I did have msmsgs.exe, that when I ended its process, stopped the explorer restart but not the internet attempts. Here is the HTJ log AFTER ending the msmsgs.exe process.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:10:43 PM, on 5/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Microsoft LifeCam\MSCamSvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\Smilebox\SmileboxTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AOL9~1.0F\waol.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rsvp.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\AOL9~1.0F\shellmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\taskmgr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5238E
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B8491F3-7EEE-4756-AA78-303D35D9532C} - C:\WINDOWS\system32\efcASlkj.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DVA Gate - {5BFC1E05-8287-420E-8526-F6D76E1FEBB8} - C:\WINDOWS\gndarmblsnv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: (no name) - {CE86878F-D099-4FFC-A4DC-E51D192063B1} - C:\WINDOWS\system32\fccdebaa.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: wxdbpfvo - {C3169036-557E-45E1-840F-C845DC406C55} - C:\WINDOWS\wxdbpfvo.dll (file missing)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SmileboxTray] "C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\Smilebox\SmileboxTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKCU\..\Run: [awowonpd] C:\WINDOWS\system32\epkxwbsz.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRA~1\AOL9~1.0F\AOL.EXE" -b
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKLM\..\Policies\Explorer\Run: [D0ERd2pXaF] C:\Documents and Settings\All Users\Application Data\enqhihql\mxuxchmj.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: AOL &Dictionary Search - file:///C:\Program Files\Common Files\aol\AOLSearch/AOLDictionary.htm
O8 - Extra context menu item: AOL &Thesaurus Search - file:///C:\Program Files\Common Files\aol\AOLSearch/AOLThesauras.htm
O8 - Extra context menu item: AOL &Video Search - file:///C:\Program Files\Common Files\aol\AOLSearch/AOLVideo.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA12F14B-6C4F-4144-90B8-A685630F8948}: NameServer = 85.255.113.123,85.255.112.184
O17 - HKLM\System\CCS\Services\Tcpip\..\{B97B1F63-7203-4CD5-A7D3-9330F8670E23}: NameServer = 85.255.113.123,85.255.112.184
O17 - HKLM\System\CCS\Services\Tcpip\..\{C542180A-D12B-4342-BF87-1E9C9DF8A4D7}: NameServer = 85.255.113.123,85.255.112.184
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.123 85.255.112.184
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.123 85.255.112.184
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.123 85.255.112.184
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: fccdebaa - fccdebaa.dll (file missing)
O21 - SSODL: qadovnel - {189C4339-ED41-4537-AC59-1C828B6D748D} - C:\WINDOWS\qadovnel.dll
O21 - SSODL: bdkpfxqw - {7277041D-2417-420E-90DA-540A5571A575} - C:\WINDOWS\bdkpfxqw.dll
O23 - Service: Intel(R) Alert Service (AlertService) - Intel Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 11731 bytes


Any help would be greatly appreciated
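The lines in a log like the one above that a responder reads first are the O17 entries (every interface and every control set has been pointed at the same pair of public resolvers, which is what the later FixWareout run clears), the O2/O3/O20 entries marked (no name) or (file missing), the O21 SSODL entries and the O4 Policies\Explorer\Run load point. The Python script below is an added example for this thread, not HijackThis or FixWareout code; it triages a HijackThis-format log for exactly those indicators. The allow-list of expected resolvers is constructed (RFC 1918 ranges plus a TEST-NET block standing in for an ISP), and the sample log is built from lines copied from the log above plus one constructed clean O17 line as a control.

```python
"""Triage a HijackThis-format log for the load points that matter most.

Added example for this thread; not HijackThis code and not FixWareout code.
"""
import re
from ipaddress import ip_address, ip_network

# Resolvers this machine is expected to use. Constructed for the example:
# RFC 1918 ranges cover a home router; 203.0.113.0/24 (TEST-NET-3) stands in
# for a hypothetical ISP resolver block. Replace with the real values.
EXPECTED_RESOLVERS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
    ip_network("203.0.113.0/24"),
]

# O17 lines carry one NameServer value per interface or control set; the IPs
# are comma-separated under the interface keys and space-separated under
# Tcpip\Parameters, so both separators are accepted.
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
ENTRY_RE = re.compile(r"^(?P<section>O\d+|R\d) - (?P<rest>.*)$")


def unexpected_resolvers(servers_field):
    """Return the entries of an O17 NameServer value that are not expected resolvers."""
    flagged = []
    for token in re.split(r"[,\s]+", servers_field.strip()):
        if not token:
            continue
        try:
            addr = ip_address(token)
        except ValueError:
            flagged.append(token)  # not an IP literal at all; still worth a look
            continue
        if not any(addr in net for net in EXPECTED_RESOLVERS):
            flagged.append(token)
    return flagged


def triage(log_text):
    """Return (line, reason) pairs for the log lines that deserve a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            bad = unexpected_resolvers(m.group("servers"))
            if bad:
                findings.append((line, "O17 DNS override to unexpected resolver(s): " + ", ".join(bad)))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, rest = m.group("section"), m.group("rest")
        if "(file missing)" in rest:
            findings.append((line, section + " load point whose file is gone (orphaned entry)"))
        elif section in ("O2", "O3") and "(no name)" in rest:
            findings.append((line, section + " BHO/toolbar without a name; legitimate ones are normally named"))
        elif section == "O21":
            findings.append((line, "O21 SSODL entry; rarely used by legitimate software"))
        elif section == "O4" and r"\Policies\Explorer\Run" in rest:
            findings.append((line, "O4 Policies\\Explorer\\Run load point; installers rarely use it"))
    return findings


# Constructed sample: lines copied from the thread's HijackThis log, plus one
# clean O17 line (192.168.1.1, a home router) added as a control.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B8491F3-7EEE-4756-AA78-303D35D9532C} - C:\WINDOWS\system32\efcASlkj.dll
O3 - Toolbar: wxdbpfvo - {C3169036-557E-45E1-840F-C845DC406C55} - C:\WINDOWS\wxdbpfvo.dll (file missing)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Policies\Explorer\Run: [D0ERd2pXaF] C:\Documents and Settings\All Users\Application Data\enqhihql\mxuxchmj.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA12F14B-6C4F-4144-90B8-A685630F8948}: NameServer = 85.255.113.123,85.255.112.184
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.123 85.255.112.184
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
O20 - Winlogon Notify: fccdebaa - fccdebaa.dll (file missing)
O21 - SSODL: qadovnel - {189C4339-ED41-4537-AC59-1C828B6D748D} - C:\WINDOWS\qadovnel.dll
"""

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(reason)
        print("    " + line)
```

Run it and seven of the ten sample lines are reported; the Adobe BHO, the AVG tray entry and the control O17 line pass. The DNS check is the one that matters most for this thread: a per-interface NameServer override survives the removal of any single binary, so it must be checked on its own after cleanup, which is what the FixWareout "Prerun check" section in the follow-up post does.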

JSntgRvr

José
Retired Moderator and Malware Specialist
Joined
Jul 1, 2003
Messages
18,552
Hi, nightcrwlr :)

Welcome to TSG.

Please print these instructions for reference, as you will have to restart your computer during the fix.

Please download FixWareout from Here or Here.

Note: You will need to run this tool while having an Internet Connection. The tool will download other files while running.
  1. Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
  2. The fix will begin; follow the prompts.
  3. If your firewall gives an alert (because this tool will download additional files from the internet), please don't let your firewall block it, but allow it instead.
  4. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
  5. Once the desktop loads a text file will open (report.txt).
    Please post the C:\fixwareout\report.txt into this topic.
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
Running SDFix:
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    -----------------------------------------------------------
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

nightcrwlr

Thread Starter
Joined
Sep 23, 2003
Messages
38
I followed your directions and it seems to have worked; here are the log files.

Thank you for your help

FixWareOut log:
Username "Owner" - 05/19/2008 19:14:59 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdlqb.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.113.123 85.255.112.184" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{AA12F14B-6C4F-4144-90B8-A685630F8948}
"nameserver"="85.255.113.123,85.255.112.184" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{B97B1F63-7203-4CD5-A7D3-9330F8670E23}
"nameserver"="85.255.113.123,85.255.112.184" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{C542180A-D12B-4342-BF87-1E9C9DF8A4D7}
"nameserver"="85.255.113.123,85.255.112.184" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{506B92FB-A770-49DE-B465-8EA15A95D517}
"DhcpNameServer"="85.255.113.123,85.255.112.184" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{B97B1F63-7203-4CD5-A7D3-9330F8670E23}
"DhcpNameServer"="85.255.113.123,85.255.112.184" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{C542180A-D12B-4342-BF87-1E9C9DF8A4D7}
"DhcpNameServer"="85.255.113.123,85.255.112.184" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
~~~~~ Other
C:\WINDOWS\Temp\kdlqb.ren 66599 08/10/2004

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"
"AVG8_TRAY"="C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"SmileboxTray"="\"C:\\Documents and Settings\\Owner.YOUR-EBBFCF9347\\Application Data\\Smilebox\\SmileboxTray.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_9"
"awowonpd"="C:\\WINDOWS\\system32\\epkxwbsz.exe"
"AOL Fast Start"="\"C:\\PROGRA~1\\AOL9~1.0F\\AOL.EXE\" -b"
"Power2GoExpress"="NA"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~


ComboFix log:

ComboFix 08-05-15.3 - Owner 2008-05-19 19:45:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.547 [GMT -4:00]
Running from: C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Desktop\blackbird.jpg
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Desktop\EditorFKWP1.5.exe
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Desktop\EditorFKWP2.0.exe
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Desktop\Error Cleaner.url
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Desktop\fkwp1.5.exe
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Desktop\fkwp2.0.exe
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Desktop\fwebd.exe
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Desktop\FWebdEditor.exe
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Desktop\Privacy Protector.url
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Favorites\Error Cleaner.url
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Favorites\Privacy Protector.url
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Favorites\Spyware&Malware Protection.url
C:\Program Files\PC-Cleaner
C:\Program Files\PC-Cleaner\com\pcsd.dll
C:\Program Files\PC-Cleaner\extensions.bak
C:\Program Files\PC-Cleaner\install\PC-Cleaner.exe
C:\Program Files\PC-Cleaner\PC-Cleaner.db
C:\Program Files\PC-Cleaner\PC-Cleaner.exe
C:\Program Files\PC-Cleaner\pccleaner.pkg
C:\Program Files\PC-Cleaner\program.info
C:\Program Files\PC-Cleaner\Uninstall.exe
C:\Program Files\PC-Cleaner\Uninstall.exe.bak
C:\WINDOWS\a.bat
C:\WINDOWS\base64.tmp
C:\WINDOWS\bdkpfxqw.dll
C:\WINDOWS\bdn.com
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\iTunesMusic.exe
C:\WINDOWS\mssecu.exe
C:\WINDOWS\qadovnel.dll
C:\WINDOWS\spwoqbmv.exe
C:\WINDOWS\system32\akttzn.exe
C:\WINDOWS\system32\anticipator.dll
C:\WINDOWS\system32\awtoolb.dll
C:\WINDOWS\system32\bdn.com
C:\WINDOWS\system32\bsva-egihsg52.exe
C:\WINDOWS\system32\dpcproxy.exe
C:\WINDOWS\system32\efcASlkj.dll
C:\WINDOWS\system32\emesx.dll
C:\WINDOWS\system32\h@tkeysh@@k.dll
C:\WINDOWS\system32\hoproxy.dll
C:\WINDOWS\system32\hxiwlgpm.dat
C:\WINDOWS\system32\hxiwlgpm.exe
C:\WINDOWS\system32\jklSAcfe.ini
C:\WINDOWS\system32\jklSAcfe.ini2
C:\WINDOWS\system32\medup012.dll
C:\WINDOWS\system32\medup020.dll
C:\WINDOWS\system32\msgp.exe
C:\WINDOWS\system32\msnbho.dll
C:\WINDOWS\system32\mssecu.exe
C:\WINDOWS\system32\msvchost.exe
C:\WINDOWS\system32\mtr2.exe
C:\WINDOWS\system32\mwin32.exe
C:\WINDOWS\system32\netode.exe
C:\WINDOWS\system32\newsd32.exe
C:\WINDOWS\system32\ps1.exe
C:\WINDOWS\system32\psof1.exe
C:\WINDOWS\system32\psoft1.exe
C:\WINDOWS\system32\regc64.dll
C:\WINDOWS\system32\regm64.dll
C:\WINDOWS\system32\Rundl1.exe
C:\WINDOWS\system32\smp
C:\WINDOWS\system32\smp\msrc.exe
C:\WINDOWS\system32\sncntr.exe
C:\WINDOWS\system32\ssvchost.com
C:\WINDOWS\system32\ssvchost.exe
C:\WINDOWS\system32\sysreq.exe
C:\WINDOWS\system32\taack.dat
C:\WINDOWS\system32\taack.exe
C:\WINDOWS\system32\temp#01.exe
C:\WINDOWS\system32\thun.dll
C:\WINDOWS\system32\thun32.dll
C:\WINDOWS\system32\VBIEWER.OCX
C:\WINDOWS\system32\vbsys2.dll
C:\WINDOWS\system32\vcatchpi.dll
C:\WINDOWS\system32\winlogonpc.exe
C:\WINDOWS\system32\winsystem.exe
C:\WINDOWS\system32\WINWGPX.EXE
C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\Web\def.htm
C:\WINDOWS\winsystem.exe
C:\WINDOWS\xbaqktfv.exe
C:\WINDOWS\zip1.tmp
C:\WINDOWS\zip2.tmp
C:\WINDOWS\zip3.tmp
C:\WINDOWS\zipped.tmp
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-04-19 to 2008-05-19 )))))))))))))))))))))))))))))))
.

2008-05-19 19:20 . 2008-05-19 19:26 <DIR> d-------- C:\SDFix
2008-05-19 19:14 . 2008-05-19 19:18 <DIR> d-------- C:\fixwareout
2008-05-18 13:29 . 2008-05-18 19:09 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-18 13:29 . 2008-05-18 13:29 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-18 13:29 . 2008-05-18 13:29 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-18 13:29 . 2008-05-18 13:29 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-18 13:28 . 2008-05-18 13:28 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-18 13:28 . 2008-05-18 13:28 <DIR> d-------- C:\Program Files\AVG
2008-05-18 13:28 . 2008-05-18 13:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-18 00:04 . 2008-05-18 00:04 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-05-05 20:31 . 2006-11-01 13:11 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\GTek
2008-05-05 20:31 . 2008-05-09 22:42 <DIR> d---s---- C:\Documents and Settings\Admin
2008-05-05 20:31 . 2008-05-19 19:44 1,024 --ah----- C:\Documents and Settings\Admin\ntuser.dat.LOG
2008-05-03 09:23 . 2008-05-03 09:24 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\PC-Cleaner
2008-05-01 20:18 . 2008-05-19 18:46 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\TmpRecentIcons
2008-05-01 07:47 . 2008-05-01 07:47 <DIR> d-------- C:\Program Files\alot
2008-05-01 07:46 . 2008-05-01 07:47 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\alot
2008-05-01 07:39 . 2008-04-30 12:19 258,048 --a------ C:\WINDOWS\gndarmblsnv.dll
2008-05-01 07:38 . 2008-05-18 13:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\enqhihql
2008-04-25 20:18 . 2008-04-25 11:27 299,008 --a------ C:\WINDOWS\qnmargoldpq.dll
2008-04-25 20:18 . 2008-04-25 11:26 225,280 --a------ C:\WINDOWS\wdpoefan.dll
2008-04-25 20:18 . 2008-04-25 11:26 196,608 --a------ C:\WINDOWS\vadokmxt.dll
2008-04-25 20:18 . 2008-04-25 11:27 81,920 --a------ C:\WINDOWS\wxvgsdbq.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-18 23:09 --------- d-----w C:\Program Files\Trend Micro
2008-05-15 19:04 --------- d--ha-w C:\Documents and Settings\All Users\Application Data\GTek
2008-05-10 03:35 16,462 ----a-w C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\wklnhst.dat
2008-05-02 00:05 --------- d-----w C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\Skype
2008-04-21 16:20 --------- d-----w C:\Program Files\PartyGaming
2008-04-17 00:49 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-05 01:34 --------- d-----w C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\uTorrent
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BFC1E05-8287-420E-8526-F6D76E1FEBB8}]
2008-04-30 12:19 258048 --a------ C:\WINDOWS\gndarmblsnv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{C3169036-557E-45E1-840F-C845DC406C55}"= "C:\WINDOWS\wxdbpfvo.dll" [ ]

[HKEY_CLASSES_ROOT\clsid\{c3169036-557e-45e1-840f-c845dc406c55}]
[HKEY_CLASSES_ROOT\wxdbpfvo.1]
[HKEY_CLASSES_ROOT\TypeLib\{D95C697F-D985-4AB1-92B5-40DF04BBE322}]
[HKEY_CLASSES_ROOT\wxdbpfvo]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 19:24 1694208]
"SmileboxTray"="C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\Smilebox\SmileboxTray.exe" [2007-10-17 06:32 201352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15:00 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"awowonpd"="C:\WINDOWS\system32\epkxwbsz.exe" [ ]
"Power2GoExpress"="NA" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-18 13:28 1177368]
"VX3000"="C:\WINDOWS\vVX3000.exe" [2006-04-25 23:09 994080]
"TM Outbreak Agent"="C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2006-11-17 17:14 4806656]
"SigmatelSysTrayApp"="sttray.exe" []
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-12-09 22:44 139264]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-01 13:07 98304]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2006-06-23 16:40 81920]
"PCClient.exe"="C:\Program Files\Trend Micro\Antivirus\PCClient.exe" [ ]
"pccguide.exe"="C:\Program Files\Trend Micro\Antivirus\pccguide.exe" [ ]
"NMSSupport"="C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-03-29 23:10 375296]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 20:16 1121792]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2006-04-27 20:36 260896]
"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [2006-07-13 17:34 9134080]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-06-23 16:41 98304]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 11:15 151552]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2006-06-23 16:44 86016]
"HostManager"="C:\Program Files\Common Files\AOL\1170558389\ee\AOLSoftware.exe" [2007-05-25 13:16 42032]
"EPSON Stylus CX4200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.exe" [2005-03-07 23:00 98304]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 23:56 64512]
"CHotkey"="zHotkey.exe" [2004-12-08 21:57 550912 C:\WINDOWS\zHotkey.exe]
"CCUTRAYICON"="C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2006-07-27 13:54 303104]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 20:19 77312 C:\WINDOWS\arpwrmsg.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [2006-11-01 13:04:13 2168360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccdebaa]
fccdebaa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"C:\\Program Files\\AOL 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"C:\\Program Files\\AOL 9.0a\\waol.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AOL 9.0b\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\1170558389\\ee\\aolsoftware.exe"=
"C:\\Program Files\\AOL 9.0c\\waol.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\AOL 9.0d\\waol.exe"=
"C:\\Program Files\\AOL 9.0e\\waol.exe"=
"C:\\Program Files\\AOL 9.0f\\waol.exe"=
"C:\\Program Files\\AOL 9.1\\waol.exe"=
"C:\\Program Files\\AOL 9.1a\\waol.exe"=
"C:\\Program Files\\AOL 9.1b\\waol.exe"=
"C:\\Program Files\\AOL 9.1c\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:mad:xpsp2res.dll,-22009

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-18 13:29]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-18 13:28]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-18 13:28]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-18 13:29]
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamSvc.exe" [2006-04-17 23:32]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-14 00:00:01 C:\WINDOWS\Tasks\wrSpySweeper_3FCAB2138A924222B2F60CB4BB138EB5.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe=/ScheduleSweep=wrSpySweeper_3FCAB2138A924222B2F60CB4BB138EB5
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
"2008-05-05 03:00:00 C:\WINDOWS\Tasks\wrSpySweeper_A9B730EE97D94F239C3171521051CE10.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe=/ScheduleSweep=wrSpySweeper_A9B730EE97D94F239C3171521051CE10
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-19 19:48:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
C:\Program Files\Common Files\AOL\acs\AOLacsd.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\ELService.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rsvp.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Webroot\Spy Sweeper\ssu.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2008-05-19 19:51:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-19 23:51:31

Pre-Run: 230,691,491,840 bytes free
Post-Run: 230,700,838,912 bytes free

285 --- E O F --- 2007-12-12 08:02:41

Thanks again.
 

nightcrwlr

Thread Starter
Joined
Sep 23, 2003
Messages
38
SD log:

System Report
*************

Run on Mon 05/19/2008 at 07:26 PM

Microsoft Windows XP [Version 5.1.2600]

Current user is an administrator

Running Processes:

\SystemRoot\System32\smss.exe [208]
\??\C:\WINDOWS\system32\csrss.exe [256]
\??\C:\WINDOWS\system32\winlogon.exe [280]
C:\WINDOWS\system32\services.exe [348]
C:\WINDOWS\system32\lsass.exe [360]
C:\WINDOWS\system32\svchost.exe [524]
C:\WINDOWS\system32\svchost.exe [588]
C:\WINDOWS\system32\svchost.exe [648]
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe [704]
C:\WINDOWS\system32\taskmgr.exe [1204]


Drivers - Running:

abp480n5
ACPI
ACPIEC
adpu160m
agp440
agpCPQ
Aha154x
aic78u2
aic78xx
AliIde
alim1541
amdagp
amsint
asc
asc3350p
asc3550
atapi
Beep
cbidf
cd20xrnt
Cdr4_xp
Cdralw2k
Cdrom
CmdIde
Compbatt
Cpqarray
dac2w2k
dac960nt
Disk
dmio
dmload
dpti2o
ELacpi
ELkbd
ELmou
Fastfat
FltMgr
Ftdisk
HDAudBus
HECI
hpn
i2omgmt
i2omp
i8042prt
iaStor
Imapi
ini910u
IntelIde
isapnp
Kbdclass
KSecDD
Mouclass
MountMgr
mraid35x
Msfs
mssmbios
Mup
NDIS
Npfs
Ntfs
Null
ohci1394
PartMgr
PCI
PCIIde
Pcmcia
perc2
perc2hib
pfc
PxHelp20
ql1080
Ql10wnt
ql12160
ql1240
ql1280
rdpdr
redbook
sisagp
Sparrow
sr
SSFS0509
SSHRMD
SSIDRV
SSKBFD
swenum
symc810
symc8xx
sym_hi
sym_u3
TermDD
TosIde
Udfs
ultra
Update
usbehci
usbhub
usbstor
usbuhci
VgaSave
viaagp
ViaIde
VolSnap


Drivers - Stopped:

Abiosdsk
aec
AFD
Arp1394
ARPolicy
ASCTRM
AsyncMac
Atdisk
Atmarpc
audstub
AvgLdx86
AvgMfx86
AvgTdiX
cbidf2k
CCDECODE
Cdaudio
Cdfs
Changer
CmBatt
dmboot
DMusic
drmkaud
e1express
ELhid
ELmon
Fdc
Fips
Flpydisk
GoProto
Gpc
HidUsb
HSFHWBS2
HSF_DPV
HTTP
ialm
intelppm
Ip6Fw
IpFilterDriver
IpInIp
IpNat
IPSec
IRENUM
kbdhid
kmixer
lbrtfdc
mdmxsdk
MHNDRV
mnmdd
Modem
mouhid
MRxDAV
MRxSmb
MSKSSRV
MSPCLOCK
MSPQM
MSTEE
NABTSFEC
NdisIP
NdisTapi
Ndisuio
NdisWan
NDProxy
NetBIOS
NetBT
NIC1394
NwlnkFlt
NwlnkFwd
Parport
ParVdm
PCIDump
PDCOMP
PDFRAME
PDRELI
PDRFRAME
PptpMiniport
PSched
Ptilink
RasAcd
Rasl2tp
RasPppoe
Raspti
Rdbss
RDPCDD
RDPWD
sdbus
Secdrv
Serenum
Serial
Sfloppy
sfng32
Simbad
SLIP
SONYPVU1
splitter
Srv
STHDA
streamip
swmidi
sysaudio
Tcpip
TDPIPE
TDTCP
TSHWMDTCP
usbaudio
usbccgp
usbprint
usbscan
VX3000
Wanarp
wanatw
WDICA
wdmaud
winachsf
WSTCODEC
WudfPf
WudfRd


Services - Running:

CryptSvc
DcomLaunch
dmserver
Eventlog
helpsvc
PlugPlay
RpcSs
srservice
WebrootSpySweeperService
winmgmt


Services - Stopped:

Alerter
AlertService
ALG
AOL
AppMgmt
ARSVC
aspnet_state
AudioSrv
avg8emc
avg8wd
BITS
Browser
CiSvc
ClipSrv
clr_optimization_v2.0.50727_32
COMSysApp
Dhcp
dmadmin
Dnscache
ehRecvr
ehSched
ELService
ERSvc
EventSystem
FastUserSwitchingCompatibility
HidServ
HTTPFilter
IAANTMON
ImapiService
ISSM
lanmanserver
lanmanworkstation
LmHosts
M1
MCLServiceATL
McrdSvc
Messenger
MHN
mnmsrvc
MSCamSvc
MSDTC
MSIServer
NetDDE
NetDDEdsdm
Netlogon
Netman
Nla
NtLmSsp
NtmsSvc
ose
PolicyAgent
PrismXL
ProtectedStorage
RasAuto
RasMan
RDSessMgr
Remote
RemoteAccess
RemoteRegistry
RpcLocator
RSVP
SamSs
SCardSvr
Schedule
seclogon
SENS
SharedAccess
ShellHWDetection
Spooler
SSDPSRV
stisvc
SwPrv
SysmonLog
TapiSrv
TermService
Themes
TlntSvr
TrkWks
upnphost
UPS
VSS
W32Time
WebClient
WmdmPmSN
Wmi
WmiApSrv
WMPNetworkSvc
wscsvc
wuauserv
WudfSvc
WZCSVC
xmlprov


Files Created/Modified - 60 Days:


C:\

May 19 2008 7:18:22p 209 A.SHR "C:\boot.ini"
May 19 2008 7:23:46p 1,572,864,000 A.SH. "C:\pagefile.sys"
May 19 2008 7:18:16p 52,866 A.... "C:\VETlog.dmp"
May 19 2008 7:18:16p 3,381,628 A.... "C:\VETlog.txt"


C:\WINDOWS\

May 19 2008 7:16:44p 0 A.... "C:\WINDOWS\0.log"
May 1 2008 7:38:44a 4,096 A.... "C:\WINDOWS\a.bat"
May 1 2008 7:38:44a 4,096 A.... "C:\WINDOWS\base64.tmp"
Apr 30 2008 12:19:14p 311,296 A.... "C:\WINDOWS\bdkpfxqw.dll"
May 1 2008 7:38:42a 4,096 A.... "C:\WINDOWS\bdn.com"
May 19 2008 7:23:54p 2,048 A.S.. "C:\WINDOWS\bootstat.dat"
May 1 2008 7:38:44a 4,096 A.... "C:\WINDOWS\FVProtect.exe"
Apr 30 2008 12:19:18p 258,048 A.... "C:\WINDOWS\gndarmblsnv.dll"
May 1 2008 7:38:44a 4,096 A.... "C:\WINDOWS\iTunesMusic.exe"
May 19 2008 1:53:26a 4,590 A.... "C:\WINDOWS\ModemLog_PCI Soft Data Fax Modem with SmartCP.txt"
May 1 2008 7:38:42a 4,096 A.... "C:\WINDOWS\mssecu.exe"
May 19 2008 7:24:52p 691,430 A.... "C:\WINDOWS\ntbtlog.txt"
May 5 2008 8:32:10p 1,523 A.... "C:\WINDOWS\OEWABLog.txt"
Apr 30 2008 12:19:12p 307,200 A.... "C:\WINDOWS\qadovnel.dll"
Apr 25 2008 11:27:06a 299,008 A.... "C:\WINDOWS\qnmargoldpq.dll"
May 19 2008 7:22:36p 20,502 A.... "C:\WINDOWS\SchedLgU.Txt"
May 15 2008 2:53:02p 373,874 A.... "C:\WINDOWS\setupact.log"
May 18 2008 12:01:38a 47,868 A.... "C:\WINDOWS\setupapi.log"
Apr 30 2008 12:19:24p 94,208 A.... "C:\WINDOWS\spwoqbmv.exe"
May 19 2008 7:18:22p 282 A.... "C:\WINDOWS\system.ini"
May 1 2008 7:38:44a 4,096 A.... "C:\WINDOWS\userconfig9x.dll"
Apr 25 2008 11:26:52a 196,608 A.... "C:\WINDOWS\vadokmxt.dll"
Apr 25 2008 11:26:56a 225,280 A.... "C:\WINDOWS\wdpoefan.dll"
May 19 2008 7:22:36p 216 A.... "C:\WINDOWS\wiadebug.log"
May 19 2008 7:16:42p 49 A.... "C:\WINDOWS\wiaservc.log"
May 19 2008 7:18:22p 863 A.... "C:\WINDOWS\win.ini"
May 19 2008 7:22:36p 1,420,072 A.... "C:\WINDOWS\WindowsUpdate.log"
May 1 2008 7:38:42a 4,096 A.... "C:\WINDOWS\winsystem.exe"
May 5 2008 8:32:10p 18,044 A.... "C:\WINDOWS\wmsetup.log"
Apr 25 2008 11:27:14a 81,920 A.... "C:\WINDOWS\wxvgsdbq.exe"
Apr 30 2008 12:19:16p 102,400 A.... "C:\WINDOWS\xbaqktfv.exe"
May 1 2008 7:38:44a 4,096 A.... "C:\WINDOWS\zip1.tmp"
May 1 2008 7:38:44a 4,096 A.... "C:\WINDOWS\zip2.tmp"
May 1 2008 7:38:44a 4,096 A.... "C:\WINDOWS\zip3.tmp"
May 1 2008 7:38:44a 4,096 A.... "C:\WINDOWS\zipped.tmp"
May 19 2008 7:23:54p 0 A.... "C:\WINDOWS\Debug\PASSWD.LOG"
May 15 2008 2:52:08p 4,100 A.... "C:\WINDOWS\inf\branches.PNF"
May 15 2008 2:52:10p 1,394,536 A.... "C:\WINDOWS\inf\INFCACHE.1"
May 19 2008 7:18:22p 209 ..... "C:\WINDOWS\pss\boot.ini.backup"
May 15 2008 2:55:34p 863 ..... "C:\WINDOWS\pss\win.ini.backup"
May 19 2008 7:16:46p 1,048,576 A.... "C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{A64208A5-824D-411E-87FE-A3B008B6F1B6}.crmlog"
May 1 2008 7:38:42a 4,096 A.... "C:\WINDOWS\system32\akttzn.exe"
May 1 2008 7:38:42a 4,096 A.... "C:\WINDOWS\system32\anticipator.dll"
May 18 2008 1:29:06p 10,520 A.... "C:\WINDOWS\system32\avgrsstx.dll"
May 1 2008 7:38:38a 4,096 A.... "C:\WINDOWS\system32\awtoolb.dll"
May 1 2008 7:38:42a 4,096 A.... "C:\WINDOWS\system32\bdn.com"
May 1 2008 7:38:44a 4,096 A.... "C:\WINDOWS\system32\bsva-egihsg52.exe"
May 15 2008 2:29:10p 0 A.... "C:\WINDOWS\system32\clkcnt.txt"
May 1 2008 7:38:42a 4,096 A.... "C:\WINDOWS\system32\dpcproxy.exe"
May 1 2008 7:44:14a 281,600 A.... "C:\WINDOWS\system32\efcASlkj.dll"
May 1 2008 7:38:42a 4,096 A.... "C:\WINDOWS\system32\emesx.dll"
May 1 2008 7:38:42a 4,096 A.... "C:\WINDOWS\system32\h@tkeysh@@k.dll"
May 1 2008 7:38:44a 4,096 A.... "C:\WINDOWS\system32\hoproxy.dll"
May 1 2008 7:38:44a 4,096 A.... "C:\WINDOWS\system32\hxiwlgpm.dat"
May 1 2008 7:38:44a 4,096 A.... "C:\WINDOWS\system32\hxiwlgpm.exe"
May 19 2008 7:26:08p 1,250,320 A.SH. "C:\WINDOWS\system32\jklSAcfe.ini"
May 19 2008 7:25:58p 1,250,206 A.SH. "C:\WINDOWS\system32\jklSAcfe.ini2"
May 1 2008 7:38:44a 4,096 A.... "C:\WINDOWS\system32\medup012.dll"
May 1 2008 7:38:44a 4,096 A.... "C:\WINDOWS\system32\medup020.dll"
May 1 2008 7:38:42a 4,096 A.... "C:\WINDOWS\system32\msgp.exe"
May 1 2008 7:38:44a 4,096 A.... "C:\WINDOWS\system32\msnbho.dll"
May 1 2008 7:38:42a 4,096 A.... "C:\WINDOWS\system32\mssecu.exe"
May 1 2008 7:38:42a 4,096 A.... "C:\WINDOWS\system32\msvchost.exe"
May 1 2008 7:38:42a 4,096 A.... "C:\WINDOWS\system32\mtr2.exe"
May 1 2008 7:38:44a 4,096 A.... "C:\WINDOWS\system32\mwin32.exe"
May 1 2008 7:38:42a 4,096 A.... "C:\WINDOWS\system32\netode.exe"
May 1 2008 7:38:42a 4,096 A.... "C:\WINDOWS\system32\newsd32.exe"
Apr 5 2008 8:46:40a 63,392 A.... "C:\WINDOWS\system32\perfc009.dat"
Apr 5 2008 8:46:40a 404,298 A.... "C:\WINDOWS\system32\perfh009.dat"
Apr 5 2008 8:46:40a 475,154 A.... "C:\WINDOWS\system32\PerfStringBackup.INI"
May 1 2008 7:38:44a 4,096 A.... "C:\WINDOWS\system32\ps1.exe"
May 1 2008 7:38:44a 4,096 A.... "C:\WINDOWS\system32\psof1.exe"
May 1 2008 7:38:44a 4,096 A.... "C:\WINDOWS\system32\psoft1.exe"
May 1 2008 7:38:42a 4,096 A.... "C:\WINDOWS\system32\regc64.dll"
May 1 2008 7:38:42a 4,096 A.... "C:\WINDOWS\system32\regm64.dll"
May 1 2008 7:38:42a 4,096 A.... "C:\WINDOWS\system32\Rundl1.exe"
May 1 2008 7:38:44a 4,096 A.... "C:\WINDOWS\system32\sncntr.exe"
May 1 2008 7:38:42a 4,096 A.... "C:\WINDOWS\system32\ssvchost.com"
May 1 2008 7:38:42a 4,096 A.... "C:\WINDOWS\system32\ssvchost.exe"
May 1 2008 7:38:42a 4,096 A.... "C:\WINDOWS\system32\sysreq.exe"
May 1 2008 7:38:44a 4,096 A.... "C:\WINDOWS\system32\taack.dat"
May 1 2008 7:38:44a 4,096 A.... "C:\WINDOWS\system32\taack.exe"
May 1 2008 7:38:42a 4,096 A.... "C:\WINDOWS\system32\temp#01.exe"
May 1 2008 7:38:42a 4,096 A.... "C:\WINDOWS\system32\thun.dll"
May 1 2008 7:38:42a 4,096 A.... "C:\WINDOWS\system32\thun32.dll"
May 1 2008 7:38:44a 4,096 A.... "C:\WINDOWS\system32\VBIEWER.OCX"
May 1 2008 7:38:38a 4,096 A.... "C:\WINDOWS\system32\vbsys2.dll"
May 1 2008 7:38:42a 4,096 A.... "C:\WINDOWS\system32\vcatchpi.dll"
May 1 2008 7:38:44a 4,096 A.... "C:\WINDOWS\system32\winlogonpc.exe"
May 1 2008 7:38:42a 4,096 A.... "C:\WINDOWS\system32\winsystem.exe"
May 1 2008 7:38:42a 4,096 A.... "C:\WINDOWS\system32\WINWGPX.EXE"
May 19 2008 7:17:00p 1,158 A.... "C:\WINDOWS\system32\wpa.dbl"
May 19 2008 7:22:36p 6 A..H. "C:\WINDOWS\Tasks\SA.DAT"
May 13 2008 8:00:02p 1,560 A.... "C:\WINDOWS\Tasks\wrSpySweeper_3FCAB2138A924222B2F60CB4BB138EB5.job"
May 4 2008 11:00:02p 1,560 A.... "C:\WINDOWS\Tasks\wrSpySweeper_A9B730EE97D94F239C3171521051CE10.job"
May 19 2008 7:26:10p 2,878 A.... "C:\WINDOWS\Temp\scsF.tmp"
May 18 2008 1:10:40p 25,137 A.... "C:\WINDOWS\Temp\tpm4FF.log"
May 19 2008 7:24:08p 255 A.... "C:\WINDOWS\Temp\WGAErrLog.txt"
May 19 2008 7:17:00p 409 A.... "C:\WINDOWS\Temp\WGANotify.settings"
May 1 2008 7:38:38a 1,871 A.... "C:\WINDOWS\Web\def.htm"
May 1 2008 8:04:12p 402,544 A.... "C:\WINDOWS\Debug\UserMode\userenv.bak"
May 19 2008 7:23:52p 105,500 A.... "C:\WINDOWS\Debug\UserMode\userenv.log"
May 17 2008 10:57:02p 1,458 A.... "C:\WINDOWS\security\logs\scecomp.old"
May 18 2008 1:29:02p 96,520 A.... "C:\WINDOWS\system32\drivers\avgldx86.sys"
May 18 2008 1:29:02p 26,184 A.... "C:\WINDOWS\system32\drivers\avgmfx86.sys"
May 18 2008 1:29:06p 75,272 A.... "C:\WINDOWS\system32\drivers\avgtdix.sys"
May 18 2008 2:19:58a 296 A.... "C:\WINDOWS\system32\Restore\rstrlog.dat"
May 1 2008 7:38:44a 4,096 A.... "C:\WINDOWS\system32\smp\msrc.exe"
May 18 2008 1:29:00p 5,618,689 A.... "C:\WINDOWS\system32\drivers\Avg\avi7.avg"
May 18 2008 1:29:02p 22,984,560 A.... "C:\WINDOWS\system32\drivers\Avg\incavi.avm"
May 18 2008 1:29:00p 57,347 A.... "C:\WINDOWS\system32\drivers\Avg\microavi.avg"
May 18 2008 1:29:00p 786,367 A.... "C:\WINDOWS\system32\drivers\Avg\miniavi.avg"
May 19 2008 7:17:28p 23 A.... "C:\WINDOWS\system32\drivers\etc\hosts"
May 15 2008 3:06:12p 149,398 A.... "C:\WINDOWS\system32\wbem\AutoRecover\8858F1BA0D460E5A5B27AB13DE3ACB5D.mof"


C:\Program Files\

May 3 2008 9:23:20a 1,474,560 A.... "C:\Program Files\PC-Cleaner\PC-Cleaner.exe"
May 9 2008 10:58:12p 253,952 A.... "C:\Program Files\PC-Cleaner\Uninstall.exe"
May 18 2008 1:28:54p 886,552 A.... "C:\Program Files\AVG\AVG8\avgabout.dll"
May 18 2008 1:28:52p 453,912 A.... "C:\Program Files\AVG\AVG8\avgcfgex.exe"
May 18 2008 1:28:52p 557,336 A.... "C:\Program Files\AVG\AVG8\avgcfgx.dll"
May 18 2008 1:28:54p 202,008 A.... "C:\Program Files\AVG\AVG8\avgcmgr.exe"
May 18 2008 1:28:54p 1,295,640 A.... "C:\Program Files\AVG\AVG8\avgcorex.dll"
May 18 2008 1:28:54p 72,984 A.... "C:\Program Files\AVG\AVG8\avgcrlpx.dll"
May 18 2008 1:28:52p 62,232 A.... "C:\Program Files\AVG\AVG8\avgdumpx.exe"
May 18 2008 1:28:54p 902,424 A.... "C:\Program Files\AVG\AVG8\avgemc.exe"
May 18 2008 1:28:54p 1,033,496 A.... "C:\Program Files\AVG\AVG8\avgfrw.exe"
May 18 2008 1:28:54p 697,088 A.... "C:\Program Files\AVG\AVG8\avginet.dll"
May 18 2008 1:28:54p 488,728 A.... "C:\Program Files\AVG\AVG8\avgiproxy.exe"
May 18 2008 1:28:52p 164,120 A.... "C:\Program Files\AVG\AVG8\avglngx.dll"
May 18 2008 1:28:54p 214,296 A.... "C:\Program Files\AVG\AVG8\avglogx.dll"
May 18 2008 1:28:54p 173,336 A.... "C:\Program Files\AVG\AVG8\avgmail.dll"
May 18 2008 1:28:54p 320,280 A.... "C:\Program Files\AVG\AVG8\avgmvflx.dll"
May 18 2008 1:28:54p 263,960 A.... "C:\Program Files\AVG\AVG8\avgoff2k.dll"
May 18 2008 1:28:58p 79,128 A.... "C:\Program Files\AVG\AVG8\avgpp.dll"
May 18 2008 1:28:54p 781,592 A.... "C:\Program Files\AVG\AVG8\avgresf.dll"
May 18 2008 1:28:54p 311,576 A.... "C:\Program Files\AVG\AVG8\avgrsx.exe"
May 18 2008 1:28:52p 333,056 A.... "C:\Program Files\AVG\AVG8\avgscanx.dll"
May 18 2008 1:28:52p 580,888 A.... "C:\Program Files\AVG\AVG8\avgscanx.exe"
May 18 2008 1:28:52p 349,976 A.... "C:\Program Files\AVG\AVG8\avgsched.dll"
May 18 2008 1:28:54p 108,824 A.... "C:\Program Files\AVG\AVG8\avgse.dll"
May 18 2008 1:28:52p 365,848 A.... "C:\Program Files\AVG\AVG8\avgsrmax.exe"
May 18 2008 1:28:52p 503,064 A.... "C:\Program Files\AVG\AVG8\avgsrmx.dll"
May 18 2008 1:28:54p 419,096 A.... "C:\Program Files\AVG\AVG8\avgssie.dll"
May 18 2008 1:28:54p 1,177,368 A.... "C:\Program Files\AVG\AVG8\avgtray.exe"
May 18 2008 1:28:54p 2,636,568 A.... "C:\Program Files\AVG\AVG8\avgui.exe"
May 18 2008 1:28:54p 1,621,784 A.... "C:\Program Files\AVG\AVG8\avguiadv.dll"
May 18 2008 1:28:54p 1,911,576 A.... "C:\Program Files\AVG\AVG8\avguires.dll"
May 18 2008 1:28:54p 1,019,672 A.... "C:\Program Files\AVG\AVG8\avgupd.dll"
May 18 2008 1:28:54p 796,440 A.... "C:\Program Files\AVG\AVG8\avgupd.exe"
May 18 2008 1:28:52p 155,928 A.... "C:\Program Files\AVG\AVG8\avgvvx.dll"
May 18 2008 1:28:52p 834,328 A.... "C:\Program Files\AVG\AVG8\avgwd.dll"
May 18 2008 1:28:52p 282,904 A.... "C:\Program Files\AVG\AVG8\avgwdsvc.exe"
May 18 2008 1:28:54p 264,984 A.... "C:\Program Files\AVG\AVG8\avgwdwsc.dll"
May 18 2008 1:28:54p 185,624 A.... "C:\Program Files\AVG\AVG8\avgxpl.dll"
May 18 2008 1:29:00p 17,321 A.... "C:\Program Files\AVG\AVG8\contacts_us.html"
May 18 2008 1:29:00p 1,045,128 A.... "C:\Program Files\AVG\AVG8\dbghelp.dll"
May 18 2008 1:28:54p 51,123 A.... "C:\Program Files\AVG\AVG8\dfncfg.dat"
May 18 2008 1:28:54p 53,528 A.... "C:\Program Files\AVG\AVG8\libsasl.dll"
May 18 2008 1:28:54p 18,200 A.... "C:\Program Files\AVG\AVG8\saslcrammd5.dll"
May 18 2008 1:28:54p 36,632 A.... "C:\Program Files\AVG\AVG8\sasldigestmd5.dll"
May 18 2008 1:28:54p 16,664 A.... "C:\Program Files\AVG\AVG8\sasllogin.dll"
May 18 2008 1:28:54p 16,664 A.... "C:\Program Files\AVG\AVG8\saslplain.dll"
May 18 2008 1:28:54p 847,949 A.... "C:\Program Files\AVG\AVG8\setup.dat"
May 18 2008 1:28:54p 1,751,320 A.... "C:\Program Files\AVG\AVG8\setup.exe"
Apr 21 2008 12:20:24p 130 A.... "C:\Program Files\PartyGaming\PartyPoker\ppunistall.bat"
Apr 21 2008 12:20:12p 825,376 A.... "C:\Program Files\PartyGaming\tmpUpgrade\upgradePG120-121man.exe"
May 9 2008 10:58:12p 307,200 A.... "C:\Program Files\PC-Cleaner\com\pcsd.dll"
May 9 2008 10:58:12p 1,474,560 A.... "C:\Program Files\PC-Cleaner\install\PC-Cleaner.exe"
May 18 2008 7:09:26p 396,288 A.... "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe"
May 13 2008 3:47:16p 97,808 A.... "C:\Program Files\Webroot\Spy Sweeper\compressed.dat"
Mar 21 2008 9:39:02p 447,728 A.... "C:\Program Files\Yahoo!\Messenger\yupdater.exe"
Apr 21 2008 12:20:18p 1,990,297 A.... "C:\Program Files\PartyGaming\PartyPoker\tmpUpgrade\upgradepp119-120man.exe"
May 9 2008 10:43:28p 0 A.... "C:\Program Files\Yahoo!\Messenger\Cache\eJzKeL3OY5jXrh_IXubBRQ--.ProfileMap.dat.tmp"
May 6 2008 7:55:58p 0 A.... "C:\Program Files\Yahoo!\Messenger\Cache\nLszaMErj_rP3fG_Vd3RTw--.ProfileMap.dat.tmp"
Apr 16 2008 8:50:10p 304,520 A.... "C:\Program Files\Adobe\Reader 8.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A81200000003}\Setup.exe"
May 17 2008 11:07:26p 864 A.... "C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\bf-500.dat"
May 17 2008 11:07:26p 416 A.... "C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\conf-100.dat"
May 17 2008 11:07:26p 288 A.... "C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\conf-900.dat"
May 17 2008 11:07:26p 160 A.... "C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\ie7conflict.dat"
May 17 2008 11:07:26p 96 A.... "C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\notes.dat"
May 17 2008 11:07:26p 736 A.... "C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\partner-700.dat"
May 17 2008 11:07:26p 608 A.... "C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\subscrip-2000.dat"
May 17 2008 11:07:26p 96 A.... "C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\survey.dat"
May 17 2008 11:07:26p 96 A.... "C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\updates-300.dat"
May 17 2008 11:08:00p 288 A.... "C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\urgent-800.dat"
Apr 21 2008 12:46:20p 17,114 A.... "C:\Program Files\PartyGaming\PartyPoker\Language\en_US\articles\16991.html"
Apr 21 2008 12:46:20p 16,611 A.... "C:\Program Files\PartyGaming\PartyPoker\Language\en_US\articles\6331.html"
Apr 21 2008 12:46:20p 20,909 A.... "C:\Program Files\PartyGaming\PartyPoker\Language\en_US\articles\6333.html"
Apr 21 2008 12:46:20p 37,014 A.... "C:\Program Files\PartyGaming\PartyPoker\Language\en_US\articles\66983.html"


Files with hidden attributes:

Mon 29 Jan 2007 46,640 A..H. --- "C:\Program Files\AOL 9.0\AOLphx.exe"
Mon 29 Jan 2007 54,832 A..H. --- "C:\Program Files\AOL 9.0\AOLphxex.exe"
Mon 29 Jan 2007 33,328 A..H. --- "C:\Program Files\AOL 9.0\rbm.exe"
Tue 6 Feb 2007 46,640 A..H. --- "C:\Program Files\AOL 9.0a\AOLphx.exe"
Tue 6 Feb 2007 54,832 A..H. --- "C:\Program Files\AOL 9.0a\AOLphxex.exe"
Tue 6 Feb 2007 33,328 A..H. --- "C:\Program Files\AOL 9.0a\rbm.exe"
Tue 20 Feb 2007 46,640 A..H. --- "C:\Program Files\AOL 9.0b\AOLphx.exe"
Tue 20 Feb 2007 54,832 A..H. --- "C:\Program Files\AOL 9.0b\AOLphxex.exe"
Tue 20 Feb 2007 33,328 A..H. --- "C:\Program Files\AOL 9.0b\rbm.exe"
Thu 15 Mar 2007 46,640 A..H. --- "C:\Program Files\AOL 9.0c\AOLphx.exe"
Thu 15 Mar 2007 54,832 A..H. --- "C:\Program Files\AOL 9.0c\AOLphxex.exe"
Thu 15 Mar 2007 33,328 A..H. --- "C:\Program Files\AOL 9.0c\rbm.exe"
Tue 3 Apr 2007 46,640 A..H. --- "C:\Program Files\AOL 9.0d\AOLphx.exe"
Tue 3 Apr 2007 54,832 A..H. --- "C:\Program Files\AOL 9.0d\AOLphxex.exe"
Tue 3 Apr 2007 33,328 A..H. --- "C:\Program Files\AOL 9.0d\rbm.exe"
Wed 11 Apr 2007 46,640 A..H. --- "C:\Program Files\AOL 9.0e\AOLphx.exe"
Wed 11 Apr 2007 54,832 A..H. --- "C:\Program Files\AOL 9.0e\AOLphxex.exe"
Wed 11 Apr 2007 33,328 A..H. --- "C:\Program Files\AOL 9.0e\rbm.exe"
Fri 13 Jul 2007 46,384 A..H. --- "C:\Program Files\AOL 9.0f\AOLphx.exe"
Fri 13 Jul 2007 54,576 A..H. --- "C:\Program Files\AOL 9.0f\AOLphxex.exe"
Fri 13 Jul 2007 33,072 A..H. --- "C:\Program Files\AOL 9.0f\rbm.exe"
Thu 26 Jul 2007 46,432 A..H. --- "C:\Program Files\AOL 9.1\AOLphx.exe"
Thu 26 Jul 2007 54,624 A..H. --- "C:\Program Files\AOL 9.1\AOLphxex.exe"
Thu 26 Jul 2007 33,120 A..H. --- "C:\Program Files\AOL 9.1\rbm.exe"
Fri 17 Aug 2007 46,432 A..H. --- "C:\Program Files\AOL 9.1a\AOLphx.exe"
Fri 17 Aug 2007 54,624 A..H. --- "C:\Program Files\AOL 9.1a\AOLphxex.exe"
Fri 17 Aug 2007 33,120 A..H. --- "C:\Program Files\AOL 9.1a\rbm.exe"
Fri 7 Sep 2007 46,432 A..H. --- "C:\Program Files\AOL 9.1b\AOLphx.exe"
Fri 7 Sep 2007 54,624 A..H. --- "C:\Program Files\AOL 9.1b\AOLphxex.exe"
Fri 7 Sep 2007 33,120 A..H. --- "C:\Program Files\AOL 9.1b\rbm.exe"
Mon 1 Oct 2007 46,432 A..H. --- "C:\Program Files\AOL 9.1c\AOLphx.exe"
Mon 1 Oct 2007 54,624 A..H. --- "C:\Program Files\AOL 9.1c\AOLphxex.exe"
Mon 1 Oct 2007 33,120 A..H. --- "C:\Program Files\AOL 9.1c\rbm.exe"
Tue 30 Oct 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 8 Oct 2007 96,072 ...H. --- "C:\Program Files\Common Files\AOL\TopSpeed\3.0\WBUnins.exe"
Wed 1 Nov 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Wed 1 Nov 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Wed 1 Nov 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"


Program Folders:

C:\Program Files\

Adobe
alot
AOL
AOL 9.0
AOL 9.0a
AOL 9.0b
AOL 9.0c
AOL 9.0d
AOL 9.0e
AOL 9.0f
AOL 9.1
AOL 9.1a
AOL 9.1b
AOL 9.1c
ArcSoft
AVG
BigFix
Common Files
ComPlus Applications
CONEXANT
CyberLink
DietPower 4.4
Digital Media Reader
epson
Gateway Games
Google
gtw_logo
InstallShield Installation Information
Intel
Intel Audio Studio
Internet Explorer
Java
McAfee
Messenger
Microsoft ActiveSync
Microsoft Digital Image 2006
microsoft frontpage
Microsoft LifeCam
Microsoft Money 2006
Microsoft Office
Microsoft Works
Microsoft.NET
Movie Maker
MSN
MSN Encarta Plus
MSN Gaming Zone
MSXML 4.0
Napster
NetMeeting
Online Services
Outlook Express
PartyGaming
PC-Cleaner
Pure Networks
QuickTime
Real
SigmaTel
Skype
Trend Micro
Uninstall Information
uTorrent
Viewpoint
Virtools
Webroot
WildTangent
Windows Media Connect 2
Windows Media Player
Windows NT
Windows Plus
WindowsUpdate
WinRAR
xerox
Yahoo!

continued...
 

nightcrwlr

Thread Starter
C:\Program Files\Common Files\

Adobe
AOL
aolshare
DESIGNER
InstallShield
Intel
Java
Microsoft Shared
MSSoap
New Boundary
Nullsoft
ODBC
Real
Roxio Shared
Services
Skype
SpeechEngines
System


Add/Remove Programs:

Adobe Flash Player ActiveX
AOL Toolbar 5.0
AOL Uninstaller (Choose which Products to Remove)
AVG Free 8.0
Microsoft Away Mode
BigFix
Soft Data Fax Modem with SmartCP
DietPower 4.4
dog1 Screen Saver
dog3 Screen Saver
Intel(R) Quick Resume Technology Drivers
EPSON Printer Software
EPSON Scan
gtw_logo
Intel(R) Graphics Media Accelerator Driver
Intel(R) Management Engine Interface
HijackThis 2.0.2
Microsoft Internationalized Domain Names Mitigation APIs
Windows Internet Explorer 7
Digital Media Reader
Intel® Viiv™ Software
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Security Update for Windows XP (KB883939)
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Microsoft .NET Framework 1.0 Hotfix (KB887998)
High Definition Audio Driver Package - KB888111
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Hotfix for Windows XP (KB888795)
Security Update for Windows XP (KB890046)
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Hotfix for Windows XP (KB891593)
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Hotfix for Windows XP (KB893357)
Security Update for Windows XP (KB893756)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Update for Windows XP (KB894391)
Hotfix for Windows XP (KB895953)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB896344)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Update for Windows XP (KB896727)
Security Update for Step By Step Interactive Training (KB898458)
Update for Windows XP (KB898461)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Update Rollup 2 for Windows XP Media Center Edition 2005
Update for Windows XP (KB900485)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Hotfix for Windows XP (KB902841)
Hotfix for Windows Media Player 10 (KB903157)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Update for Windows XP (KB904942)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Hotfix for Windows XP (KB906569)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Hotfix for Windows XP (KB909095)
Update for Windows Media Player 10 (KB910393)
Update for Windows XP (KB910437)
Hotfix for Windows XP (KB910728)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Hotfix for Windows XP (KB912024)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Update for Windows XP (KB912945)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913580)
Update for Windows Media Player 10 (KB913800)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB914906)
Hotfix for Windows XP (KB915865)
Security Update for Windows XP (KB916281)
Update for Windows XP (KB916595)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917537)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Update for Windows XP (KB920872)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Update for Windows XP (KB922582)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB925454)
Windows XP Media Center Edition 2005 KB925766
Security Update for Windows XP (KB925902)
Hotfix for Windows XP (KB926239)
Update for Windows Media Player 10 (KB926251)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Update for Windows XP (KB927891)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Hotfix for Windows XP (KB928388)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Update for Windows XP (KB929338)
Hotfix for Windows Media Format 11 SDK (KB929399)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Update for Windows XP (KB930916)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Update for Windows XP (KB931836)
Security Update for Windows XP (KB932168)
Update for Windows XP (KB933360)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Update for Windows XP (KB936357)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows Internet Explorer 7 (KB938127)
Update for Windows XP (KB938828)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows Internet Explorer 7 (KB939653)
Hotfix for Windows Media Player 11 (KB939683)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows Internet Explorer 7 (KB942615)
Update for Windows XP (KB942763)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944653)
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Money 2006
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft National Language Support Downlevel APIs
PartyPoker
PC-Cleaner
Microsoft Digital Image Starter Edition 2006
Intel(R) PRO Network Connections Drivers
QuickTime
RealPlayer Basic
Adobe Flash Player 9 ActiveX
EPSON CX 4200 4800 Guide
Skype 3.0
Starware Screensavers Toolbar
Viewpoint Media Player
Virtools 3D Life Player
WebVideo Support
Windows Genuine Advantage Validation Tool
Windows Genuine Advantage Notifications (KB905474)
Windows Media Format 11 runtime
Windows Media Player 11
WinRAR archiver
Windows Media Format 11 runtime
Windows Media Player 11
Microsoft User-Mode Driver Framework Feature Pack 1.0
Yahoo! Toolbar
Yahoo! Browser Services
Yahoo! Browser Services
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar
Yahoo! Install Manager
Recovery Software Suite Gateway
Google Earth
DVD Solution
Intel Audio Studio 2.0
J2SE Runtime Environment 5.0 Update 2
Java(TM) 6 Update 2
Java(TM) 6 Update 3
MSXML 4.0 SP2 (KB927978)
Skype Plugin Manager
Power2Go 4.0
Digital Media Reader
DietPower 4.4
Microsoft LifeCam
Microsoft Digital Image Starter Edition 2006 Editor
Intel Audio Studio 2.0
PowerDVD
Microsoft Digital Image Starter Edition 2006 Library
Microsoft Works
Multimedia Keyboard Driver
Microsoft .NET Framework 2.0
Microsoft Visual C++ 2005 Redistributable
Napster Burn Engine
Intel(R) Matrix Storage Manager
Microsoft Office Standard Edition 2003
Sonic Encoders
Microsoft Digital Image Library 9 - Blocker
SigmaTel Audio
Adobe Reader 8.1.2
Spy Sweeper
MSXML 4.0 SP2 (KB936181)
Microsoft .NET Framework 1.1
ArcSoft PhotoImpression 5
Intel® Viiv™ Software
Hallmark Smilebox
µTorrent


Run Values:

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG8_TRAY"="C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe"
"VX3000"="C:\\WINDOWS\\vVX3000.exe"
"TM Outbreak Agent"="\"C:\\Program Files\\Trend Micro\\Antivirus\\TMOAgent.exe\" /run"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe\""
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray"
"SigmatelSysTrayApp"="sttray.exe"
"Reminder"="%WINDIR%\\Creator\\Remind_XP.exe"
"Recguard"="%WINDIR%\\SMINST\\RECGUARD.EXE"
"readericon"="C:\\Program Files\\Digital Media Reader\\readericon45G.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Persistence"="C:\\WINDOWS\\system32\\igfxpers.exe"
"PCClient.exe"="\"C:\\Program Files\\Trend Micro\\Antivirus\\PCClient.exe\""
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Antivirus\\pccguide.exe\""
"NMSSupport"="\"C:\\Program Files\\Common Files\\Intel\\IntelDH\\NMS\\Support\\IntelHCTAgent.exe\" /startup"
"MSKDetectorExe"="C:\\Program Files\\McAfee\\SpamKiller\\MSKDetct.exe /uninstall"
"LifeCam"="\"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe\""
"IntelAudioStudio"="\"C:\\Program Files\\Intel Audio Studio\\IntelAudioStudio.exe\" TRAY"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"IAAnotif"="C:\\Program Files\\Intel\\Intel Matrix Storage Manager\\Iaanotif.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"HostManager"="\"C:\\Program Files\\Common Files\\AOL\\1170558389\\ee\\AOLSoftware.exe\""
"EPSON Stylus CX4200 Series"="\"C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAEA.EXE\" /P26 \"EPSON Stylus CX4200 Series\" /O6 \"USB001\" /M \"Stylus CX4200\""
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"CHotkey"="zHotkey.exe"
"CCUTRAYICON"="C:\\Program Files\\Intel\\IntelDH\\CCU\\CCU_TrayIcon.exe"
"AlwaysReady Power Message APP"="ARPWRMSG.EXE"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\optionalcomponents]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\optionalcomponents\IMAIL]
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\optionalcomponents\MAPI]
"Installed"="1"
"NoChange"="1"
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\optionalcomponents\MSFS]
"Installed"="1"
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"SmileboxTray"="\"C:\\Documents and Settings\\Owner.YOUR-EBBFCF9347\\Application Data\\Smilebox\\SmileboxTray.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_9"
"awowonpd"="C:\\WINDOWS\\system32\\epkxwbsz.exe"
"Power2GoExpress"="NA"


Bot Check:

SERVICE_NAME: wscsvc
DISPLAY_NAME : Security Center
START_TYPE : 2 AUTO_START

SERVICE_NAME: sharedaccess
DISPLAY_NAME : Windows Firewall/Internet Connection Sharing (ICS)
START_TYPE : 2 AUTO_START

SERVICE_NAME: wuauserv
DISPLAY_NAME : Automatic Updates
START_TYPE : 2 AUTO_START

SERVICE_NAME: srservice
DISPLAY_NAME : System Restore Service
START_TYPE : 2 AUTO_START

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
"AUOptions"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"WaitToKillServiceTimeout"="5000"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:00000000
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shell extensions]









[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"TransportBindName"="\\Device\\"


ShellExecuteHooks:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{CE86878F-D099-4FFC-A4DC-E51D192063B1}"=""



Environment:


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\environment
ComSpec REG_EXPAND_SZ %SystemRoot%\system32\cmd.exe
Path REG_EXPAND_SZ %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
windir REG_EXPAND_SZ %SystemRoot%
OS REG_SZ Windows_NT
PATHEXT REG_SZ .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
TEMP REG_EXPAND_SZ %SystemRoot%\TEMP
TMP REG_EXPAND_SZ %SystemRoot%\TEMP
SAFEBOOT_OPTION REG_SZ MINIMAL

SecurityProviders:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
SecurityProviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Authentication Packages:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Authentication Packages REG_MULTI_SZ msv1_0\0C:\WINDOWS\system32\efcASlkj\0\0


Subsystem Startup:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
"Windows"="%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"


Midi Drivers:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midi"="wdmaud.drv"


Non-Default IFEO Debugger:


Non-Default Installed Components:


Non-Default Safeboot Minimal:


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\webrootspysweeperservice
<NO NAME> REG_SZ Service


File Associations:


[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\cmdfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\htafile\shell\open\command]
@="C:\\WINDOWS\\system32\\mshta.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\http\shell\open\command]
@="C:\\PROGRA~1\\AOL9~1.0F\\aol.exe -u\"%1\""

[HKEY_CLASSES_ROOT\htmlfile\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" -nohome"

[HKEY_CLASSES_ROOT\regedit\shell\open\command]
@="regedit.exe %1"

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"%1\" /S"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\system32\NOTEPAD.EXE %1"


Finished!
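One line in the report above explains why this infection keeps coming back: LSA's Authentication Packages value lists C:\WINDOWS\system32\efcASlkj beside the default msv1_0, so lsass.exe maps that DLL at every boot (the module loader adds .dll to a name given without an extension, which is the efcASlkj.dll that AVG reported). The script below is an added example, not part of the post or of SDFix: it parses the two registry line styles the report uses and compares the security-critical values against Windows XP SP2 defaults. The BASELINE values, the severity split and the sample lines are this example's assumptions for a stock install with %WINDIR% at C:\WINDOWS.

```python
"""Compare security-critical registry values from an SDFix-style report with the
Windows XP SP2 defaults.  Added example for this thread, not part of the original
post or of SDFix; the BASELINE values are what a stock English XP SP2 install
carries (assumption: %WINDIR% is C:\WINDOWS, as in the report above)."""
import re

# Constructed sample: lines lifted from the report above.  Two formats appear in it:
# .reg-style "[key]" blocks with "name"=value lines, and reg-query-style "name TYPE data".
SAMPLE_REPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:00000000
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
SecurityProviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Authentication Packages REG_MULTI_SZ msv1_0\0C:\WINDOWS\system32\efcASlkj\0\0
"""

LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SECCENTER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
# XP SP2 defaults (assumption of this example): a list is a REG_MULTI_SZ, an int a DWORD, a str a REG_SZ.
BASELINE = {
    (LSA, "Authentication Packages"): ["msv1_0"],
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders", "SecurityProviders"):
        "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll",
    (WINLOGON, "Shell"): "Explorer.exe",
    (WINLOGON, "Userinit"): r"C:\WINDOWS\system32\userinit.exe,",
    (WINLOGON, "SFCDisable"): 0,
    (SECCENTER, "AntiVirusDisableNotify"): 0,
    (SECCENTER, "FirewallDisableNotify"): 0,
    (SECCENTER, "UpdatesDisableNotify"): 0,
}
# Values that load code into lsass.exe or winlogon.exe: any deviation here is HIGH.
CODE_LOADING = {"Authentication Packages", "SecurityProviders", "Shell", "Userinit"}

REG_LINE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')
QUERY_LINE = re.compile(r"^(.+?)\s+(REG_SZ|REG_EXPAND_SZ|REG_MULTI_SZ|REG_DWORD)\s+(.*)$")


def parse_report(text):
    """Return {(key, value name): data} from both line styles found in the report."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.startswith("HKEY_"):
            key = line
        elif key and (m := REG_LINE.match(line)):
            name, dword, s = m.groups()
            # .reg syntax doubles backslashes inside quoted strings; undo that
            values[(key, name)] = int(dword, 16) if dword is not None else s.replace("\\\\", "\\")
        elif key and (m := QUERY_LINE.match(line)):
            name, typ, data = m.groups()
            # REG_MULTI_SZ entries are printed NUL-separated as the two characters "\0"
            values[(key, name)] = [p for p in data.split(r"\0") if p] if typ == "REG_MULTI_SZ" else data
    return values


def check(values, baseline=BASELINE):
    """Return [(severity, key, name, expected, found)] for every baseline value that deviates.
    For a REG_MULTI_SZ, 'found' is the list of entries that are not part of the default set."""
    findings = []
    for (key, name), expected in baseline.items():
        found = values.get((key, name))
        if found is None:
            continue  # not captured in this report, nothing to compare
        if isinstance(expected, list):
            extra = [v for v in found if v.lower() not in {d.lower() for d in expected}]
            if extra:
                findings.append(("HIGH", key, name, expected, extra))
        elif str(found).lower() != str(expected).lower():
            findings.append(("HIGH" if name in CODE_LOADING else "MEDIUM", key, name, expected, found))
    return findings


if __name__ == "__main__":
    for sev, key, name, exp, got in check(parse_report(SAMPLE_REPORT)):
        print(f"{sev:6} {key}\\{name}: expected {exp!r}, found {got!r}")
```

Run against the sample it reports the extra authentication package as HIGH and the two Security Center flags as MEDIUM. A DLL listed under Authentication Packages is mapped into lsass.exe from boot, so a file scanner can name it but not delete it while it is in use; the registry entry has to be removed first, and on XP anything other than msv1_0 in that value deserves that treatment. The AntiVirusDisableNotify and FirewallDisableNotify flags at 1 mean the "antivirus out of date" and "firewall off" warnings were suppressed, whether by a user choice in Security Center or by the malware; either way they belong back at 0 once the machine is clean.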
 

nightcrwlr

Thread Starter
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:47:02 PM, on 5/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Microsoft LifeCam\MSCamSvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\AOL\1170558389\ee\AOLSoftware.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\Smilebox\SmileboxTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\BigFix\bigfix.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\rsvp.exe
C:\PROGRA~1\AOL9~1.0F\waol.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\PROGRA~1\AOL9~1.0F\shellmon.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5238E
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DVA Gate - {5BFC1E05-8287-420E-8526-F6D76E1FEBB8} - C:\WINDOWS\gndarmblsnv.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: wxdbpfvo - {C3169036-557E-45E1-840F-C845DC406C55} - C:\WINDOWS\wxdbpfvo.dll (file missing)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [readericon] "C:\Program Files\Digital Media Reader\readericon45G.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startup
O4 - HKLM\..\Run: [MSKDetectorExe] "C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" /uninstall
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1170558389\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [CCUTRAYICON] "C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe"
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SmileboxTray] "C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\Smilebox\SmileboxTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKCU\..\Run: [awowonpd] C:\WINDOWS\system32\epkxwbsz.exe
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: AOL &Dictionary Search - file:///C:\Program Files\Common Files\aol\AOLSearch/AOLDictionary.htm
O8 - Extra context menu item: AOL &Thesaurus Search - file:///C:\Program Files\Common Files\aol\AOLSearch/AOLThesauras.htm
O8 - Extra context menu item: AOL &Video Search - file:///C:\Program Files\Common Files\aol\AOLSearch/AOLVideo.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: fccdebaa - fccdebaa.dll (file missing)
O23 - Service: Intel(R) Alert Service (AlertService) - Intel Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 13103 bytes

As far as I'm concerned it can be marked solved. Thanks again.
 

JSntgRvr

José
Retired Moderator and Malware Specialist
Joined
Jul 1, 2003
Messages
18,552
Hi, nightcrwlr :)

Still infected. You ran SDFix in Normal Mode; it must be run in Safe Mode. Post the resulting report.

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
Code:
File::
C:\WINDOWS\qnmargoldpq.dll  
C:\WINDOWS\wdpoefan.dll  
C:\WINDOWS\vadokmxt.dll  
C:\WINDOWS\wxvgsdbq.exe  
C:\WINDOWS\gndarmblsnv.dll 

Folder::
C:\Documents and Settings\All Users\Application Data\enqhihql

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BFC1E05-8287-420E-8526-F6D76E1FEBB8}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
[-HKEY_CLASSES_ROOT\clsid\{c3169036-557e-45e1-840f-c845dc406c55}]
[-HKEY_CLASSES_ROOT\wxdbpfvo.1]
[-HKEY_CLASSES_ROOT\TypeLib\{D95C697F-D985-4AB1-92B5-40DF04BBE322}]
[-HKEY_CLASSES_ROOT\wxdbpfvo]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"awowonpd"=-
"Power2GoExpress"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccdebaa]


Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a HijackThis log.
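The CFScript above maps each bad HijackThis entry to the registry key or file behind it: the O2 BHO to its Browser Helper Objects entry and CLSID, the O3 toolbar to its CLSID registration, the O4 HKCU Run value to a "name"=- deletion, the O20 Winlogon Notify entry to its Notify subkey. The script below is an added example, not part of the thread, of HijackThis or of ComboFix: it runs a first-pass triage over HJT log lines (a constructed sample copied from the log above) and drafts the matching sections. Its point weights, the THRESHOLD, the RANDOM name pattern and the C:\WINDOWS root check are assumptions of this example, and the draft it prints still needs a human to review it.

```python
"""Triage HijackThis 2.0.x log lines and draft the matching ComboFix CFScript.
Added example for this thread, not part of the original posts, of HijackThis or
of ComboFix.  Point weights and THRESHOLD are this example's own assumptions,
and the draft it prints still needs a human review before it is used."""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "kind hive name clsid path missing")

# Constructed sample: lines copied from the HJT log above, mixed with known-good
# entries (BAE.dll, ctfmon, AVG's AppInit DLL) that the heuristics must leave alone.
SAMPLE_LOG = r"""
O2 - BHO: DVA Gate - {5BFC1E05-8287-420E-8526-F6D76E1FEBB8} - C:\WINDOWS\gndarmblsnv.dll (file missing)
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: wxdbpfvo - {C3169036-557E-45E1-840F-C845DC406C55} - C:\WINDOWS\wxdbpfvo.dll (file missing)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [awowonpd] C:\WINDOWS\system32\epkxwbsz.exe
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: fccdebaa - fccdebaa.dll (file missing)
"""

CLSID = r"(\{[0-9A-Fa-f-]{36}\})"
PATTERNS = [  # (kind, regex); parse() unpacks the groups by position
    ("BHO", re.compile(r"^O2 - BHO: (.*?) - " + CLSID + r" - (.*)$")),
    ("Toolbar", re.compile(r"^O3 - Toolbar: (.*?) - " + CLSID + r" - (.*)$")),
    ("Run", re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*)$")),
    ("Notify", re.compile(r"^O20 - Winlogon Notify: (.*?) - (.*)$")),
    ("AppInit", re.compile(r"^O20 - AppInit_DLLs: (.*)$")),
]
MISSING = re.compile(r"\s*\((?:file missing|no file)\)\s*$")
RANDOM = re.compile(r"^[a-z]{8,12}$")  # 8-12 lowercase letters, no digits, no case mix
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
THRESHOLD = 2  # assumption: one strong signal, or two weak ones, earns a flag


def parse(line):
    """Turn one HJT line into an Entry, or None for line types this example ignores."""
    line = line.strip()
    for kind, pat in PATTERNS:
        m = pat.match(line)
        if m:
            g = m.groups()
            hive = g[0] if kind == "Run" else None
            clsid = g[1] if kind in ("BHO", "Toolbar") else None
            name = None if kind == "AppInit" else g[1] if kind == "Run" else g[0]
            return Entry(kind, hive, name, clsid, MISSING.sub("", g[-1]), bool(MISSING.search(g[-1])))
    return None


def score(e):
    """Return (points, reasons).  Weights are this example's assumptions, not HJT's."""
    head, _, tail = e.path.rpartition("\\")
    stem = re.sub(r"\.(dll|exe)$", "", tail, flags=re.I)
    rules = [
        (e.missing, 3, "target file missing: orphaned entry, or a file hidden from the scanner"),
        (head.lower() == r"c:\windows" and RANDOM.match(stem), 2,  # assumes XP's default %WINDIR%
         "random-looking module dropped directly in the Windows root"),
        (e.kind == "Run" and RANDOM.match(e.name) and RANDOM.match(stem) and e.name != stem, 2,
         "random Run value name starting a differently named random EXE"),
        (e.kind == "Notify", 1, "non-default Winlogon Notify package, loaded into winlogon.exe"),
        (e.kind == "Notify" and RANDOM.match(e.name), 1, "random Notify package name"),
        (e.kind == "AppInit", 1, "AppInit_DLLs set: injected into every user32 process, verify the vendor"),
    ]
    hits = [(p, msg) for cond, p, msg in rules if cond]
    return sum(p for p, _ in hits), [msg for _, msg in hits]


def triage(log_text):
    """Return [(entry, points, reasons)] for every parsed line scoring >= THRESHOLD."""
    out = []
    for line in log_text.splitlines():
        e = parse(line)
        if e is not None:
            pts, why = score(e)
            if pts >= THRESHOLD:
                out.append((e, pts, why))
    return out


def to_cfscript(flagged):
    """Draft File:: and Registry:: sections in the CFScript syntax used above.
    A bare DLL name (no directory) gets no File:: line because its location is unknown."""
    files, reg = [], []
    for e, _, _ in flagged:
        if "\\" in e.path:
            files.append(e.path)
        if e.kind == "BHO":
            reg += [f"[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{e.clsid}]",
                    f"[-HKEY_CLASSES_ROOT\\CLSID\\{e.clsid}]"]
        elif e.kind == "Toolbar":  # the Toolbar key holds one value per CLSID: drop only ours
            reg += [r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]",
                    f'"{e.clsid}"=-', f"[-HKEY_CLASSES_ROOT\\CLSID\\{e.clsid}]"]
        elif e.kind == "Run":
            reg += [f"[{HIVES[e.hive]}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]", f'"{e.name}"=-']
        elif e.kind == "Notify":
            reg.append(f"[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\{e.name}]")
    return "\n".join((["File::"] + files + [""] if files else []) + (["Registry::"] + reg if reg else []))


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print("\n".join(f"[{p}] {e.kind} {e.name}: {'; '.join(w)}" for e, p, w in found), to_cfscript(found), sep="\n\n")
```

The weak signals (a random-looking name, a module sitting in the Windows root) deliberately need a second signal before an entry is flagged: igfxpers.exe and avgrsstx.dll look just as random as epkxwbsz.exe, so name shape alone is not evidence, whereas a (file missing) entry is either an orphan or a file the scanner cannot see and is worth acting on either way. The draft differs from the script above in one place: it deletes only the rogue toolbar's own CLSID value rather than the whole Internet Explorer\Toolbar key, which would also drop the Yahoo! and AOL toolbars listed at O3.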
 

nightcrwlr

Thread Starter
System Report
*************

Run on Tue 05/20/2008 at 11:42 PM

Microsoft Windows XP [Version 5.1.2600]

Current user is an administrator

Running Processes:

\SystemRoot\System32\smss.exe [208]
\??\C:\WINDOWS\system32\csrss.exe [256]
\??\C:\WINDOWS\system32\winlogon.exe [280]
C:\WINDOWS\system32\services.exe [348]
C:\WINDOWS\system32\lsass.exe [360]
C:\WINDOWS\system32\svchost.exe [516]
C:\WINDOWS\system32\svchost.exe [560]
C:\WINDOWS\system32\svchost.exe [608]
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe [640]
C:\WINDOWS\Explorer.EXE [948]
C:\WINDOWS\system32\ctfmon.exe [1080]


Drivers - Running:

abp480n5
ACPI
ACPIEC
adpu160m
agp440
agpCPQ
Aha154x
aic78u2
aic78xx
AliIde
alim1541
amdagp
amsint
asc
asc3350p
asc3550
atapi
Beep
cbidf
cd20xrnt
Cdr4_xp
Cdralw2k
Cdrom
CmdIde
Compbatt
Cpqarray
dac2w2k
dac960nt
Disk
dmio
dmload
dpti2o
ELacpi
ELkbd
ELmou
Fastfat
FltMgr
Ftdisk
HDAudBus
HECI
hpn
i2omgmt
i2omp
i8042prt
iaStor
Imapi
ini910u
IntelIde
isapnp
Kbdclass
KSecDD
Mouclass
MountMgr
mraid35x
Msfs
mssmbios
Mup
NDIS
Npfs
Ntfs
Null
ohci1394
PartMgr
PCI
PCIIde
Pcmcia
perc2
perc2hib
pfc
PxHelp20
ql1080
Ql10wnt
ql12160
ql1240
ql1280
rdpdr
redbook
sisagp
Sparrow
sr
SSFS0509
SSHRMD
SSIDRV
SSKBFD
swenum
symc810
symc8xx
sym_hi
sym_u3
TermDD
TosIde
Udfs
ultra
Update
usbehci
usbhub
usbstor
usbuhci
VgaSave
viaagp
ViaIde
VolSnap


Drivers - Stopped:

Abiosdsk
aec
AFD
Arp1394
ARPolicy
ASCTRM
AsyncMac
Atdisk
Atmarpc
audstub
AvgLdx86
AvgMfx86
AvgTdiX
cbidf2k
CCDECODE
Cdaudio
Cdfs
Changer
CmBatt
dmboot
DMusic
drmkaud
e1express
ELhid
ELmon
Fdc
Fips
Flpydisk
GoProto
Gpc
HidUsb
HSFHWBS2
HSF_DPV
HTTP
ialm
intelppm
Ip6Fw
IpFilterDriver
IpInIp
IpNat
IPSec
IRENUM
kbdhid
kmixer
lbrtfdc
mdmxsdk
MHNDRV
mnmdd
Modem
mouhid
MRxDAV
MRxSmb
MSKSSRV
MSPCLOCK
MSPQM
MSTEE
NABTSFEC
NdisIP
NdisTapi
Ndisuio
NdisWan
NDProxy
NetBIOS
NetBT
NIC1394
NwlnkFlt
NwlnkFwd
Parport
ParVdm
PCIDump
PDCOMP
PDFRAME
PDRELI
PDRFRAME
PptpMiniport
PSched
Ptilink
RasAcd
Rasl2tp
RasPppoe
Raspti
Rdbss
RDPCDD
RDPWD
sdbus
Secdrv
Serenum
Serial
Sfloppy
sfng32
Simbad
SLIP
SONYPVU1
splitter
Srv
STHDA
streamip
swmidi
sysaudio
Tcpip
TDPIPE
TDTCP
TSHWMDTCP
usbaudio
usbccgp
usbprint
usbscan
VX3000
Wanarp
wanatw
WDICA
wdmaud
winachsf
WSTCODEC
WudfPf
WudfRd


Services - Running:

CryptSvc
DcomLaunch
dmserver
Eventlog
helpsvc
PlugPlay
RpcSs
srservice
WebrootSpySweeperService
winmgmt


Services - Stopped:

Alerter
AlertService
ALG
AOL
AppMgmt
ARSVC
aspnet_state
AudioSrv
avg8emc
avg8wd
BITS
Browser
CiSvc
ClipSrv
clr_optimization_v2.0.50727_32
COMSysApp
Dhcp
dmadmin
Dnscache
ehRecvr
ehSched
ELService
ERSvc
EventSystem
FastUserSwitchingCompatibility
HidServ
HTTPFilter
IAANTMON
ImapiService
ISSM
lanmanserver
lanmanworkstation
LmHosts
M1
MCLServiceATL
McrdSvc
Messenger
MHN
mnmsrvc
MSCamSvc
MSDTC
MSIServer
NetDDE
NetDDEdsdm
Netlogon
Netman
Nla
NtLmSsp
NtmsSvc
ose
PolicyAgent
PrismXL
ProtectedStorage
RasAuto
RasMan
RDSessMgr
Remote
RemoteAccess
RemoteRegistry
RpcLocator
RSVP
SamSs
SCardSvr
Schedule
seclogon
SENS
SharedAccess
ShellHWDetection
Spooler
SSDPSRV
stisvc
SwPrv
SysmonLog
TapiSrv
TermService
Themes
TlntSvr
TrkWks
upnphost
UPS
VSS
W32Time
WebClient
WmdmPmSN
Wmi
WmiApSrv
WMPNetworkSvc
wscsvc
wuauserv
WudfSvc
WZCSVC
xmlprov


Files Created/Modified - 60 Days:


C:\

May 19 2008 7:18:22p 209 A.SHR "C:\boot.ini"
May 19 2008 7:51:40p 15,930 A.... "C:\ComboFix.txt"
May 20 2008 11:39:38p 1,572,864,000 A.SH. "C:\pagefile.sys"
May 20 2008 11:37:48p 52,654 A.... "C:\VETlog.dmp"
May 20 2008 11:37:48p 3,388,166 A.... "C:\VETlog.txt"


C:\WINDOWS\

May 20 2008 11:37:38p 0 A.... "C:\WINDOWS\0.log"
May 20 2008 11:39:46p 2,048 A.S.. "C:\WINDOWS\bootstat.dat"
May 20 2008 11:38:48p 4,590 A.... "C:\WINDOWS\ModemLog_PCI Soft Data Fax Modem with SmartCP.txt"
May 20 2008 11:39:48p 921,982 A.... "C:\WINDOWS\ntbtlog.txt"
May 5 2008 8:32:10p 1,523 A.... "C:\WINDOWS\OEWABLog.txt"
May 20 2008 11:38:48p 21,698 A.... "C:\WINDOWS\SchedLgU.Txt"
May 15 2008 2:53:02p 373,874 A.... "C:\WINDOWS\setupact.log"
May 18 2008 12:01:38a 47,868 A.... "C:\WINDOWS\setupapi.log"
May 19 2008 7:48:12p 282 A.... "C:\WINDOWS\system.ini"
May 20 2008 11:38:48p 215 A.... "C:\WINDOWS\wiadebug.log"
May 20 2008 11:38:48p 49 A.... "C:\WINDOWS\wiaservc.log"
May 20 2008 11:37:44p 863 A.... "C:\WINDOWS\win.ini"
May 20 2008 11:38:48p 1,440,191 A.... "C:\WINDOWS\WindowsUpdate.log"
May 5 2008 8:32:10p 18,044 A.... "C:\WINDOWS\wmsetup.log"
May 20 2008 11:39:46p 0 A.... "C:\WINDOWS\Debug\PASSWD.LOG"
May 19 2008 7:46:48p 110 A.... "C:\WINDOWS\erdnt\CFrecovery.bat"
May 15 2008 2:52:08p 4,100 A.... "C:\WINDOWS\inf\branches.PNF"
May 15 2008 2:52:10p 1,394,536 A.... "C:\WINDOWS\inf\INFCACHE.1"
May 19 2008 7:18:22p 209 ..... "C:\WINDOWS\pss\boot.ini.backup"
May 15 2008 2:55:34p 863 ..... "C:\WINDOWS\pss\win.ini.backup"
May 20 2008 11:37:40p 1,048,576 A.... "C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{D5BA174A-93A6-4C99-86F0-F92948D3D608}.crmlog"
May 18 2008 1:29:06p 10,520 A.... "C:\WINDOWS\system32\avgrsstx.dll"
May 15 2008 2:29:10p 0 A.... "C:\WINDOWS\system32\clkcnt.txt"
Apr 5 2008 8:46:40a 63,392 A.... "C:\WINDOWS\system32\perfc009.dat"
Apr 5 2008 8:46:40a 404,298 A.... "C:\WINDOWS\system32\perfh009.dat"
Apr 5 2008 8:46:40a 475,154 A.... "C:\WINDOWS\system32\PerfStringBackup.INI"
May 20 2008 11:38:06p 1,158 A.... "C:\WINDOWS\system32\wpa.dbl"
May 20 2008 11:38:48p 6 A..H. "C:\WINDOWS\Tasks\SA.DAT"
May 13 2008 8:00:02p 1,560 A.... "C:\WINDOWS\Tasks\wrSpySweeper_3FCAB2138A924222B2F60CB4BB138EB5.job"
May 4 2008 11:00:02p 1,560 A.... "C:\WINDOWS\Tasks\wrSpySweeper_A9B730EE97D94F239C3171521051CE10.job"
May 19 2008 9:02:40p 62 A.... "C:\WINDOWS\TEMP\avg8info.id"
May 20 2008 11:41:08p 1,125 A.... "C:\WINDOWS\TEMP\scsF.tmp"
May 20 2008 11:39:54p 255 A.... "C:\WINDOWS\TEMP\WGAErrLog.txt"
May 20 2008 11:38:06p 409 A.... "C:\WINDOWS\TEMP\WGANotify.settings"
May 1 2008 8:04:12p 402,544 A.... "C:\WINDOWS\Debug\UserMode\userenv.bak"
May 20 2008 11:39:44p 119,464 A.... "C:\WINDOWS\Debug\UserMode\userenv.log"
May 19 2008 7:44:48p 425,984 A.... "C:\WINDOWS\erdnt\Hiv-backup\default"
May 19 2008 7:44:48p 673 A.... "C:\WINDOWS\erdnt\Hiv-backup\ERDNT.CON"
May 19 2008 7:44:48p 1,558 A.... "C:\WINDOWS\erdnt\Hiv-backup\ERDNT.INF"
May 19 2008 7:44:48p 28,672 A.... "C:\WINDOWS\erdnt\Hiv-backup\SAM"
May 19 2008 7:44:44p 53,248 A.... "C:\WINDOWS\erdnt\Hiv-backup\SECURITY"
May 19 2008 7:44:48p 24,797,184 A.... "C:\WINDOWS\erdnt\Hiv-backup\software"
May 19 2008 7:51:28p 5,505,024 A.... "C:\WINDOWS\erdnt\Hiv-backup\system"
May 19 2008 7:46:48p 425,984 A.... "C:\WINDOWS\erdnt\subs\default"
May 19 2008 7:46:48p 673 A.... "C:\WINDOWS\erdnt\subs\ERDNT.CON"
May 19 2008 7:46:48p 460 A.... "C:\WINDOWS\erdnt\subs\ERDNT.INF"
May 19 2008 7:46:48p 28,672 A.... "C:\WINDOWS\erdnt\subs\SAM"
May 19 2008 7:46:48p 53,248 A.... "C:\WINDOWS\erdnt\subs\SECURITY"
May 19 2008 7:46:48p 24,805,376 A.... "C:\WINDOWS\erdnt\subs\software"
May 19 2008 7:46:52p 1,024 A..H. "C:\WINDOWS\erdnt\subs\software.LOG"
May 19 2008 7:46:48p 5,480,448 A.... "C:\WINDOWS\erdnt\subs\system"
May 19 2008 7:46:52p 1,024 A..H. "C:\WINDOWS\erdnt\subs\system.LOG"
May 17 2008 10:57:02p 1,458 A.... "C:\WINDOWS\security\logs\scecomp.old"
May 18 2008 1:29:02p 96,520 A.... "C:\WINDOWS\system32\drivers\avgldx86.sys"
May 18 2008 1:29:02p 26,184 A.... "C:\WINDOWS\system32\drivers\avgmfx86.sys"
May 18 2008 1:29:06p 75,272 A.... "C:\WINDOWS\system32\drivers\avgtdix.sys"
May 18 2008 2:19:58a 296 A.... "C:\WINDOWS\system32\Restore\rstrlog.dat"
May 18 2008 1:29:00p 5,618,689 A.... "C:\WINDOWS\system32\drivers\Avg\avi7.avg"
May 19 2008 8:03:20p 23,825,363 A.... "C:\WINDOWS\system32\drivers\Avg\incavi.avm"
May 19 2008 8:03:10p 187,603 A.... "C:\WINDOWS\system32\drivers\Avg\microavi.avg"
May 18 2008 1:29:00p 786,367 A.... "C:\WINDOWS\system32\drivers\Avg\miniavi.avg"
May 19 2008 7:48:06p 27 A.... "C:\WINDOWS\system32\drivers\etc\hosts"
May 15 2008 3:06:12p 149,398 A.... "C:\WINDOWS\system32\wbem\AutoRecover\8858F1BA0D460E5A5B27AB13DE3ACB5D.mof"
May 19 2008 7:44:48p 241,664 A.... "C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT"
May 19 2008 7:44:48p 8,192 A.... "C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat"
May 19 2008 7:44:48p 237,568 A.... "C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT"
May 19 2008 7:44:48p 8,192 A.... "C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat"
May 19 2008 7:44:48p 3,543,040 A.... "C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat"
May 19 2008 7:44:48p 233,472 A.... "C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat"
May 19 2008 7:44:48p 614,400 A.... "C:\WINDOWS\erdnt\Hiv-backup\Users\00000007\ntuser.dat"
May 19 2008 7:44:48p 8,192 A.... "C:\WINDOWS\erdnt\Hiv-backup\Users\00000008\UsrClass.dat"


C:\Program Files\

May 18 2008 1:28:54p 886,552 A.... "C:\Program Files\AVG\AVG8\avgabout.dll"
May 18 2008 1:28:52p 453,912 A.... "C:\Program Files\AVG\AVG8\avgcfgex.exe"
May 18 2008 1:28:52p 557,336 A.... "C:\Program Files\AVG\AVG8\avgcfgx.dll"
May 18 2008 1:28:54p 202,008 A.... "C:\Program Files\AVG\AVG8\avgcmgr.exe"
May 18 2008 1:28:54p 1,295,640 A.... "C:\Program Files\AVG\AVG8\avgcorex.dll"
May 18 2008 1:28:54p 72,984 A.... "C:\Program Files\AVG\AVG8\avgcrlpx.dll"
May 18 2008 1:28:52p 62,232 A.... "C:\Program Files\AVG\AVG8\avgdumpx.exe"
May 18 2008 1:28:54p 902,424 A.... "C:\Program Files\AVG\AVG8\avgemc.exe"
May 18 2008 1:28:54p 1,033,496 A.... "C:\Program Files\AVG\AVG8\avgfrw.exe"
May 18 2008 1:28:54p 697,088 A.... "C:\Program Files\AVG\AVG8\avginet.dll"
May 18 2008 1:28:54p 488,728 A.... "C:\Program Files\AVG\AVG8\avgiproxy.exe"
May 18 2008 1:28:52p 164,120 A.... "C:\Program Files\AVG\AVG8\avglngx.dll"
May 18 2008 1:28:54p 214,296 A.... "C:\Program Files\AVG\AVG8\avglogx.dll"
May 18 2008 1:28:54p 173,336 A.... "C:\Program Files\AVG\AVG8\avgmail.dll"
May 18 2008 1:28:54p 320,280 A.... "C:\Program Files\AVG\AVG8\avgmvflx.dll"
May 18 2008 1:28:54p 263,960 A.... "C:\Program Files\AVG\AVG8\avgoff2k.dll"
May 18 2008 1:28:58p 79,128 A.... "C:\Program Files\AVG\AVG8\avgpp.dll"
May 18 2008 1:28:54p 781,592 A.... "C:\Program Files\AVG\AVG8\avgresf.dll"
May 18 2008 1:28:54p 311,576 A.... "C:\Program Files\AVG\AVG8\avgrsx.exe"
May 18 2008 1:28:52p 333,056 A.... "C:\Program Files\AVG\AVG8\avgscanx.dll"
May 18 2008 1:28:52p 580,888 A.... "C:\Program Files\AVG\AVG8\avgscanx.exe"
May 18 2008 1:28:52p 349,976 A.... "C:\Program Files\AVG\AVG8\avgsched.dll"
May 18 2008 1:28:54p 108,824 A.... "C:\Program Files\AVG\AVG8\avgse.dll"
May 18 2008 1:28:52p 365,848 A.... "C:\Program Files\AVG\AVG8\avgsrmax.exe"
May 18 2008 1:28:52p 503,064 A.... "C:\Program Files\AVG\AVG8\avgsrmx.dll"
May 18 2008 1:28:54p 419,096 A.... "C:\Program Files\AVG\AVG8\avgssie.dll"
May 18 2008 1:28:54p 1,177,368 A.... "C:\Program Files\AVG\AVG8\avgtray.exe"
May 18 2008 1:28:54p 2,636,568 A.... "C:\Program Files\AVG\AVG8\avgui.exe"
May 18 2008 1:28:54p 1,621,784 A.... "C:\Program Files\AVG\AVG8\avguiadv.dll"
May 18 2008 1:28:54p 1,911,576 A.... "C:\Program Files\AVG\AVG8\avguires.dll"
May 18 2008 1:28:54p 1,019,672 A.... "C:\Program Files\AVG\AVG8\avgupd.dll"
May 18 2008 1:28:54p 796,440 A.... "C:\Program Files\AVG\AVG8\avgupd.exe"
May 18 2008 1:28:52p 155,928 A.... "C:\Program Files\AVG\AVG8\avgvvx.dll"
May 18 2008 1:28:52p 834,328 A.... "C:\Program Files\AVG\AVG8\avgwd.dll"
May 18 2008 1:28:52p 282,904 A.... "C:\Program Files\AVG\AVG8\avgwdsvc.exe"
May 18 2008 1:28:54p 264,984 A.... "C:\Program Files\AVG\AVG8\avgwdwsc.dll"
May 18 2008 1:28:54p 185,624 A.... "C:\Program Files\AVG\AVG8\avgxpl.dll"
May 18 2008 1:29:00p 17,321 A.... "C:\Program Files\AVG\AVG8\contacts_us.html"
May 18 2008 1:29:00p 1,045,128 A.... "C:\Program Files\AVG\AVG8\dbghelp.dll"
May 18 2008 1:28:54p 51,123 A.... "C:\Program Files\AVG\AVG8\dfncfg.dat"
May 18 2008 1:28:54p 53,528 A.... "C:\Program Files\AVG\AVG8\libsasl.dll"
May 18 2008 1:28:54p 18,200 A.... "C:\Program Files\AVG\AVG8\saslcrammd5.dll"
May 18 2008 1:28:54p 36,632 A.... "C:\Program Files\AVG\AVG8\sasldigestmd5.dll"
May 18 2008 1:28:54p 16,664 A.... "C:\Program Files\AVG\AVG8\sasllogin.dll"
May 18 2008 1:28:54p 16,664 A.... "C:\Program Files\AVG\AVG8\saslplain.dll"
May 18 2008 1:28:54p 847,949 A.... "C:\Program Files\AVG\AVG8\setup.dat"
May 18 2008 1:28:54p 1,751,320 A.... "C:\Program Files\AVG\AVG8\setup.exe"
Apr 21 2008 12:20:24p 130 A.... "C:\Program Files\PartyGaming\PartyPoker\ppunistall.bat"
Apr 21 2008 12:20:12p 825,376 A.... "C:\Program Files\PartyGaming\tmpUpgrade\upgradePG120-121man.exe"
May 19 2008 10:46:50p 396,288 A.... "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe"
May 13 2008 3:47:16p 97,808 A.... "C:\Program Files\Webroot\Spy Sweeper\compressed.dat"
Mar 21 2008 9:39:02p 447,728 A.... "C:\Program Files\Yahoo!\Messenger\yupdater.exe"
Apr 21 2008 12:20:18p 1,990,297 A.... "C:\Program Files\PartyGaming\PartyPoker\tmpUpgrade\upgradepp119-120man.exe"
May 9 2008 10:43:28p 0 A.... "C:\Program Files\Yahoo!\Messenger\Cache\eJzKeL3OY5jXrh_IXubBRQ--.ProfileMap.dat.tmp"
May 6 2008 7:55:58p 0 A.... "C:\Program Files\Yahoo!\Messenger\Cache\nLszaMErj_rP3fG_Vd3RTw--.ProfileMap.dat.tmp"
Apr 16 2008 8:50:10p 304,520 A.... "C:\Program Files\Adobe\Reader 8.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A81200000003}\Setup.exe"
May 20 2008 11:36:36p 800 A.... "C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\bf-500.dat"
May 20 2008 11:36:36p 416 A.... "C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\conf-100.dat"
May 20 2008 11:36:36p 288 A.... "C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\conf-900.dat"
May 20 2008 11:36:36p 96 A.... "C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\gather-now.dat"
May 20 2008 11:36:36p 160 A.... "C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\ie7conflict.dat"
May 20 2008 11:36:36p 96 A.... "C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\notes.dat"
May 20 2008 11:36:36p 736 A.... "C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\partner-700.dat"
May 20 2008 11:36:36p 608 A.... "C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\subscrip-2000.dat"
May 20 2008 11:36:34p 96 A.... "C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\survey.dat"
May 20 2008 11:36:34p 96 A.... "C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\updates-300.dat"
May 20 2008 11:36:34p 288 A.... "C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\urgent-800.dat"
Apr 21 2008 12:46:20p 17,114 A.... "C:\Program Files\PartyGaming\PartyPoker\Language\en_US\articles\16991.html"
Apr 21 2008 12:46:20p 16,611 A.... "C:\Program Files\PartyGaming\PartyPoker\Language\en_US\articles\6331.html"
Apr 21 2008 12:46:20p 20,909 A.... "C:\Program Files\PartyGaming\PartyPoker\Language\en_US\articles\6333.html"
Apr 21 2008 12:46:20p 37,014 A.... "C:\Program Files\PartyGaming\PartyPoker\Language\en_US\articles\66983.html"


Files with hidden attributes:

Mon 29 Jan 2007 46,640 A..H. --- "C:\Program Files\AOL 9.0\AOLphx.exe"
Mon 29 Jan 2007 54,832 A..H. --- "C:\Program Files\AOL 9.0\AOLphxex.exe"
Mon 29 Jan 2007 33,328 A..H. --- "C:\Program Files\AOL 9.0\rbm.exe"
Tue 6 Feb 2007 46,640 A..H. --- "C:\Program Files\AOL 9.0a\AOLphx.exe"
Tue 6 Feb 2007 54,832 A..H. --- "C:\Program Files\AOL 9.0a\AOLphxex.exe"
Tue 6 Feb 2007 33,328 A..H. --- "C:\Program Files\AOL 9.0a\rbm.exe"
Tue 20 Feb 2007 46,640 A..H. --- "C:\Program Files\AOL 9.0b\AOLphx.exe"
Tue 20 Feb 2007 54,832 A..H. --- "C:\Program Files\AOL 9.0b\AOLphxex.exe"
Tue 20 Feb 2007 33,328 A..H. --- "C:\Program Files\AOL 9.0b\rbm.exe"
Thu 15 Mar 2007 46,640 A..H. --- "C:\Program Files\AOL 9.0c\AOLphx.exe"
Thu 15 Mar 2007 54,832 A..H. --- "C:\Program Files\AOL 9.0c\AOLphxex.exe"
Thu 15 Mar 2007 33,328 A..H. --- "C:\Program Files\AOL 9.0c\rbm.exe"
Tue 3 Apr 2007 46,640 A..H. --- "C:\Program Files\AOL 9.0d\AOLphx.exe"
Tue 3 Apr 2007 54,832 A..H. --- "C:\Program Files\AOL 9.0d\AOLphxex.exe"
Tue 3 Apr 2007 33,328 A..H. --- "C:\Program Files\AOL 9.0d\rbm.exe"
Wed 11 Apr 2007 46,640 A..H. --- "C:\Program Files\AOL 9.0e\AOLphx.exe"
Wed 11 Apr 2007 54,832 A..H. --- "C:\Program Files\AOL 9.0e\AOLphxex.exe"
Wed 11 Apr 2007 33,328 A..H. --- "C:\Program Files\AOL 9.0e\rbm.exe"
Fri 13 Jul 2007 46,384 A..H. --- "C:\Program Files\AOL 9.0f\AOLphx.exe"
Fri 13 Jul 2007 54,576 A..H. --- "C:\Program Files\AOL 9.0f\AOLphxex.exe"
Fri 13 Jul 2007 33,072 A..H. --- "C:\Program Files\AOL 9.0f\rbm.exe"
Thu 26 Jul 2007 46,432 A..H. --- "C:\Program Files\AOL 9.1\AOLphx.exe"
Thu 26 Jul 2007 54,624 A..H. --- "C:\Program Files\AOL 9.1\AOLphxex.exe"
Thu 26 Jul 2007 33,120 A..H. --- "C:\Program Files\AOL 9.1\rbm.exe"
Fri 17 Aug 2007 46,432 A..H. --- "C:\Program Files\AOL 9.1a\AOLphx.exe"
Fri 17 Aug 2007 54,624 A..H. --- "C:\Program Files\AOL 9.1a\AOLphxex.exe"
Fri 17 Aug 2007 33,120 A..H. --- "C:\Program Files\AOL 9.1a\rbm.exe"
Fri 7 Sep 2007 46,432 A..H. --- "C:\Program Files\AOL 9.1b\AOLphx.exe"
Fri 7 Sep 2007 54,624 A..H. --- "C:\Program Files\AOL 9.1b\AOLphxex.exe"
Fri 7 Sep 2007 33,120 A..H. --- "C:\Program Files\AOL 9.1b\rbm.exe"
Mon 1 Oct 2007 46,432 A..H. --- "C:\Program Files\AOL 9.1c\AOLphx.exe"
Mon 1 Oct 2007 54,624 A..H. --- "C:\Program Files\AOL 9.1c\AOLphxex.exe"
Mon 1 Oct 2007 33,120 A..H. --- "C:\Program Files\AOL 9.1c\rbm.exe"
Tue 30 Oct 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 8 Oct 2007 96,072 ...H. --- "C:\Program Files\Common Files\AOL\TopSpeed\3.0\WBUnins.exe"
Wed 1 Nov 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Wed 1 Nov 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Wed 1 Nov 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"

continued...
 

nightcrwlr (Thread Starter):
Program Folders:

C:\Program Files\

Adobe
alot
AOL
AOL 9.0
AOL 9.0a
AOL 9.0b
AOL 9.0c
AOL 9.0d
AOL 9.0e
AOL 9.0f
AOL 9.1
AOL 9.1a
AOL 9.1b
AOL 9.1c
ArcSoft
AVG
BigFix
Common Files
ComPlus Applications
CONEXANT
CyberLink
DietPower 4.4
Digital Media Reader
epson
Gateway Games
Google
gtw_logo
InstallShield Installation Information
Intel
Intel Audio Studio
Internet Explorer
Java
McAfee
Messenger
Microsoft ActiveSync
Microsoft Digital Image 2006
microsoft frontpage
Microsoft LifeCam
Microsoft Money 2006
Microsoft Office
Microsoft Works
Microsoft.NET
Movie Maker
MSN
MSN Encarta Plus
MSN Gaming Zone
MSXML 4.0
Napster
NetMeeting
Online Services
Outlook Express
PartyGaming
Pure Networks
QuickTime
Real
SigmaTel
Skype
Trend Micro
Uninstall Information
uTorrent
Viewpoint
Virtools
Webroot
WildTangent
Windows Media Connect 2
Windows Media Player
Windows NT
Windows Plus
WindowsUpdate
WinRAR
xerox
Yahoo!

C:\Program Files\Common Files\

Adobe
AOL
aolshare
DESIGNER
InstallShield
Intel
Java
Microsoft Shared
MSSoap
New Boundary
Nullsoft
ODBC
Real
Roxio Shared
Services
Skype
SpeechEngines
System


Add/Remove Programs:

Adobe Flash Player ActiveX
AOL Toolbar 5.0
AOL Uninstaller (Choose which Products to Remove)
AVG Free 8.0
Microsoft Away Mode
BigFix
Soft Data Fax Modem with SmartCP
DietPower 4.4
dog1 Screen Saver
dog3 Screen Saver
Intel(R) Quick Resume Technology Drivers
EPSON Printer Software
EPSON Scan
gtw_logo
Intel(R) Graphics Media Accelerator Driver
Intel(R) Management Engine Interface
HijackThis 2.0.2
Microsoft Internationalized Domain Names Mitigation APIs
Windows Internet Explorer 7
Digital Media Reader
Intel® Viiv™ Software
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Security Update for Windows XP (KB883939)
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Microsoft .NET Framework 1.0 Hotfix (KB887998)
High Definition Audio Driver Package - KB888111
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Hotfix for Windows XP (KB888795)
Security Update for Windows XP (KB890046)
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Hotfix for Windows XP (KB891593)
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Hotfix for Windows XP (KB893357)
Security Update for Windows XP (KB893756)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Update for Windows XP (KB894391)
Hotfix for Windows XP (KB895953)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB896344)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Update for Windows XP (KB896727)
Security Update for Step By Step Interactive Training (KB898458)
Update for Windows XP (KB898461)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Update Rollup 2 for Windows XP Media Center Edition 2005
Update for Windows XP (KB900485)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Hotfix for Windows XP (KB902841)
Hotfix for Windows Media Player 10 (KB903157)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Update for Windows XP (KB904942)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Hotfix for Windows XP (KB906569)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Hotfix for Windows XP (KB909095)
Update for Windows Media Player 10 (KB910393)
Update for Windows XP (KB910437)
Hotfix for Windows XP (KB910728)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Hotfix for Windows XP (KB912024)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Update for Windows XP (KB912945)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913580)
Update for Windows Media Player 10 (KB913800)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB914906)
Hotfix for Windows XP (KB915865)
Security Update for Windows XP (KB916281)
Update for Windows XP (KB916595)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917537)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Update for Windows XP (KB920872)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Update for Windows XP (KB922582)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB925454)
Windows XP Media Center Edition 2005 KB925766
Security Update for Windows XP (KB925902)
Hotfix for Windows XP (KB926239)
Update for Windows Media Player 10 (KB926251)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Update for Windows XP (KB927891)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Hotfix for Windows XP (KB928388)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Update for Windows XP (KB929338)
Hotfix for Windows Media Format 11 SDK (KB929399)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Update for Windows XP (KB930916)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Update for Windows XP (KB931836)
Security Update for Windows XP (KB932168)
Update for Windows XP (KB933360)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Update for Windows XP (KB936357)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows Internet Explorer 7 (KB938127)
Update for Windows XP (KB938828)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows Internet Explorer 7 (KB939653)
Hotfix for Windows Media Player 11 (KB939683)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows Internet Explorer 7 (KB942615)
Update for Windows XP (KB942763)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944653)
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Money 2006
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft National Language Support Downlevel APIs
PartyPoker
PC-Cleaner
Microsoft Digital Image Starter Edition 2006
Intel(R) PRO Network Connections Drivers
QuickTime
RealPlayer Basic
Adobe Flash Player 9 ActiveX
EPSON CX 4200 4800 Guide
Skype 3.0
Viewpoint Media Player
Virtools 3D Life Player
Windows Genuine Advantage Validation Tool
Windows Genuine Advantage Notifications (KB905474)
Windows Media Format 11 runtime
Windows Media Player 11
WinRAR archiver
Windows Media Format 11 runtime
Windows Media Player 11
Microsoft User-Mode Driver Framework Feature Pack 1.0
Yahoo! Toolbar
Yahoo! Browser Services
Yahoo! Browser Services
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar
Yahoo! Install Manager
Recovery Software Suite Gateway
Google Earth
DVD Solution
Intel Audio Studio 2.0
J2SE Runtime Environment 5.0 Update 2
Java(TM) 6 Update 2
Java(TM) 6 Update 3
MSXML 4.0 SP2 (KB927978)
Skype Plugin Manager
Power2Go 4.0
Digital Media Reader
DietPower 4.4
Microsoft LifeCam
Microsoft Digital Image Starter Edition 2006 Editor
Intel Audio Studio 2.0
PowerDVD
Microsoft Digital Image Starter Edition 2006 Library
Microsoft Works
Multimedia Keyboard Driver
Microsoft .NET Framework 2.0
Microsoft Visual C++ 2005 Redistributable
Napster Burn Engine
Intel(R) Matrix Storage Manager
Microsoft Office Standard Edition 2003
Sonic Encoders
Microsoft Digital Image Library 9 - Blocker
SigmaTel Audio
Adobe Reader 8.1.2
Spy Sweeper
MSXML 4.0 SP2 (KB936181)
Microsoft .NET Framework 1.1
ArcSoft PhotoImpression 5
Intel® Viiv™ Software
Hallmark Smilebox
µTorrent


Run Values:

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG8_TRAY"="C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe"
"VX3000"="C:\\WINDOWS\\vVX3000.exe"
"TM Outbreak Agent"="\"C:\\Program Files\\Trend Micro\\Antivirus\\TMOAgent.exe\" /run"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe\""
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray"
"SigmatelSysTrayApp"="sttray.exe"
"Reminder"="%WINDIR%\\Creator\\Remind_XP.exe"
"Recguard"="%WINDIR%\\SMINST\\RECGUARD.EXE"
"readericon"="\"C:\\Program Files\\Digital Media Reader\\readericon45G.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Persistence"="C:\\WINDOWS\\system32\\igfxpers.exe"
"PCClient.exe"="\"C:\\Program Files\\Trend Micro\\Antivirus\\PCClient.exe\""
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Antivirus\\pccguide.exe\""
"NMSSupport"="\"C:\\Program Files\\Common Files\\Intel\\IntelDH\\NMS\\Support\\IntelHCTAgent.exe\" /startup"
"MSKDetectorExe"="\"C:\\Program Files\\McAfee\\SpamKiller\\MSKDetct.exe\" /uninstall"
"LifeCam"="\"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe\""
"IntelAudioStudio"="\"C:\\Program Files\\Intel Audio Studio\\IntelAudioStudio.exe\" TRAY"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"IAAnotif"="\"C:\\Program Files\\Intel\\Intel Matrix Storage Manager\\Iaanotif.exe\""
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"HostManager"="\"C:\\Program Files\\Common Files\\AOL\\1170558389\\ee\\AOLSoftware.exe\""
"EPSON Stylus CX4200 Series"="\"C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAEA.EXE\" /P26 \"EPSON Stylus CX4200 Series\" /O6 \"USB001\" /M \"Stylus CX4200\""
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"CHotkey"="zHotkey.exe"
"CCUTRAYICON"="\"C:\\Program Files\\Intel\\IntelDH\\CCU\\CCU_TrayIcon.exe\""
"AlwaysReady Power Message APP"="ARPWRMSG.EXE"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\optionalcomponents]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\optionalcomponents\IMAIL]
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\optionalcomponents\MAPI]
"Installed"="1"
"NoChange"="1"
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\optionalcomponents\MSFS]
"Installed"="1"
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"SmileboxTray"="\"C:\\Documents and Settings\\Owner.YOUR-EBBFCF9347\\Application Data\\Smilebox\\SmileboxTray.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_9"
"awowonpd"="C:\\WINDOWS\\system32\\epkxwbsz.exe"
"Power2GoExpress"="NA"


Bot Check:

SERVICE_NAME: wscsvc
DISPLAY_NAME : Security Center
START_TYPE : 2 AUTO_START

SERVICE_NAME: sharedaccess
DISPLAY_NAME : Windows Firewall/Internet Connection Sharing (ICS)
START_TYPE : 2 AUTO_START

SERVICE_NAME: wuauserv
DISPLAY_NAME : Automatic Updates
START_TYPE : 2 AUTO_START

SERVICE_NAME: srservice
DISPLAY_NAME : System Restore Service
START_TYPE : 2 AUTO_START

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
"AUOptions"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"WaitToKillServiceTimeout"="5000"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:00000000
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shell extensions]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"TransportBindName"="\\Device\\"


ShellExecuteHooks:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""



Environment:


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\environment
ComSpec REG_EXPAND_SZ %SystemRoot%\system32\cmd.exe
Path REG_EXPAND_SZ %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
windir REG_EXPAND_SZ %SystemRoot%
OS REG_SZ Windows_NT
PATHEXT REG_SZ .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
TEMP REG_EXPAND_SZ %SystemRoot%\TEMP
TMP REG_EXPAND_SZ %SystemRoot%\TEMP
SAFEBOOT_OPTION REG_SZ MINIMAL

SecurityProviders:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
SecurityProviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Authentication Packages:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0


Subsystem Startup:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
"Windows"="%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"


Midi Drivers:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midi"="wdmaud.drv"


Non-Default IFEO Debugger:


Non-Default Installed Components:


Non-Default Safeboot Minimal:


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\webrootspysweeperservice
<NO NAME> REG_SZ Service


File Associations:


[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\cmdfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\htafile\shell\open\command]
@="C:\\WINDOWS\\system32\\mshta.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\http\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" -nohome"

[HKEY_CLASSES_ROOT\htmlfile\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" -nohome"

[HKEY_CLASSES_ROOT\regedit\shell\open\command]
@="regedit.exe %1"

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"%1\" /S"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\system32\NOTEPAD.EXE %1"


Finished!
 

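The "Run Values", "Bot Check" and "File Associations" blocks in the dump above are the kind of output you end up eyeballing by hand. The script below is an added example for this thread, not code from HijackThis, ComboFix or any other tool used here: it parses REGEDIT-style blocks (copied from the dump above as constructed sample input) and compares the security-relevant values against a baseline. Two things in it are assumptions, not facts from the thread: the baseline values (stock Windows XP defaults for Winlogon Shell/Userinit, SFCDisable, the exefile handler and AntiVirusDisableNotify), and the heuristic that a per-user (HKCU) Run entry pointing into %WINDIR%\system32 is unusual apart from ctfmon.exe. Anything it flags is for a human to look at, not a verdict.

```python
"""Triage helper for REGEDIT-style dump blocks (added example, not the tool's own code)."""
import re

# Constructed sample input: lines copied from the dump posted above
# (HKCU Run, Security Center, Winlogon, exefile). Not the complete dump.
SAMPLE_DUMP = r'''
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"awowonpd"="C:\\WINDOWS\\system32\\epkxwbsz.exe"
"Power2GoExpress"="NA"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:00000000
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    # .reg files escape only backslash and double quote; leave other
    # backslashes alone, since some lines in the dump are not escaped at all.
    return re.sub(r'\\([\\"])', r'\1', s)


def _decode(data):
    if data.startswith('dword:'):
        return int(data[6:], 16)
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    return data


def parse_reg_dump(text):
    """Return {key_path_lower: {value_name_lower: decoded_value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1)
            name = '@' if name == '@' else _unescape(name[1:-1]).lower()
            keys[current][name] = _decode(m.group(2))
    return keys


# Assumed baseline: stock Windows XP values (an assumption, not from the thread).
WINLOGON = r'hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon'
BASELINE = {
    (WINLOGON, 'shell'): 'explorer.exe',
    (WINLOGON, 'userinit'): r'c:\windows\system32\userinit.exe,',
    (WINLOGON, 'sfcdisable'): 0,
    (r'hkey_local_machine\software\microsoft\security center', 'antivirusdisablenotify'): 0,
    (r'hkey_classes_root\exefile\shell\open\command', '@'): '"%1" %*',
}


def check_baseline(keys):
    """List (key, name, expected, actual) for every value that deviates or is missing."""
    findings = []
    for (key, name), expected in BASELINE.items():
        actual = keys.get(key, {}).get(name)
        norm = actual.lower() if isinstance(actual, str) else actual
        if norm != expected:
            findings.append((key, name, expected, actual))
    return findings


def command_exe(cmd):
    """Extract the executable from a Run value ('"C:\\x y\\a.exe" /flag' or 'a.exe /flag')."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ')[0]


# Heuristic (assumption): per-user autostarts living in system32 are unusual,
# with ctfmon.exe as the well-known exception.
SYSTEM32_USER_ALLOW = {'ctfmon.exe'}
HKCU_RUN = r'hkey_current_user\software\microsoft\windows\currentversion\run'


def odd_user_run_entries(keys):
    """Return (value_name, exe) for HKCU Run entries pointing into system32 and not allow-listed."""
    flagged = []
    for name, cmd in keys.get(HKCU_RUN, {}).items():
        exe = command_exe(str(cmd))
        low = exe.lower()
        if '\\system32\\' in low and low.rsplit('\\', 1)[-1] not in SYSTEM32_USER_ALLOW:
            flagged.append((name, exe))
    return flagged


if __name__ == '__main__':
    parsed = parse_reg_dump(SAMPLE_DUMP)
    for key, name, expected, actual in check_baseline(parsed):
        print(f'DEVIATION {key}\\{name}: expected {expected!r}, got {actual!r}')
    for name, exe in odd_user_run_entries(parsed):
        print(f'REVIEW HKCU Run "{name}" -> {exe}')
```

Run it against a full dump by replacing SAMPLE_DUMP with the pasted text; on the sample it reports only the AntiVirusDisableNotify deviation and the single HKCU Run entry in system32, which is what you would then go and look at on the box.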
nightcrwlr (Thread Starter):
ComboFix 08-05-15.3 - Owner 2008-05-20 23:43:47.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.780 [GMT -4:00]
Running from: C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Desktop\cfscript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\gndarmblsnv.dll
C:\WINDOWS\qnmargoldpq.dll
C:\WINDOWS\vadokmxt.dll
C:\WINDOWS\wdpoefan.dll
C:\WINDOWS\wxvgsdbq.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\enqhihql

.
((((((((((((((((((((((((( Files Created from 2008-04-21 to 2008-05-21 )))))))))))))))))))))))))))))))
.

2008-05-19 19:20 . 2008-05-20 23:42 <DIR> d-------- C:\SDFix
2008-05-19 19:14 . 2008-05-19 19:18 <DIR> d-------- C:\fixwareout
2008-05-18 13:29 . 2008-05-19 23:21 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-18 13:29 . 2008-05-18 13:29 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-18 13:29 . 2008-05-18 13:29 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-18 13:29 . 2008-05-18 13:29 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-18 13:28 . 2008-05-19 20:03 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-18 13:28 . 2008-05-18 13:28 <DIR> d-------- C:\Program Files\AVG
2008-05-18 13:28 . 2008-05-18 13:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-18 00:04 . 2008-05-18 00:04 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-05-05 20:31 . 2006-11-01 13:11 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\GTek
2008-05-05 20:31 . 2008-05-09 22:42 <DIR> d---s---- C:\Documents and Settings\Admin
2008-05-05 20:31 . 2008-05-19 19:44 1,024 --ah----- C:\Documents and Settings\Admin\ntuser.dat.LOG
2008-05-03 09:23 . 2008-05-03 09:24 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\PC-Cleaner
2008-05-01 20:18 . 2008-05-19 18:46 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\TmpRecentIcons
2008-05-01 07:47 . 2008-05-01 07:47 <DIR> d-------- C:\Program Files\alot
2008-05-01 07:46 . 2008-05-01 07:47 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\alot

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-18 23:09 --------- d-----w C:\Program Files\Trend Micro
2008-05-15 19:04 --------- d--ha-w C:\Documents and Settings\All Users\Application Data\GTek
2008-05-10 03:35 16,462 ----a-w C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\wklnhst.dat
2008-05-02 00:05 --------- d-----w C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\Skype
2008-04-21 16:20 --------- d-----w C:\Program Files\PartyGaming
2008-04-17 00:49 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-05 01:34 --------- d-----w C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\uTorrent
.

((((((((((((((((((((((((((((( snapshot@2008-05-19_19.51.10.67 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-19 23:47:59 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-21 03:39:44 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 19:24 1694208]
"SmileboxTray"="C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\Smilebox\SmileboxTray.exe" [2007-10-17 06:32 201352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15:00 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-18 13:28 1177368]
"VX3000"="C:\WINDOWS\vVX3000.exe" [2006-04-25 23:09 994080]
"TM Outbreak Agent"="C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2006-11-17 17:14 4806656]
"SigmatelSysTrayApp"="sttray.exe" []
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-12-09 22:44 139264]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-01 13:07 98304]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2006-06-23 16:40 81920]
"PCClient.exe"="C:\Program Files\Trend Micro\Antivirus\PCClient.exe" [ ]
"pccguide.exe"="C:\Program Files\Trend Micro\Antivirus\pccguide.exe" [ ]
"NMSSupport"="C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-03-29 23:10 375296]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 20:16 1121792]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2006-04-27 20:36 260896]
"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [2006-07-13 17:34 9134080]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-06-23 16:41 98304]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 11:15 151552]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2006-06-23 16:44 86016]
"HostManager"="C:\Program Files\Common Files\AOL\1170558389\ee\AOLSoftware.exe" [2007-05-25 13:16 42032]
"EPSON Stylus CX4200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.exe" [2005-03-07 23:00 98304]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 23:56 64512]
"CHotkey"="zHotkey.exe" [2004-12-08 21:57 550912 C:\WINDOWS\zHotkey.exe]
"CCUTRAYICON"="C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2006-07-27 13:54 303104]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 20:19 77312 C:\WINDOWS\arpwrmsg.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [2006-11-01 13:04:13 2168360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"C:\\Program Files\\AOL 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"C:\\Program Files\\AOL 9.0a\\waol.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AOL 9.0b\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\1170558389\\ee\\aolsoftware.exe"=
"C:\\Program Files\\AOL 9.0c\\waol.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\AOL 9.0d\\waol.exe"=
"C:\\Program Files\\AOL 9.0e\\waol.exe"=
"C:\\Program Files\\AOL 9.0f\\waol.exe"=
"C:\\Program Files\\AOL 9.1\\waol.exe"=
"C:\\Program Files\\AOL 9.1a\\waol.exe"=
"C:\\Program Files\\AOL 9.1b\\waol.exe"=
"C:\\Program Files\\AOL 9.1c\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-18 13:29]
S2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-18 13:28]
S2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-18 13:28]
S2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-18 13:29]
S2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamSvc.exe" [2006-04-17 23:32]

*Newly Created Service* - CATCHME
*Newly Created Service* - MDMXSDK
.
Contents of the 'Scheduled Tasks' folder
"2008-05-14 00:00:01 C:\WINDOWS\Tasks\wrSpySweeper_3FCAB2138A924222B2F60CB4BB138EB5.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe=/ScheduleSweep=wrSpySweeper_3FCAB2138A924222B2F60CB4BB138EB5
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
"2008-05-05 03:00:00 C:\WINDOWS\Tasks\wrSpySweeper_A9B730EE97D94F239C3171521051CE10.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe=/ScheduleSweep=wrSpySweeper_A9B730EE97D94F239C3171521051CE10
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-20 23:44:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-20 23:45:00
ComboFix-quarantined-files.txt 2008-05-21 03:44:49
ComboFix2.txt 2008-05-19 23:51:38

Pre-Run: 231,766,355,968 bytes free
Post-Run: 231,751,802,880 bytes free

165 --- E O F --- 2007-12-12 08:02:41
 

nightcrwlr

Thread Starter
Joined
Sep 23, 2003
Messages
38
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01:50 AM, on 5/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Microsoft LifeCam\MSCamSvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\AOL\1170558389\ee\AOLSoftware.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\Smilebox\SmileboxTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\Program Files\BigFix\bigfix.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rsvp.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\PROGRA~1\AOL9~1.0F\shellmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [readericon] "C:\Program Files\Digital Media Reader\readericon45G.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startup
O4 - HKLM\..\Run: [MSKDetectorExe] "C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" /uninstall
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1170558389\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [CCUTRAYICON] "C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe"
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SmileboxTray] "C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\Smilebox\SmileboxTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: AOL &Dictionary Search - file:///C:\Program Files\Common Files\aol\AOLSearch/AOLDictionary.htm
O8 - Extra context menu item: AOL &Thesaurus Search - file:///C:\Program Files\Common Files\aol\AOLSearch/AOLThesauras.htm
O8 - Extra context menu item: AOL &Video Search - file:///C:\Program Files\Common Files\aol\AOLSearch/AOLVideo.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Intel(R) Alert Service (AlertService) - Intel Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 12000 bytes
 

JSntgRvr

José
Retired Moderator and Malware Specialist
Joined
Jul 1, 2003
Messages
18,552
Hi, nightcrwlr :)

The log looks clear. Let's check for remnants:

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Let me know how the computer is doing afterward.
 

nightcrwlr

Thread Starter
Joined
Sep 23, 2003
Messages
38
Anti-Malware did find more stuff, but was able to remove it without a problem, the computer seems to be running fine now.

Again, thank you for all your help, you're a lifesaver.

Malwarebytes' Anti-Malware 1.12
Database version: 775

Scan type: Quick Scan
Objects scanned: 40156
Time elapsed: 4 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 21
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 22
Files Infected: 26

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{eff4851a-2e0c-4d2f-b916-862955b8e721} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{f94bab71-2806-45f1-bb49-3c2a128085f7} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{c474eb48-ccfe-40c5-8325-8e36c08370e7} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{fc1e1ac3-3303-4bc5-913c-735d8b393fad} (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{1962c5bc-e475-465b-823b-133e711bceb9} (Adware.Starware) -> No action taken.
HKEY_CURRENT_USER\Software\alot (Adware.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\pcsd.dll (Rogue.PCAntispyware) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\pcsd.dll (Rogue.PCAntispyware) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Inet Delivery (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\mslagent (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Golden Palace Casino NEW (Trojan.DNSChanger) -> No action taken.
HKEY_CURRENT_USER\Software\PC-Cleaner (Rogue.PC-Cleaner) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC-Cleaner (Rogue.PC-Cleaner) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\PC-Cleaner (Rogue.PC-Cleaner) -> No action taken.
HKEY_CLASSES_ROOT\wxdbpfvo.bmva (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\dpevflbg.bstl (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\dpevflbg.toolbar.1 (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} (Fake.Dropped.Malware) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\alot (Adware.BHO) -> No action taken.
C:\Program Files\alot\bin (Adware.BHO) -> No action taken.
C:\Documents and Settings\All Users\Start Menu\Programs\PC-Cleaner (Rogue.PC-Cleaner) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\PC-Cleaner (Rogue.PC-Cleaner) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\alot (Adware.BHO) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\alot\Resources (Adware.BHO) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\alot\Resources\Button_0 (Adware.BHO) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\alot\Resources\Button_1 (Adware.BHO) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\alot\Resources\Button_2 (Adware.BHO) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\alot\Resources\Button_3 (Adware.BHO) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\alot\Resources\Button_4 (Adware.BHO) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\alot\Resources\Button_5 (Adware.BHO) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\alot\Resources\Button_6 (Adware.BHO) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\alot\Resources\Shared (Adware.BHO) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\alot\Resources\Button_0\images (Adware.BHO) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\alot\Resources\Button_1\images (Adware.BHO) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\alot\Resources\Button_2\images (Adware.BHO) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\alot\Resources\Button_3\images (Adware.BHO) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\alot\Resources\Button_4\images (Adware.BHO) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\alot\Resources\Button_5\images (Adware.BHO) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\alot\Resources\Button_6\images (Adware.BHO) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\alot\Resources\Shared\images (Adware.BHO) -> No action taken.

Files Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\PC-Cleaner\Register PC-Cleaner.lnk (Rogue.PC-Cleaner) -> No action taken.
C:\Documents and Settings\All Users\Start Menu\Programs\PC-Cleaner\Start PC-Cleaner.lnk (Rogue.PC-Cleaner) -> No action taken.
C:\Documents and Settings\All Users\Start Menu\Programs\PC-Cleaner\Uninstall PC-Cleaner.lnk (Rogue.PC-Cleaner) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\PC-Cleaner\log.dat (Rogue.PC-Cleaner) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\PC-Cleaner\settings.dat (Rogue.PC-Cleaner) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\alot\toolbar.xml (Adware.BHO) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\alot\Resources\Button_0\images\alot_icon_35x16.bmp (Adware.BHO) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\alot\Resources\Button_1\images\alot_search_24x16.bmp (Adware.BHO) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\alot\Resources\Button_2\images\default_285_alot_celeb_search.bmp (Adware.BHO) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\alot\Resources\Button_3\images\default_281_alot_weather_widget.bmp (Adware.BHO) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\alot\Resources\Button_4\images\active_default_345_alot_celeb_news.bmp (Adware.BHO) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\alot\Resources\Button_4\images\default_345_alot_celeb_news.bmp (Adware.BHO) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\alot\Resources\Button_5\images\default_287_alot_celeb_center.bmp (Adware.BHO) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\alot\Resources\Button_6\images\default_288_alot_mrkt_bang.bmp (Adware.BHO) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\alot\Resources\Shared\domains.dat (Adware.BHO) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\alot\Resources\Shared\images\alot_brand.png (Adware.BHO) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\alot\Resources\Shared\images\spinner.bmp (Adware.BHO) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\alot\Resources\Shared\images\widget_bottom.bmp (Adware.BHO) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\alot\Resources\Shared\images\widget_btnclose0.bmp (Adware.BHO) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\alot\Resources\Shared\images\widget_btnclose1.bmp (Adware.BHO) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\alot\Resources\Shared\images\widget_btnmin0.bmp (Adware.BHO) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\alot\Resources\Shared\images\widget_btnmin1.bmp (Adware.BHO) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\alot\Resources\Shared\images\widget_caption.bmp (Adware.BHO) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\alot\Resources\Shared\images\widget_error_bg.bmp (Adware.BHO) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\alot\Resources\Shared\images\widget_error_close.bmp (Adware.BHO) -> No action taken.
C:\Documents and Settings\Owner.YOUR-EBBFCF9347\Application Data\alot\Resources\Shared\images\widget_error_icon.bmp (Adware.BHO) -> No action taken.
 

JSntgRvr

José
Retired Moderator and Malware Specialist
Joined
Jul 1, 2003
Messages
18,552
Hi, nightcrwlr. :)

Congratulations.


Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
Create a Restore point (If the above process fails to do so):
  1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  2. In the System Restore dialog box, click Create a restore point, and then click Next.
  3. Type a description for your restore point, such as "After Cleanup", then click Create.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  1. Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  2. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  3. SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  4. ZonedOut + IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  5. CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  6. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  7. Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.
  8. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  9. ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  10. Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.
  11. Read and follow the suggestions given at this web site by Miekiemoes http://users.telenet.be/bluepatchy/miekiemoes/prevention.html .
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

Click Here for some advice from our security experts.

Please use the thread's Tools and mark this thread as "Solved".

Best wishes!
 