
Thread: Problem with virtumonde and others

  1. #1
    Junior Member
    Join Date
    Dec 2007
    Location
    wisconsin
    Posts
    14

    Default Problem with virtumonde and others

    Hello, thank you for taking your time to read this.
    I've been having problems lately with popups while browsing and error boxes popping up telling me that I'm infected. I read the *Before you Post* sticky and followed all the directions.
    HJT log
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:25:57 PM, on 12/10/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\COMMON~1\RACLE~1\nslookup.exe
    C:\Documents and Settings\Owner\My Documents\?racle\d?xplore.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\BigFix\bigfix.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mystical-knights.com/forums/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.h...ys=DTP&M=T3516
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: Mystical Knights Toolbar - {ba04d9ab-6dc6-4998-8060-60a627792e8c} - C:\Program Files\Mystical_Knights\tbMys0.dll
    R3 - URLSearchHook: ggtrades Toolbar - {92bc260c-897a-41f8-8ac3-2ab645b41ec9} - C:\Program Files\ggtrades\tbggt1.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Mystical Knights Toolbar - {ba04d9ab-6dc6-4998-8060-60a627792e8c} - C:\Program Files\Mystical_Knights\tbMys0.dll
    O3 - Toolbar: ggtrades Toolbar - {92bc260c-897a-41f8-8ac3-2ab645b41ec9} - C:\Program Files\ggtrades\tbggt1.dll
    O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [9cf56b43] rundll32.exe "C:\WINDOWS\system32\ivlwwmyt.dll",b
    O4 - HKCU\..\Run: [Power2GoExpress] NA
    O4 - HKCU\..\Run: [Yahoo! Pager] 1
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [Cpue] "C:\PROGRA~1\COMMON~1\RACLE~1\nslookup.exe" -vt ndrv
    O4 - HKCU\..\Run: [Myeek] "C:\Documents and Settings\Owner\My Documents\?racle\d?xplore.exe"
    O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video Access ActiveX Object\isamntr.exe
    O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Yahoo! Euchre - http://download2.games.yahoo.com/gam...ts/y/et3_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/gam...s/y/poti_x.cab
    O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescampus.com/xiah/luncher/GamesCampus.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1197260567796
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

    --
    End of file - 8018 bytes

    and Kaspersky
    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Monday, December 10, 2007 12:16:00 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 10/12/2007
    Kaspersky Anti-Virus database records: 478764
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\

    Scan Statistics:
    Total number of scanned objects: 136126
    Number of viruses found: 15
    Number of infected objects: 27
    Number of suspicious objects: 0
    Duration of the scan process: 01:16:39

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012007121020071211\index.dat Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Temp\!update.exe Infected: Trojan-Downloader.Win32.PurityScan.dx skipped
    C:\Documents and Settings\Owner\Local Settings\Temp\D55.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
    C:\Documents and Settings\Owner\Local Settings\Temp\D55.tmp NSIS: infected - 1 skipped
    C:\Documents and Settings\Owner\Local Settings\Temp\D5A.tmp/stream/data0001 Infected: not-a-virus:AdWare.Win32.Agent.vv skipped
    C:\Documents and Settings\Owner\Local Settings\Temp\D5A.tmp/stream/data0002 Infected: not-a-virus:AdWare.Win32.AdBand.e skipped
    C:\Documents and Settings\Owner\Local Settings\Temp\D5A.tmp/stream Infected: not-a-virus:AdWare.Win32.AdBand.e skipped
    C:\Documents and Settings\Owner\Local Settings\Temp\D5A.tmp NSIS: infected - 3 skipped
    C:\Documents and Settings\Owner\Local Settings\Temp\NeroDemo12065\Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
    C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_d0c.dat Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\O7E3G5OP\warningiepage[1].htm Infected: not-virus:Hoax.JS.Agent.a skipped
    C:\Documents and Settings\Owner\Local Settings\Temp\~DF1804.tmp Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2FHE9VBX\hctp[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2FHE9VBX\ptch[1] Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\7LBCO9IU\17PHolmes[1].cmt Infected: Trojan-Downloader.Win32.Agent.fuc skipped
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\M9Z12F3V\gamadril20071203[1] Infected: Backdoor.Win32.Agent.dbm skipped
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\PVEU680G\!update-4395[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.dx skipped
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\RQCBVXYC\upd32_v14[1] Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
    C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Common Files\Οracle\nslookup.exe Infected: Trojan-Downloader.Win32.PurityScan.dx skipped
    C:\Program Files\Outerinfo\FF\components\FF.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP1\A0000024.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped
    C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP2\change.log Object is locked skipped
    C:\torrentDl's\Nero 7.7.5.1 Ultra\Nero 7.7.5.1 Ultra.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
    C:\torrentDl's\Nero 7.7.5.1 Ultra\Nero 7.7.5.1 Ultra.exe RAR: infected - 1 skipped
    C:\WINDOWS\AVGNT.exe Infected: Trojan-Dropper.Win32.Autoit.c skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\mrofinu72.exe Infected: Trojan-Downloader.Win32.Agent.fuc skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\euyknrhl.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
    C:\WINDOWS\system32\gttmjiih.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\ibmdvmze.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gl skipped
    C:\WINDOWS\system32\ivlwwmyt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
    C:\WINDOWS\system32\spalamuq.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.

    Thank you in advance!

    -Bill
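The HijackThis and Kaspersky logs above contain the kind of autostart entries a helper looks at first: a rundll32 line loading a DLL under a random hex value name (9cf56b43), a folder that HijackThis prints as "?racle" / "RACLE~1" but the Kaspersky report shows as "Οracle" (a Greek capital omicron in place of the Latin O), and a Policies\Explorer\Run value named user32.dll that launches an EXE. The Python script below is an added example and is not part of this thread, of HijackThis, or of Kaspersky: it parses a few O4 lines and "Infected:" lines copied from these logs (embedded as constructed sample input), flags the entries worth reviewing, and cross-references the file each entry launches against the AV verdicts. The function names (hjt_flags, triage, av_detections, payload_path) and the review heuristics are this example's own assumptions.

```python
import re

# Constructed sample input: O4 lines copied from the HijackThis log in this
# thread. HijackThis printed the folder as "?racle" (and "RACLE~1" in 8.3
# form); the Kaspersky report shows the real name "Οracle", whose first
# letter is a Greek capital omicron (U+039F), not a Latin "O".
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [9cf56b43] rundll32.exe "C:\WINDOWS\system32\ivlwwmyt.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Cpue] "C:\PROGRA~1\COMMON~1\RACLE~1\nslookup.exe" -vt ndrv
O4 - HKCU\..\Run: [Myeek] "C:\Documents and Settings\Owner\My Documents\?racle\d?xplore.exe"
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video Access ActiveX Object\isamntr.exe
""".strip().splitlines()

# Constructed sample input: two "Infected:" lines copied from the Kaspersky report.
KAV_SAMPLE = [
    "C:\\Program Files\\Common Files\\\u039fracle\\nslookup.exe Infected: Trojan-Downloader.Win32.PurityScan.dx skipped",
    "C:\\WINDOWS\\system32\\ivlwwmyt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped",
]

O4_RE = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
KAV_RE = re.compile(r'^(?P<path>.+?) Infected: (?P<verdict>\S+)')
FILE_RE = re.compile(r'"?([^"]*?\.(?:exe|dll))"?', re.IGNORECASE)   # .exe/.dll tokens in a command
HEX_NAME_RE = re.compile(r'^[0-9a-fA-F]{8}$')                         # value names like 9cf56b43
USER_WRITABLE = ('\\temp\\', '\\documents and settings\\')            # folders any user can write to


def basename(path):
    """Last path component; tolerates both separators."""
    return path.replace('/', '\\').rsplit('\\', 1)[-1]


def payload_path(cmd):
    """Return the file that actually runs: for rundll32 that is the DLL argument."""
    files = FILE_RE.findall(cmd)
    if not files:
        return cmd.strip()
    if files[0].lower().endswith('rundll32.exe') and len(files) > 1:
        return files[1]
    return files[0]


def hjt_flags(line):
    """Parse one O4 line and return its parts plus a list of review flags.
    Returns None for lines that are not registry Run entries (e.g. Global Startup)."""
    m = O4_RE.match(line)
    if not m:
        return None
    hive, name, cmd = m.group('hive', 'name', 'cmd')
    path = payload_path(cmd)
    flags = []
    # Windows forbids '?' in file names, so a '?' in a logged path means the
    # log writer could not render a character; treat it like a non-ASCII one.
    if any(ord(c) > 127 for c in path) or '?' in path:
        flags.append('non-ASCII or unrenderable character in path (possible look-alike name)')
    if HEX_NAME_RE.match(name) and 'rundll32' in cmd.lower():
        flags.append('rundll32 loading a DLL under a random hex value name')
    if 'policies\\explorer\\run' in hive.lower():
        flags.append('Policies\\Explorer\\Run autostart (uncommon for ordinary software)')
    if name.lower().endswith('.dll') and path.lower().endswith('.exe'):
        flags.append('value named like a system DLL but launching an EXE')
    if any(seg in path.lower() for seg in USER_WRITABLE):
        flags.append('executable started from a user-writable folder')
    return {'hive': hive, 'name': name, 'path': path, 'flags': flags}


def av_detections(report_lines):
    """Map file name (lower-cased) -> verdict for every 'Infected:' line."""
    found = {}
    for line in report_lines:
        m = KAV_RE.match(line)
        if m:
            found[basename(m.group('path')).lower()] = m.group('verdict')
    return found


def triage(hjt_lines, kav_lines):
    """Return only the O4 entries that raised at least one flag, adding the AV
    verdict for the launched file when the scanner reported the same file name."""
    verdicts = av_detections(kav_lines)
    results = []
    for line in hjt_lines:
        entry = hjt_flags(line)
        if entry is None:
            continue
        verdict = verdicts.get(basename(entry['path']).lower())
        if verdict:
            entry['flags'].append('file detected by AV scan: ' + verdict)
        if entry['flags']:
            results.append(entry)
    return results


if __name__ == '__main__':
    for e in triage(HJT_SAMPLE, KAV_SAMPLE):
        print(f"[{e['name']}] {e['path']}")
        for f in e['flags']:
            print('    -', f)
```

Run it directly to print the four flagged entries. The match against the AV report is by file name only and is deliberately loose: the HJT entry uses an 8.3 short path (RACLE~1) while the Kaspersky report shows the long name, so a full-path comparison would miss it. A hit is a prompt to confirm the full path by hand, not a verdict; a legitimate binary with the same name (nslookup.exe is also a standard Windows tool in system32) would match just as well.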

  2. #2
    Security Expert ken545
    Join Date
    Nov 2005
    Location
    Stamford, CT
    Posts
    13,356

    Default

    Hello Slayer_MK

    Welcome to Safer Networking.

    Please read Before You Post
    All advice given by anyone volunteering here is taken at your own risk.
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen.



    You have TWO nasty infections on this system. I am going to give you some programs to run; take your time and run them in order, and I need to see the reports when you're done.


    Please download SuperAntiSpyware
    Install the program
    • Run SuperAntiSpyware and click: Check for updates
    • Once the update is finished, on the main screen, click: Scan your computer
    • Check: Perform Complete Scan
    • Click Next to start the scan.

    Superantispyware scans the computer, and when finished, lists all the infections found.
    Make sure everything found has a check next to it, and press: Next
    Then, click Finish

    It is possible that the program asks to reboot in order to delete some files.

    Obtain the SuperAntiSpyware log as follows:
    • Click: Preferences
    • Click the Statistics/Logs tab
    • Under Scanner Logs, double-click SuperAntiSpyware Scan Log
    It opens in your default text editor (such as Notepad)

    Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.


    =========================================

    Download ComboFix from Here or Here to your Desktop.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply

    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


    =========================================

    Download SmitfraudFix
    Extract the content (a folder named SmitfraudFix) to your Desktop.

    Boot your computer into Safemode
    • Go to Start> Shut Off your Computer> Restart
    • As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly.
    • This will bring up a menu.
    • Use the Up and Down Arrow Keys to scroll up to SAFEMODE
    • Then press the Enter on your Keyboard


    Tutorial if you need it How to boot into Safemode


    • Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
    • Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
    • You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
    • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
    • The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart into normal Windows.
    • A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.

    The report can also be found at the root of the system drive, usually at C:\rapport.txt


    =======================================

    Please download ATF Cleaner by Atribune to your desktop.
    • This program is for XP and Windows 2000 only
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.


    Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot-up.


    This is important, do this before you post a HJT log
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <-- Right-click on HijackThis.exe (looks like a man with a spyglass) and rename it to Scanner.exe
    These reports won't fit in one reply, so take as many Submit Replies as you need.
    I need to see....
    1. SAS log
    2. Combofix log
    3. Smitfraud log
    4. New HJT log renamed please
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #3
    Junior Member
    Join Date
    Dec 2007
    Location
    wisconsin
    Posts
    14

    Default

    Thank you for your fast response!!!!
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 12/11/2007 at 10:56 AM

    Application Version : 3.9.1008

    Core Rules Database Version : 3359
    Trace Rules Database Version: 1358

    Scan type : Complete Scan
    Total Scan Time : 00:33:42

    Memory items scanned : 353
    Memory threats detected : 5
    Registry items scanned : 5194
    Registry threats detected : 126
    File items scanned : 30821
    File threats detected : 501

    Trojan.WinFixer
    C:\WINDOWS\SYSTEM32\DDCYX.DLL
    C:\WINDOWS\SYSTEM32\DDCYX.DLL
    HKLM\Software\Classes\CLSID\{02C32DEC-2C2E-49CB-B1DC-0E1FF3B929E8}
    HKCR\CLSID\{02C32DEC-2C2E-49CB-B1DC-0E1FF3B929E8}
    HKCR\CLSID\{02C32DEC-2C2E-49CB-B1DC-0E1FF3B929E8}\InprocServer32
    HKCR\CLSID\{02C32DEC-2C2E-49CB-B1DC-0E1FF3B929E8}\InprocServer32#ThreadingModel
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02C32DEC-2C2E-49CB-B1DC-0E1FF3B929E8}

    Adware.Vundo-Variant/Small-A
    C:\WINDOWS\SYSTEM32\AJRQNUCS.DLL
    C:\WINDOWS\SYSTEM32\AJRQNUCS.DLL
    HKLM\Software\Classes\CLSID\{e855c728-5387-49bc-bc16-bae69651270e}
    HKCR\CLSID\{E855C728-5387-49BC-BC16-BAE69651270E}
    HKCR\CLSID\{E855C728-5387-49BC-BC16-BAE69651270E}\InprocServer32
    HKCR\CLSID\{E855C728-5387-49BC-BC16-BAE69651270E}\InprocServer32#ThreadingModel
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e855c728-5387-49bc-bc16-bae69651270e}
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP3\A0000107.DLL
    C:\WINDOWS\SYSTEM32\GTTMJIIH.DLL

    Trojan.Downloader-NewJuan/VM
    C:\WINDOWS\SYSTEM32\SSFXYTWE.DLL
    C:\WINDOWS\SYSTEM32\SSFXYTWE.DLL

    Adware.eZula
    C:\WINDOWS\SYSTEM32\DMMQKBPH.EXE
    C:\WINDOWS\SYSTEM32\DMMQKBPH.EXE
    C:\WINDOWS\Prefetch\DMMQKBPH.EXE-2AC43009.pf

    Adware.ClickSpring/Resident
    C:\WINDOWS\SYSTEM32\IBMDVMZE.DLL
    C:\WINDOWS\SYSTEM32\IBMDVMZE.DLL

    Adware.ClickSpring
    [Cpue] C:\PROGRA~1\COMMON~1\RACLE~1\NSLOOKUP.EXE
    C:\PROGRA~1\COMMON~1\RACLE~1\NSLOOKUP.EXE
    HKLM\Software\Classes\CLSID\{E389D34F-45AB-490B-DE28-3EE6768203EA}
    HKCR\CLSID\{E389D34F-45AB-490B-DE28-3EE6768203EA}
    HKCR\CLSID\{E389D34F-45AB-490B-DE28-3EE6768203EA}\InprocServer32
    HKCR\CLSID\{E389D34F-45AB-490B-DE28-3EE6768203EA}\InprocServer32#ThreadingModel
    HKCR\CLSID\{E389D34F-45AB-490B-DE28-3EE6768203EA}\Programmable
    HKCR\CLSID\{E389D34F-45AB-490B-DE28-3EE6768203EA}\TypeLib
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E389D34F-45AB-490B-DE28-3EE6768203EA}
    C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\!UPDATE.EXE
    C:\Documents and Settings\Owner\My Documents\RACLE~1\DXPLOR~1.EXE
    C:\PROGRAM FILES\COMMON FILES\RACLE~1\NSLOOKUP.EXE
    C:\WINDOWS\Prefetch\NSLOOKUP.EXE-2ACEF363.pf

    Adware.Vundo Variant
    HKLM\Software\Classes\CLSID\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}
    HKCR\CLSID\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}
    HKCR\CLSID\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}\InprocServer32
    HKCR\CLSID\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\SSQROOM.DLL
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}
    HKCR\CLSID\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP1\A0000024.DLL

    Unclassified.Unknown Origin
    HKLM\Software\Microsoft\Internet Explorer\Toolbar#{11A69AE4-FBED-4832-A2BF-45AF82825583}

    Trojan.Downloader-Gen/DDC
    HKLM\System\ControlSet001\Services\DomainService
    HKLM\System\ControlSet002\Services\DomainService
    HKLM\System\CurrentControlSet\Services\DomainService
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP2\A0000070.EXE

    Adware.Tracking Cookie
    C:\Documents and Settings\Owner\Cookies\owner@www.animeporn[2].txt
    C:\Documents and Settings\Owner\Cookies\owner@pornbilly[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@redorbit[2].txt
    C:\Documents and Settings\Owner\Cookies\owner@cs.sexcounter[2].txt
    C:\Documents and Settings\Owner\Cookies\owner@CATR0O0B.txt
    C:\Documents and Settings\Owner\Cookies\owner@www.hornyoldfuckers[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@edge.ru4[2].txt
    C:\Documents and Settings\Owner\Cookies\owner@www.dragonball-xxx[2].txt
    C:\Documents and Settings\Owner\Cookies\owner@web-stat[2].txt
    C:\Documents and Settings\Owner\Cookies\owner@advertising[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@roiservice[2].txt
    C:\Documents and Settings\Owner\Cookies\owner@ad1.clickhype[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@imrworldwide[2].txt
    C:\Documents and Settings\Owner\Cookies\owner@iteens[2].txt
    C:\Documents and Settings\Owner\Cookies\owner@altastat[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@adserver.softwareonline[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@adprofile[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@adecn[2].txt
    C:\Documents and Settings\Owner\Cookies\owner@server.cpmstar[2].txt
    C:\Documents and Settings\Owner\Cookies\owner@try.screensavers[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@image.masterstats[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@www.couplesseduceteens[3].txt
    C:\Documents and Settings\Owner\Cookies\owner@server.iad.liveperson[4].txt
    C:\Documents and Settings\Owner\Cookies\owner@travelnetsolutions.112.2o7[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@vip.clickzs[2].txt
    C:\Documents and Settings\Owner\Cookies\owner@bdsm-artwork[3].txt
    C:\Documents and Settings\Owner\Cookies\owner@teensforcash[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@questionmarket[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@www.teensforcash[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@adultreviews[2].txt
    C:\Documents and Settings\Owner\Cookies\owner@traffic.el-ladies[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@adultswim[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@www.iteens[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@creaminteen[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@tremor.adbureau[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@programs.wegcash[2].txt
    C:\Documents and Settings\Owner\Cookies\owner@audit.median[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@www.porndvddirect[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@pornaccess[2].txt
    C:\Documents and Settings\Owner\Cookies\owner@couplesseduceteens[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@ads.labpixies[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@server.iad.liveperson[3].txt
    C:\Documents and Settings\Owner\Cookies\owner@www.ticketsnow[2].txt
    C:\Documents and Settings\Owner\Cookies\owner@adultcomix[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@teenmoviezone[2].txt
    C:\Documents and Settings\Owner\Cookies\owner@paycounter[2].txt

  4. #4
    Junior Member
    Join Date
    Dec 2007
    Location
    wisconsin
    Posts
    14

    Default


  5. #5
    Junior Member
    Join Date
    Dec 2007
    Location
    wisconsin
    Posts
    14

    Default


    Trojan.Security Toolbar
    C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url
    C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url

    Trojan.Media-Codec
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006#DisplayName
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006#UninstallString
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Security Add-On
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Security Add-On#DisplayName
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Security Add-On#UninstallString
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03#DisplayName
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03#UninstallString
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#user32.dll [ C:\Program Files\Video Access ActiveX Object\isamntr.exe ]

    Adware.ClickSpring/Outer Info Network
    C:\Program Files\Outerinfo\FF\chrome.manifest
    C:\Program Files\Outerinfo\FF\components\FF.dll
    C:\Program Files\Outerinfo\FF\components\OuterinfoAds.xpt
    C:\Program Files\Outerinfo\FF\components
    C:\Program Files\Outerinfo\FF\install.rdf
    C:\Program Files\Outerinfo\FF
    C:\Program Files\Outerinfo\Terms.rtf
    C:\Program Files\Outerinfo
    C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo\Terms.lnk
    C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo\Uninstall.lnk
    C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo

    Malware.SpyDawn
    HKCR\Interface\{63948A86-9227-4DAB-8AA6-CCD2111264A0}\TypeLib
    HKCR\Interface\{63948A86-9227-4DAB-8AA6-CCD2111264A0}\TypeLib#Version
    HKCR\Interface\{7A7CA289-6E1E-4A00-AA81-C5D252945645}
    HKCR\Interface\{7A7CA289-6E1E-4A00-AA81-C5D252945645}\ProxyStubClsid
    HKCR\Interface\{7A7CA289-6E1E-4A00-AA81-C5D252945645}\ProxyStubClsid32
    HKCR\Interface\{7A7CA289-6E1E-4A00-AA81-C5D252945645}\TypeLib
    HKCR\Interface\{7A7CA289-6E1E-4A00-AA81-C5D252945645}\TypeLib#Version
    HKCR\Interface\{7DE844A5-DC96-4CD5-B4EE-1C7AE0B5E62A}
    HKCR\Interface\{7DE844A5-DC96-4CD5-B4EE-1C7AE0B5E62A}\ProxyStubClsid
    HKCR\Interface\{7DE844A5-DC96-4CD5-B4EE-1C7AE0B5E62A}\ProxyStubClsid32
    HKCR\Interface\{7DE844A5-DC96-4CD5-B4EE-1C7AE0B5E62A}\TypeLib
    HKCR\Interface\{7DE844A5-DC96-4CD5-B4EE-1C7AE0B5E62A}\TypeLib#Version
    HKCR\Interface\{929FC56A-EE5C-436C-BC73-68D583233485}
    HKCR\Interface\{929FC56A-EE5C-436C-BC73-68D583233485}\ProxyStubClsid
    HKCR\Interface\{929FC56A-EE5C-436C-BC73-68D583233485}\ProxyStubClsid32
    HKCR\Interface\{929FC56A-EE5C-436C-BC73-68D583233485}\TypeLib
    HKCR\Interface\{929FC56A-EE5C-436C-BC73-68D583233485}\TypeLib#Version
    HKCR\Interface\{94596FC9-CBF8-4F61-8A02-AACBB86B51BA}
    HKCR\Interface\{94596FC9-CBF8-4F61-8A02-AACBB86B51BA}\ProxyStubClsid
    HKCR\Interface\{94596FC9-CBF8-4F61-8A02-AACBB86B51BA}\ProxyStubClsid32
    HKCR\Interface\{94596FC9-CBF8-4F61-8A02-AACBB86B51BA}\TypeLib
    HKCR\Interface\{94596FC9-CBF8-4F61-8A02-AACBB86B51BA}\TypeLib#Version
    HKCR\Interface\{A048440C-9495-4757-8FB3-0383ADE9E89D}
    HKCR\Interface\{A048440C-9495-4757-8FB3-0383ADE9E89D}\ProxyStubClsid
    HKCR\Interface\{A048440C-9495-4757-8FB3-0383ADE9E89D}\ProxyStubClsid32
    HKCR\Interface\{A048440C-9495-4757-8FB3-0383ADE9E89D}\TypeLib
    HKCR\Interface\{A048440C-9495-4757-8FB3-0383ADE9E89D}\TypeLib#Version
    HKCR\Interface\{CC09AC3E-AA61-4CBD-A351-DF435C8FE5C2}
    HKCR\Interface\{CC09AC3E-AA61-4CBD-A351-DF435C8FE5C2}\ProxyStubClsid
    HKCR\Interface\{CC09AC3E-AA61-4CBD-A351-DF435C8FE5C2}\ProxyStubClsid32
    HKCR\Interface\{CC09AC3E-AA61-4CBD-A351-DF435C8FE5C2}\TypeLib
    HKCR\Interface\{CC09AC3E-AA61-4CBD-A351-DF435C8FE5C2}\TypeLib#Version
    HKCR\Interface\{CC61280D-617C-4007-9D21-3F6F7BBA81FE}
    HKCR\Interface\{CC61280D-617C-4007-9D21-3F6F7BBA81FE}\ProxyStubClsid
    HKCR\Interface\{CC61280D-617C-4007-9D21-3F6F7BBA81FE}\ProxyStubClsid32
    HKCR\Interface\{CC61280D-617C-4007-9D21-3F6F7BBA81FE}\TypeLib
    HKCR\Interface\{CC61280D-617C-4007-9D21-3F6F7BBA81FE}\TypeLib#Version

    Adware.AdSponsor/ISM
    HKU\S-1-5-21-4106870390-2351743502-3898326784-1003\Software\antica

    Trojan.Unclassifed/Loader-Suspicious
    C:\PROGRAM FILES\GGTD2\RA 3.3\LOADER.EXE
    C:\DOCUMENTS AND SETTINGS\OWNER\DESKTOP\SHORTCUT TO LOADER.LNK
    C:\WINDOWS\Prefetch\LOADER.EXE-1FB3DD85.pf

    Browser Hijacker.Favorites
    C:\DOCUMENTS AND SETTINGS\OWNER\FAVORITES\BILL\ONLINE SECURITY TEST.URL

    Adware.Vundo-Variant
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP2\A0000072.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP2\A0000078.DLL
    C:\WINDOWS\SYSTEM32\EUYKNRHL.DLL

    Trojan.Downloader-Gen/Win
    C:\WINDOWS\MROFINU72.EXE

    Trojan.Unknown Origin
    C:\WINDOWS\SYSTEM32\WNSINTSV32.EXE

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:13:31 AM, on 12/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\Scanner.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mystical-knights.com/forums/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: Mystical Knights Toolbar - {ba04d9ab-6dc6-4998-8060-60a627792e8c} - C:\Program Files\Mystical_Knights\tbMys0.dll
    R3 - URLSearchHook: ggtrades Toolbar - {92bc260c-897a-41f8-8ac3-2ab645b41ec9} - C:\Program Files\ggtrades\tbggt1.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRA~1\Yahoo!\common\YIeTagBm.dll
    O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
    O2 - BHO: ggtrades Toolbar - {92bc260c-897a-41f8-8ac3-2ab645b41ec9} - C:\Program Files\ggtrades\tbggt1.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Mystical Knights Toolbar - {ba04d9ab-6dc6-4998-8060-60a627792e8c} - C:\Program Files\Mystical_Knights\tbMys0.dll
    O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!

  6. #6
    Junior Member
    Join Date
    Dec 2007
    Location
    wisconsin
    Posts
    14

    Default

    \Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Mystical Knights Toolbar - {ba04d9ab-6dc6-4998-8060-60a627792e8c} - C:\Program Files\Mystical_Knights\tbMys0.dll
    O3 - Toolbar: ggtrades Toolbar - {92bc260c-897a-41f8-8ac3-2ab645b41ec9} - C:\Program Files\ggtrades\tbggt1.dll
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [9cf56b43] rundll32.exe "C:\WINDOWS\system32\ajrqnucs.dll",b
    O4 - HKCU\..\Run: [Power2GoExpress] NA
    O4 - HKCU\..\Run: [Yahoo! Pager] 1
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [Myeek] "C:\Documents and Settings\Owner\My Documents\?racle\d?xplore.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Yahoo! Euchre - http://download2.games.yahoo.com/gam...ts/y/et3_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/gam...s/y/poti_x.cab
    O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescampus.com/xiah/luncher/GamesCampus.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1197260567796
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: ssqroom - ssqroom.dll (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

    --
    End of file - 8389 bytes
    Thank you for your fast reply, rest is coming very soon
    -Bill

  7. #7
    Security Expert ken545's Avatar
    Join Date
    Nov 2005
    Location
    Stamford, CT
    Posts
    13,356

    Default

    If you can, post the HJT log renamed in one post, I need to look at that all together.

    Ken
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  8. #8
    Junior Member
    Join Date
    Dec 2007
    Location
    wisconsin
    Posts
    14

    Default

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:13:31 AM, on 12/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\Scanner.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mystical-knights.com/forums/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: Mystical Knights Toolbar - {ba04d9ab-6dc6-4998-8060-60a627792e8c} - C:\Program Files\Mystical_Knights\tbMys0.dll
    R3 - URLSearchHook: ggtrades Toolbar - {92bc260c-897a-41f8-8ac3-2ab645b41ec9} - C:\Program Files\ggtrades\tbggt1.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRA~1\Yahoo!\common\YIeTagBm.dll
    O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
    O2 - BHO: ggtrades Toolbar - {92bc260c-897a-41f8-8ac3-2ab645b41ec9} - C:\Program Files\ggtrades\tbggt1.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Mystical Knights Toolbar - {ba04d9ab-6dc6-4998-8060-60a627792e8c} - C:\Program Files\Mystical_Knights\tbMys0.dll
    O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Mystical Knights Toolbar - {ba04d9ab-6dc6-4998-8060-60a627792e8c} - C:\Program Files\Mystical_Knights\tbMys0.dll
    O3 - Toolbar: ggtrades Toolbar - {92bc260c-897a-41f8-8ac3-2ab645b41ec9} - C:\Program Files\ggtrades\tbggt1.dll
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [9cf56b43] rundll32.exe "C:\WINDOWS\system32\ajrqnucs.dll",b
    O4 - HKCU\..\Run: [Power2GoExpress] NA
    O4 - HKCU\..\Run: [Yahoo! Pager] 1
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [Myeek] "C:\Documents and Settings\Owner\My Documents\?racle\d?xplore.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Yahoo! Euchre - http://download2.games.yahoo.com/gam...ts/y/et3_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/gam...s/y/poti_x.cab
    O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescampus.com/xiah/luncher/GamesCampus.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1197260567796
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: ssqroom - ssqroom.dll (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

    --
    End of file - 8389 bytes

  9. #9
    Junior Member
    Join Date
    Dec 2007
    Location
    wisconsin
    Posts
    14

    Default

    ComboFix 07-12-09.1 - Owner 2007-12-11 11:16:04.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.118 [GMT -6:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Administrator.BILLNSARAH\Desktop\Live Safety Center.lnk
    C:\Documents and Settings\Administrator.BILLNSARAH\Desktop\Online Security Guide.lnk
    C:\Documents and Settings\Administrator.BILLNSARAH\Favorites\Online Security Guide.lnk
    C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
    C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
    C:\Documents and Settings\Owner\Desktop\Live Safety Center.lnk
    C:\Documents and Settings\Owner\Desktop\Online Security Guide.lnk
    C:\Documents and Settings\Owner\Favorites\Online Security Guide.lnk
    C:\Documents and Settings\Owner\My Documents\RACLE~1
    C:\Program Files\Common Files\racle~1
    C:\Program Files\Common Files\racle~1\?racle\
    D:\Autorun.inf

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_DOMAINSERVICE


    ((((((((((((((((((((((((( Files Created from 2007-11-11 to 2007-12-11 )))))))))))))))))))))))))))))))
    .

    2007-12-11 09:39 . 2007-12-11 11:07 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2007-12-11 09:39 . 2007-12-11 09:39 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
    2007-12-11 09:39 . 2007-12-11 09:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2007-12-10 13:31 . 2007-12-11 09:15 758 ---hs---- C:\WINDOWS\system32\scunqrja.ini
    2007-12-10 13:25 . 2007-12-10 13:25 <DIR> d-------- C:\Program Files\Trend Micro
    2007-12-10 12:22 . 2006-06-30 23:30 <DIR> d-------- C:\Documents and Settings\Administrator.BILLNSARAH\WINDOWS
    2007-12-10 12:22 . 2006-07-31 11:03 <DIR> d-------- C:\Documents and Settings\Administrator.BILLNSARAH\Application Data\You've Got Pictures Screensaver
    2007-12-10 12:22 . 2006-07-31 11:11 <DIR> d-------- C:\Documents and Settings\Administrator.BILLNSARAH\Application Data\SampleView
    2007-12-10 08:24 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
    2007-12-10 08:24 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
    2007-12-09 22:32 . 2007-12-09 22:32 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-12-09 22:32 . 2007-12-09 22:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-12-09 20:01 . 2007-12-09 20:01 143 --a------ C:\WINDOWS\system32\mcrh.tmp
    2007-12-09 13:34 . 2007-12-10 13:23 638 ---hs---- C:\WINDOWS\system32\tymwwlvi.ini
    2007-12-08 14:43 . 2007-12-08 14:43 4,286 --a------ C:\WINDOWS\system32\everybodybets.32x32.4.ico
    2007-12-08 08:48 . 2007-12-11 10:57 455,437 --ahs---- C:\WINDOWS\system32\xycdd.ini2
    2007-12-08 08:48 . 2007-12-11 10:59 455,437 --ahs---- C:\WINDOWS\system32\xycdd.ini
    2007-11-14 20:48 . 2007-11-14 20:48 <DIR> d-------- C:\Program Files\Ventrilo
    2007-11-14 20:47 . 2007-12-11 09:38 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-11-12 22:34 . 2007-12-10 21:18 <DIR> d-------- C:\Program Files\GGTD2

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-11 04:38 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ventrilo
    2007-12-09 17:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-12-08 15:28 --------- d-----w C:\Program Files\ggtrades
    2007-12-05 01:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
    2007-12-03 19:23 --------- d-----w C:\Program Files\Diablo II
    2007-11-24 20:42 4,254 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92bc260c-897a-41f8-8ac3-2ab645b41ec9}]
    2007-11-18 11:20 1502232 --a------ C:\Program Files\ggtrades\tbggt1.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba04d9ab-6dc6-4998-8060-60a627792e8c}]
    2007-11-18 11:20 1502232 --a------ C:\Program Files\Mystical_Knights\tbMys0.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{BA04D9AB-6DC6-4998-8060-60A627792E8C}"= C:\Program Files\Mystical_Knights\tbMys0.dll [2007-11-18 11:20 1502232]
    "{92BC260C-897A-41F8-8AC3-2AB645B41EC9}"= C:\Program Files\ggtrades\tbggt1.dll [2007-11-18 11:20 1502232]

    [HKEY_CLASSES_ROOT\clsid\{ba04d9ab-6dc6-4998-8060-60a627792e8c}]

    [HKEY_CLASSES_ROOT\clsid\{92bc260c-897a-41f8-8ac3-2ab645b41ec9}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{BA04D9AB-6DC6-4998-8060-60A627792E8C}"= C:\Program Files\Mystical_Knights\tbMys0.dll [2007-11-18 11:20 1502232]
    "{92BC260C-897A-41F8-8AC3-2AB645B41EC9}"= C:\Program Files\ggtrades\tbggt1.dll [2007-11-18 11:20 1502232]

    [HKEY_CLASSES_ROOT\clsid\{ba04d9ab-6dc6-4998-8060-60a627792e8c}]

    [HKEY_CLASSES_ROOT\clsid\{92bc260c-897a-41f8-8ac3-2ab645b41ec9}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Power2GoExpress"="NA" []
    "Yahoo! Pager"="1" []
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
    "MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" []
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
    "Myeek"="C:\Documents and Settings\Owner\My Documents\?racle\d?xplore.exe" []
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 04:01]
    "RTHDCPL"="RTHDCPL.EXE" [2006-04-04 18:44 C:\WINDOWS\RTHDCPL.exe]
    "Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
    "Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
    "YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 16:19]
    "Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 03:52]
    "CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-21 19:30]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-31 11:03]
    "9cf56b43"="C:\WINDOWS\system32\ajrqnucs.dll" []

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" []

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqroom]
    ssqroom.dll

    R3 kbdcap;kbdcap;C:\WINDOWS\system32\drivers\kbdcap.sys
    S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;C:\WINDOWS\system32\DRIVERS\el575nd5.sys

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{09f816e9-20c0-11db-a73d-806d6172696f}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5a001031-20b3-11db-b386-806d6172696f}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
    -> C:\DOCUME~1\Owner\LOCALS~1\Temp\qwfhldynAH.dll
    .
    **************************************************************************

    catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-11 11:23:20
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-12-11 11:24:48 - machine was rebooted
    .
    --- E O F ---
    HJT in next post

  10. #10
    Junior Member
    Join Date
    Dec 2007
    Location
    wisconsin
    Posts
    14

    Default

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:30:24 AM, on 12/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Program Files\BigFix\bigfix.exe
    C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\Scanner.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mystical-knights.com/forums/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: Mystical Knights Toolbar - {ba04d9ab-6dc6-4998-8060-60a627792e8c} - C:\Program Files\Mystical_Knights\tbMys0.dll
    R3 - URLSearchHook: ggtrades Toolbar - {92bc260c-897a-41f8-8ac3-2ab645b41ec9} - C:\Program Files\ggtrades\tbggt1.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRA~1\Yahoo!\common\YIeTagBm.dll
    O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
    O2 - BHO: ggtrades Toolbar - {92bc260c-897a-41f8-8ac3-2ab645b41ec9} - C:\Program Files\ggtrades\tbggt1.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Mystical Knights Toolbar - {ba04d9ab-6dc6-4998-8060-60a627792e8c} - C:\Program Files\Mystical_Knights\tbMys0.dll
    O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Mystical Knights Toolbar - {ba04d9ab-6dc6-4998-8060-60a627792e8c} - C:\Program Files\Mystical_Knights\tbMys0.dll
    O3 - Toolbar: ggtrades Toolbar - {92bc260c-897a-41f8-8ac3-2ab645b41ec9} - C:\Program Files\ggtrades\tbggt1.dll
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [9cf56b43] rundll32.exe "C:\WINDOWS\system32\ajrqnucs.dll",b
    O4 - HKCU\..\Run: [Power2GoExpress] NA
    O4 - HKCU\..\Run: [Yahoo! Pager] 1
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [Myeek] "C:\Documents and Settings\Owner\My Documents\?racle\d?xplore.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Yahoo! Euchre - http://download2.games.yahoo.com/gam...ts/y/et3_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/gam...s/y/poti_x.cab
    O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescampus.com/xiah/luncher/GamesCampus.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1197260567796
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: ssqroom - ssqroom.dll (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

    --
    End of file - 8581 bytes
    Going to do the smitfraud step next.
    -Bill
