Infected with flec006.exe.

skoman · May 31, 2008

Hello,
Please would you help me get rid of the viruses I got on my PC.
One of them is flec006.exe.It makes tons of connections and slow down my pc.I checked that in command prompt with netstat -b command.
I have weird process named wintems.exe which I believe it is a virus too.Another strange thing is that I see that process in task manager, but HJT does not detect it.Maybe I messed up HJT somehow or the virus is very smart.
My firewall sygate personal firewall is down and corrupted.I can not start in safe mode.My spybot search and destroy is corrupted too.It will not start.
Is it possible to clean my pc without making clean OS install?
Thanks in advance.

This is my HJT log

Logfile of HijackThis v1.99.1
Scan saved at 20:34:21, on 31.5.2008 г.
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Privoxy\privoxy.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scroogle.org/cgi-bin/scraper.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8118;https=127.0.0.1:8118;socks=127.0.0.1:8118
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;127.0.0.1
O4 - HKLM\..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{CE095E15-67E2-4FCA-BD5B-9956C94D9DFD}: NameServer = 208.67.220.220,208.67.222.222,85.187.164.17,80.72.64.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{EBEC8675-4173-4A8E-9ECD-7AF9FB48EC73}: NameServer = 85.187.164.17,80.72.64.4
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

Blade81 · Jun 1, 2008

Hi

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.

When finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

skoman · Jun 1, 2008

Thank you for the reply.
This is the log from Combofix

========================================
ComboFix 08-05-29.1 - Administrator 2008-06-01 16:53:10.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.381.1033.18.582 [GMT 3:00]
Running from: C:\Mamicata ti\цомбофикс\kombiniramfiks.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\m
C:\Documents and Settings\Administrator\Application Data\m\data.oct
C:\Documents and Settings\Administrator\Application Data\m\list.oct
C:\Documents and Settings\Administrator\Application Data\m\shared
C:\Documents and Settings\Administrator\Application Data\m\shared\1939 BattleFleet 2.05.zip
C:\Documents and Settings\Administrator\Application Data\m\shared\365 US Navy Ships Screen Saver 2.1 Key.zip
C:\Documents and Settings\Administrator\Application Data\m\shared\3D Speed City (Pocket PC) 1.1f.zip
C:\Documents and Settings\Administrator\Application Data\m\shared\3D Virtual Figure Drawing Studio (Male) 1.08a.zip
C:\Documents and Settings\Administrator\Application Data\m\shared\7thReader 1.0.zip
C:\Documents and Settings\Administrator\Application Data\m\shared\A-Z MPEG VCD DVD Video Converter 4.13.zip
C:\Documents and Settings\Administrator\Application Data\m\shared\A00-202 - Advanced programming Practice Exam Questions 1.0.zip
C:\Documents and Settings\Administrator\Application Data\m\shared\Acala Video mp3 Ripper 2.3.4.zip
C:\Documents and Settings\Administrator\Application Data\m\shared\Active Power Manager 1.0.zip
C:\Documents and Settings\Administrator\Application Data\m\shared\Adobe GoLive CS.zip
C:\Documents and Settings\Administrator\Application Data\m\shared\Advanced Accounting Powered by CAS 7.0.zip
C:\Documents and Settings\Administrator\Application Data\m\shared\Alive Desktop 1.0.zip
C:\Documents and Settings\Administrator\Application Data\m\shared\Animate Me! 1.4 .zip C:\Documents and Settings\Administrator\Application Data\m\shared\Aplus Video to Xbox 8.28.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Apple Multimedia Update 1.0.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Archive & Restore 1.1 .zip C:\Documents and Settings\Administrator\Application Data\m\shared\Arctic Torrent 1.2.3.zip C:\Documents and Settings\Administrator\Application Data\m\shared\AtomicLog 2.301.zip C:\Documents and Settings\Administrator\Application Data\m\shared\AutoMove 1.9.zip C:\Documents and Settings\Administrator\Application Data\m\shared\AutoRun Slideshow 5.0c.zip C:\Documents and Settings\Administrator\Application Data\m\shared\AutoUpdate+ 3.8.0.143 (Patch).zip C:\Documents and Settings\Administrator\Application Data\m\shared\Avast.Pro.v4.7.892-.zip C:\Documents and Settings\Administrator\Application Data\m\shared\B-Coder Professional 4.0.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Backup Deluxe 2005 1.3.zip C:\Documents and Settings\Administrator\Application Data\m\shared\BackUp Utility 1.3 (Patch).zip C:\Documents and Settings\Administrator\Application Data\m\shared\Bad IP Updater 1.5.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Baseball Statistics 1.1.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Batch Maker 1.3.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Battlefield 1942 - Bomber Carrier mod.zip C:\Documents and Settings\Administrator\Application Data\m\shared\BBC News Readers 1.0.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Beanie Genie 1.2.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Begonias on show Screensaver 1.0.zip C:\Documents and Settings\Administrator\Application Data\m\shared\BitDefender Antivirus Plus 10.2 Final.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Blog WizTool 0.2 [KeyGen].zip C:\Documents and Settings\Administrator\Application Data\m\shared\Bmp2PDF Pilot 1.00.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Bone Out From Boneville 1.51.zip C:\Documents and Settings\Administrator\Application Data\m\shared\BySoft Network Monitor 1.2.2.946.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Camouflage 1.03.zip C:\Documents and Settings\Administrator\Application Data\m\shared\CaptureWizPro Screen Capture 3.A0 [Patch].zip C:\Documents and Settings\Administrator\Application Data\m\shared\Car Maintenance Schedule Spreadsheet 1.0.zip C:\Documents and Settings\Administrator\Application Data\m\shared\CD Data Rescue 2.5.31.zip C:\Documents and Settings\Administrator\Application Data\m\shared\CD to MP3 Ripper 1.70 (Cracked).zip C:\Documents and Settings\Administrator\Application Data\m\shared\Celebrity Search 0.4.zip C:\Documents and Settings\Administrator\Application Data\m\shared\CheckPRC 2.0.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Commander 1.30.2.zip C:\Documents and Settings\Administrator\Application Data\m\shared\CtrlView 3.30.zip C:\Documents and Settings\Administrator\Application Data\m\shared\CVS Shell Extension 1.7.2.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Dark Reign 2 demo.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Datacatch Desktop Search Assistant 1.01 Key+Serial.zip C:\Documents and Settings\Administrator\Application Data\m\shared\DBManager Standard Edition 3.2.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Desktop Yoga 1.0.zip C:\Documents and Settings\Administrator\Application Data\m\shared\DevilDarts (ARM) 1.1.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Diablo II Lord of Destruction Game Enhancer mod.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Dictionary German-Polish 1.8.33.zip C:\Documents and Settings\Administrator\Application Data\m\shared\DigiStore 1.0.zip C:\Documents and Settings\Administrator\Application Data\m\shared\DotnetSwitch 1.0.zip C:\Documents and Settings\Administrator\Application Data\m\shared\DupeTrasher 1.1.zip C:\Documents and Settings\Administrator\Application Data\m\shared\EasyFlow CS2 for InDesign CS2 2.0.2 [Serial].zip C:\Documents and Settings\Administrator\Application Data\m\shared\EBook Producer 1.0 [Crack].zip C:\Documents and Settings\Administrator\Application Data\m\shared\Electric Sheep 2.6.6.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Encrypt My Information 3.06.zip C:\Documents and Settings\Administrator\Application Data\m\shared\English to Japanese Gold Dictionary 1.0.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Facial Toner.zip C:\Documents and Settings\Administrator\Application Data\m\shared\FEM-System MEANS 6.05.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Field Lines Screensaver 2.0.zip C:\Documents and Settings\Administrator\Application Data\m\shared\File Compact Wizard 2.0.0.120.zip C:\Documents and Settings\Administrator\Application Data\m\shared\File Compare 1.2.0 (KeyGen).zip C:\Documents and Settings\Administrator\Application Data\m\shared\FireTune 1.1.4.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Flash LipSync Bundle 1.0.1.zip C:\Documents and Settings\Administrator\Application Data\m\shared\FlickrNotFrisk 1.5.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Fly! II map pack 13.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Folding@Home 5.03.zip C:\Documents and Settings\Administrator\Application Data\m\shared\ForeFlight 2.0 [Cracked].zip C:\Documents and Settings\Administrator\Application Data\m\shared\FxFoto 4.0.063.zip C:\Documents and Settings\Administrator\Application Data\m\shared\FxFoto 5.0.068.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Girlsense Tune Player 1.1.zip C:\Documents and Settings\Administrator\Application Data\m\shared\GoodMorning! 1.0.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Got All Media 5.0.2.zip C:\Documents and Settings\Administrator\Application Data\m\shared\GPSS Simulator 1.0.zip C:\Documents and Settings\Administrator\Application Data\m\shared\GroupBar 1.3.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Handy Address Book Server 3.2 [Serial].zip C:\Documents and Settings\Administrator\Application Data\m\shared\Haunted House Screensaver 1.0.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Hot Key Spell Checker 1.0.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Hot Keyboard Pro 3.1.597 (Cracked).zip C:\Documents and Settings\Administrator\Application Data\m\shared\Http SMS Gateway x86 e2.1.zip C:\Documents and Settings\Administrator\Application Data\m\shared\iClone Studio 2.0 Cracked.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Inox 5.1.1 (Cracked).zip C:\Documents and Settings\Administrator\Application Data\m\shared\iPhone Sketch Icons 1.0.zip C:\Documents and Settings\Administrator\Application Data\m\shared\iPlayer 1.0.zip C:\Documents and Settings\Administrator\Application Data\m\shared\iVisit 3.6.3.zip C:\Documents and Settings\Administrator\Application Data\m\shared\JClaim 4.3.18.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Jemdam Newsletter System 1.0b.zip C:\Documents and Settings\Administrator\Application Data\m\shared\JOC Master Shutdown 1.0.1.7.zip C:\Documents and Settings\Administrator\Application Data\m\shared\John Deere World Time 1.0.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Kaspersky.6.ITA.+.key.zip C:\Documents and Settings\Administrator\Application Data\m\shared\KBTracker 0.5.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Keywarden 1.4 (Crack).zip C:\Documents and Settings\Administrator\Application Data\m\shared\Kinar KeepSafe FreeMail 1.51.9.zip C:\Documents and Settings\Administrator\Application Data\m\shared\LingvoSoft Picture Dictionary 2007 Portuguese - Chinese Mandarin Traditional 1.1.20 .zip C:\Documents and Settings\Administrator\Application Data\m\shared\LinkMail 1.1.0.0 [Serial].zip C:\Documents and Settings\Administrator\Application Data\m\shared\Localsearch 2.1 (With Crack).zip C:\Documents and Settings\Administrator\Application Data\m\shared\Magic Math Space Tour for the Age 11-12 1.0.zip C:\Documents and Settings\Administrator\Application Data\m\shared\MailZip Pro 1.0.zip C:\Documents and Settings\Administrator\Application Data\m\shared\MaxDB Data Wizard 7.3.0.1 Cracked.zip C:\Documents and Settings\Administrator\Application Data\m\shared\MaxPatrol 7.0.1070.zip C:\Documents and Settings\Administrator\Application Data\m\shared\MCE Drinks Database 1.4.3.zip C:\Documents and Settings\Administrator\Application Data\m\shared\MeowMultiSound 1.01.zip C:\Documents and Settings\Administrator\Application Data\m\shared\MessageBlockerXP 2.1.zip C:\Documents and Settings\Administrator\Application Data\m\shared\MIDletPascal 2.02 [Serial].zip C:\Documents and Settings\Administrator\Application Data\m\shared\Milf Warrior Desperate Brides 1.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Mountain Climbing Journal 1.3.zip C:\Documents and Settings\Administrator\Application Data\m\shared\MSDict English Synonymous Dictionary (Symbian UIQ) 2.40.zip C:\Documents and Settings\Administrator\Application Data\m\shared\MultiClipBoard 3.2.0.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Multiple Integration 1.00.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Music Database 2000 2.251 [Patch].zip C:\Documents and Settings\Administrator\Application Data\m\shared\Mycitymate Frankfurt (Nokia S60v2) 1.4.zip C:\Documents and Settings\Administrator\Application Data\m\shared\MySQL Administrator for Windows 5.0 r10.zip C:\Documents and Settings\Administrator\Application Data\m\shared\n2uSmartClient 1.0.1.zip C:\Documents and Settings\Administrator\Application Data\m\shared\NeatHtml 1.0.zip C:\Documents and Settings\Administrator\Application Data\m\shared\NetGong 6.2 Build 715 (Patch).zip C:\Documents and Settings\Administrator\Application Data\m\shared\NewsMaker 1.zip C:\Documents and Settings\Administrator\Application Data\m\shared\NOD32.Antivirus.v2.50.41.FR.(Version.Windows_95_98_ME).Incl-Crack.par.eMule-Paradise.com.zip C:\Documents and Settings\Administrator\Application Data\m\shared\NORTON_ANTIVIRUS_2007_ITA_CRACK.zip C:\Documents and Settings\Administrator\Application Data\m\shared\NoteTab Pro 5.1.zip C:\Documents and Settings\Administrator\Application Data\m\shared\One Must Fall Battlegrounds 2090 to 2095 Patch.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Outlook Messenger 2.7.zip C:\Documents and Settings\Administrator\Application Data\m\shared\PalmCrack 1.1.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Perfect Hunting - Mole Operation 1.1.zip C:\Documents and Settings\Administrator\Application Data\m\shared\PickPe 1.2.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Picword 1.8.zip C:\Documents and Settings\Administrator\Application Data\m\shared\PostNet and OneCode Barcode Font Package 6.09 (KeyGen).zip C:\Documents and Settings\Administrator\Application Data\m\shared\PowerQuote 12.024 Key.zip C:\Documents and Settings\Administrator\Application Data\m\shared\PowerTCP Telnet Tool 1.8.3.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Pressure Converter 1.0.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Projectexplorer 2.3.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Puma Video To MP4 Converter 2.33.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Quite Place Screensaver 1.0.zip C:\Documents and Settings\Administrator\Application Data\m\shared\R-Linux 1.0.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Rats ScreenMate 1.0.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Read 2000 American Newspapers 1.5.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Redline 1.zip C:\Documents and Settings\Administrator\Application Data\m\shared\ReducePhotoSize 1.1.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Registry Medic 3.01 build 408.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Replace Copyright 1.0.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Return to Castle Wolfenstein Enemy Territory Source Code.zip C:\Documents and Settings\Administrator\Application Data\m\shared\RoboFolder 1.2.0.66 [KeyGen].zip C:\Documents and Settings\Administrator\Application Data\m\shared\ROM With a View 3.4 Build 3004 Key+Serial.zip C:\Documents and Settings\Administrator\Application Data\m\shared\S.W.I.N.E. French retail patch 1.3-1.4.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Sav ZBase 8.1.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Score First 1.0.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Shared Address Book 1.0 KeyGen.zip C:\Documents and Settings\Administrator\Application Data\m\shared\SIGuardian 1.71 Build 361 (Key).zip C:\Documents and Settings\Administrator\Application Data\m\shared\Smart To-Do 1.8.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Smartfeed for Pocket PC 1.4.2159.zip C:\Documents and Settings\Administrator\Application Data\m\shared\SMSGate 3.11b1 [Key+Serial].zip C:\Documents and Settings\Administrator\Application Data\m\shared\Snowglobe 3D 1.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Softinabox Password Safe 1.3.0 Build 39.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Softinvestor 1.1.zip C:\Documents and Settings\Administrator\Application Data\m\shared\SohoCalendar 1.(x) (Patch).zip C:\Documents and Settings\Administrator\Application Data\m\shared\Sound Forge Audio Studio 8.0b With Crack.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Spell Catcher Plus 3.0 build 1842.zip C:\Documents and Settings\Administrator\Application Data\m\shared\SQL Server Backup 6.1.2.1326.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Stamina Typing Tutor 2.5.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Sunsets 1.0.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Supreme4 components 2.0.2 [Patch].zip C:\Documents and Settings\Administrator\Application Data\m\shared\Survey Annex 1.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Survey Power 6.30.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Suse.Kaspersky.Anti-Virus.For.Linux.Server.v4.0.1.0.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Sword of Valor 3D Screensaver 1.0.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Symantec.Norton.Antivirus.2007.Full.+.Symantec.Norton.Internet.Security.2007.Full.part1.zip C:\Documents and Settings\Administrator\Application Data\m\shared\TelStar 1.9.3.1 [KeyGen].zip C:\Documents and Settings\Administrator\Application Data\m\shared\Terminus 1.5 to 1.6 patch.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Terrorists 2.0.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Texas Holdem Poker Account Anti-Hacker Software 1.zip C:\Documents and Settings\Administrator\Application Data\m\shared\The Ultimate Video Screensaver 3.0.30.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Toolbar Doubler for Word 6.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Total 3D Home & Landscape Design Suite 9.0.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Unit Converter Opera Widget 1.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Virginia Tech Football Schedule 1.0.2.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Virtual Fashion Show 0.91 .zip C:\Documents and Settings\Administrator\Application Data\m\shared\VISaldo 1.0 With Crack.zip C:\Documents and Settings\Administrator\Application Data\m\shared\VoIPSurfer for Pocket PC 0.13.zip C:\Documents and Settings\Administrator\Application Data\m\shared\W32.Spybot.ACYR Removal Tool 1.44.0.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Wall Street Analyzer 1.23.zip C:\Documents and Settings\Administrator\Application Data\m\shared\WallAgent 0.2.0.80 Beta 3.zip C:\Documents and Settings\Administrator\Application Data\m\shared\WebCab Functions for .NET 2.0 [With Crack].zip C:\Documents and Settings\Administrator\Application Data\m\shared\WebPosition Professional 4.0a build 763 [Key+Serial].zip C:\Documents and Settings\Administrator\Application Data\m\shared\Wedding Album Maker 1.23 Key.zip C:\Documents and Settings\Administrator\Application Data\m\shared\WinCD 2.71 (Cracked).zip C:\Documents and Settings\Administrator\Application Data\m\shared\WindowShade X 4.0.1.zip C:\Documents and Settings\Administrator\Application Data\m\shared\WinMHT 1.4.zip C:\Documents and Settings\Administrator\Application Data\m\shared\WinPac 2 1.03b.zip C:\Documents and Settings\Administrator\Application Data\m\shared\Wondershare Pocket DVD Ripper 3.1.21.zip C:\Documents and Settings\Administrator\Application Data\m\shared\WordRight Realtime Spelling Assistant 1.zip C:\Documents and Settings\Administrator\Application Data\m\shared\WordStone 1.2.0 (KeyGen).zip C:\Documents and Settings\Administrator\Application Data\m\shared\WS-FTP Home 2007.zip C:\Documents and Settings\Administrator\Application Data\m\shared\xlUserMigrator 1.1.zip C:\Documents and Settings\Administrator\Application Data\m\shared\XVid;-) 2.2.0.7175.zip C:\Documents and Settings\Administrator\Application Data\m\srvlist.oct C:\Program Files\Common Files\{94B3A~1 C:\Program Files\Digital Media Reader\shwicon2k.exe C:\WINDOWS\system32\ban_list.txt C:\WINDOWS\system32\drivers\down C:\WINDOWS\system32\drivers\down\1002203.exe C:\WINDOWS\system32\drivers\down\1002734.exe C:\WINDOWS\system32\drivers\down\1003953.exe C:\WINDOWS\system32\drivers\down\1005937.exe C:\WINDOWS\system32\drivers\down\1016265.exe C:\WINDOWS\system32\drivers\down\102078.exe C:\WINDOWS\system32\drivers\down\1033468.exe C:\WINDOWS\system32\drivers\down\1035656.exe C:\WINDOWS\system32\drivers\down\103625.exe C:\WINDOWS\system32\drivers\down\1036375.exe C:\WINDOWS\system32\drivers\down\1038500.exe C:\WINDOWS\system32\drivers\down\1039031.exe C:\WINDOWS\system32\drivers\down\1042328.exe C:\WINDOWS\system32\drivers\down\104312.exe C:\WINDOWS\system32\drivers\down\1049015.exe C:\WINDOWS\system32\drivers\down\105406.exe C:\WINDOWS\system32\drivers\down\1054609.exe C:\WINDOWS\system32\drivers\down\1056984.exe C:\WINDOWS\system32\drivers\down\1063921.exe C:\WINDOWS\system32\drivers\down\1065500.exe C:\WINDOWS\system32\drivers\down\1065953.exe C:\WINDOWS\system32\drivers\down\107531.exe C:\WINDOWS\system32\drivers\down\108765.exe C:\WINDOWS\system32\drivers\down\1097828.exe C:\WINDOWS\system32\drivers\down\109906.exe C:\WINDOWS\system32\drivers\down\110640.exe C:\WINDOWS\system32\drivers\down\112062.exe C:\WINDOWS\system32\drivers\down\114125.exe C:\WINDOWS\system32\drivers\down\118671.exe C:\WINDOWS\system32\drivers\down\121421.exe C:\WINDOWS\system32\drivers\down\121562.exe C:\WINDOWS\system32\drivers\down\125312.exe C:\WINDOWS\system32\drivers\down\125859.exe C:\WINDOWS\system32\drivers\down\127078.exe C:\WINDOWS\system32\drivers\down\129078.exe C:\WINDOWS\system32\drivers\down\130000.exe C:\WINDOWS\system32\drivers\down\130359.exe C:\WINDOWS\system32\drivers\down\132390.exe C:\WINDOWS\system32\drivers\down\133937.exe C:\WINDOWS\system32\drivers\down\135265.exe C:\WINDOWS\system32\drivers\down\138984.exe C:\WINDOWS\system32\drivers\down\140984.exe C:\WINDOWS\system32\drivers\down\143609.exe C:\WINDOWS\system32\drivers\down\143640.exe C:\WINDOWS\system32\drivers\down\144796.exe C:\WINDOWS\system32\drivers\down\14543609.exe C:\WINDOWS\system32\drivers\down\14552734.exe C:\WINDOWS\system32\drivers\down\14564140.exe C:\WINDOWS\system32\drivers\down\14578781.exe C:\WINDOWS\system32\drivers\down\14580906.exe C:\WINDOWS\system32\drivers\down\14642640.exe C:\WINDOWS\system32\drivers\down\14644156.exe C:\WINDOWS\system32\drivers\down\14650921.exe C:\WINDOWS\system32\drivers\down\14652093.exe C:\WINDOWS\system32\drivers\down\14653031.exe C:\WINDOWS\system32\drivers\down\14658000.exe C:\WINDOWS\system32\drivers\down\14659140.exe C:\WINDOWS\system32\drivers\down\14735796.exe C:\WINDOWS\system32\drivers\down\14743671.exe C:\WINDOWS\system32\drivers\down\14751406.exe C:\WINDOWS\system32\drivers\down\14774968.exe C:\WINDOWS\system32\drivers\down\14787734.exe C:\WINDOWS\system32\drivers\down\14789156.exe C:\WINDOWS\system32\drivers\down\14794625.exe C:\WINDOWS\system32\drivers\down\14807953.exe C:\WINDOWS\system32\drivers\down\14810234.exe C:\WINDOWS\system32\drivers\down\14812296.exe C:\WINDOWS\system32\drivers\down\14814578.exe C:\WINDOWS\system32\drivers\down\14814750.exe C:\WINDOWS\system32\drivers\down\14816328.exe C:\WINDOWS\system32\drivers\down\14817312.exe C:\WINDOWS\system32\drivers\down\14819265.exe C:\WINDOWS\system32\drivers\down\14820562.exe C:\WINDOWS\system32\drivers\down\14822140.exe C:\WINDOWS\system32\drivers\down\14827062.exe C:\WINDOWS\system32\drivers\down\14827750.exe C:\WINDOWS\system32\drivers\down\14830546.exe C:\WINDOWS\system32\drivers\down\14833531.exe C:\WINDOWS\system32\drivers\down\14835359.exe C:\WINDOWS\system32\drivers\down\14835921.exe C:\WINDOWS\system32\drivers\down\14836046.exe C:\WINDOWS\system32\drivers\down\14840437.exe C:\WINDOWS\system32\drivers\down\14840953.exe C:\WINDOWS\system32\drivers\down\14842781.exe C:\WINDOWS\system32\drivers\down\14842859.exe C:\WINDOWS\system32\drivers\down\14845125.exe C:\WINDOWS\system32\drivers\down\14846953.exe C:\WINDOWS\system32\drivers\down\14848046.exe C:\WINDOWS\system32\drivers\down\14856796.exe C:\WINDOWS\system32\drivers\down\14872921.exe C:\WINDOWS\system32\drivers\down\148781.exe C:\WINDOWS\system32\drivers\down\14878984.exe C:\WINDOWS\system32\drivers\down\14884125.exe C:\WINDOWS\system32\drivers\down\14889140.exe C:\WINDOWS\system32\drivers\down\14892468.exe C:\WINDOWS\system32\drivers\down\14895890.exe C:\WINDOWS\system32\drivers\down\14898531.exe C:\WINDOWS\system32\drivers\down\14900781.exe C:\WINDOWS\system32\drivers\down\14901578.exe C:\WINDOWS\system32\drivers\down\14902968.exe C:\WINDOWS\system32\drivers\down\14904281.exe C:\WINDOWS\system32\drivers\down\14908703.exe C:\WINDOWS\system32\drivers\down\14909375.exe C:\WINDOWS\system32\drivers\down\14909437.exe C:\WINDOWS\system32\drivers\down\14914531.exe C:\WINDOWS\system32\drivers\down\14914796.exe C:\WINDOWS\system32\drivers\down\14918406.exe C:\WINDOWS\system32\drivers\down\14919734.exe C:\WINDOWS\system32\drivers\down\14921734.exe C:\WINDOWS\system32\drivers\down\14925921.exe C:\WINDOWS\system32\drivers\down\15046765.exe C:\WINDOWS\system32\drivers\down\15047656.exe C:\WINDOWS\system32\drivers\down\15048937.exe C:\WINDOWS\system32\drivers\down\15049390.exe C:\WINDOWS\system32\drivers\down\15049875.exe C:\WINDOWS\system32\drivers\down\15050468.exe C:\WINDOWS\system32\drivers\down\15064968.exe C:\WINDOWS\system32\drivers\down\15067484.exe C:\WINDOWS\system32\drivers\down\15090812.exe C:\WINDOWS\system32\drivers\down\15092593.exe C:\WINDOWS\system32\drivers\down\15093000.exe C:\WINDOWS\system32\drivers\down\15095046.exe C:\WINDOWS\system32\drivers\down\15098296.exe C:\WINDOWS\system32\drivers\down\15099359.exe C:\WINDOWS\system32\drivers\down\15099828.exe C:\WINDOWS\system32\drivers\down\15121687.exe C:\WINDOWS\system32\drivers\down\15128640.exe C:\WINDOWS\system32\drivers\down\15128687.exe C:\WINDOWS\system32\drivers\down\15134218.exe C:\WINDOWS\system32\drivers\down\15138015.exe C:\WINDOWS\system32\drivers\down\15149093.exe C:\WINDOWS\system32\drivers\down\15151265.exe C:\WINDOWS\system32\drivers\down\15153796.exe C:\WINDOWS\system32\drivers\down\15155531.exe C:\WINDOWS\system32\drivers\down\15156421.exe C:\WINDOWS\system32\drivers\down\15162406.exe C:\WINDOWS\system32\drivers\down\15164515.exe C:\WINDOWS\system32\drivers\down\15166453.exe C:\WINDOWS\system32\drivers\down\15166812.exe C:\WINDOWS\system32\drivers\down\15169078.exe C:\WINDOWS\system32\drivers\down\15169562.exe C:\WINDOWS\system32\drivers\down\15176375.exe C:\WINDOWS\system32\drivers\down\15178968.exe C:\WINDOWS\system32\drivers\down\15179093.exe C:\WINDOWS\system32\drivers\down\15179796.exe C:\WINDOWS\system32\drivers\down\152015.exe C:\WINDOWS\system32\drivers\down\15202218.exe C:\WINDOWS\system32\drivers\down\15216046.exe C:\WINDOWS\system32\drivers\down\15242000.exe C:\WINDOWS\system32\drivers\down\15258015.exe C:\WINDOWS\system32\drivers\down\15259687.exe C:\WINDOWS\system32\drivers\down\15266031.exe C:\WINDOWS\system32\drivers\down\15287593.exe C:\WINDOWS\system32\drivers\down\15299609.exe C:\WINDOWS\system32\drivers\down\15303515.exe C:\WINDOWS\system32\drivers\down\15374234.exe C:\WINDOWS\system32\drivers\down\15379953.exe C:\WINDOWS\system32\drivers\down\15389484.exe C:\WINDOWS\system32\drivers\down\15390937.exe C:\WINDOWS\system32\drivers\down\15396906.exe C:\WINDOWS\system32\drivers\down\154031.exe C:\WINDOWS\system32\drivers\down\15406218.exe C:\WINDOWS\system32\drivers\down\15422390.exe C:\WINDOWS\system32\drivers\down\15441437.exe C:\WINDOWS\system32\drivers\down\15478437.exe C:\WINDOWS\system32\drivers\down\15493968.exe C:\WINDOWS\system32\drivers\down\15495062.exe C:\WINDOWS\system32\drivers\down\15503078.exe C:\WINDOWS\system32\drivers\down\15521640.exe C:\WINDOWS\system32\drivers\down\15526234.exe C:\WINDOWS\system32\drivers\down\15532125.exe C:\WINDOWS\system32\drivers\down\157015.exe C:\WINDOWS\system32\drivers\down\159578.exe C:\WINDOWS\system32\drivers\down\162234.exe C:\WINDOWS\system32\drivers\down\164781.exe C:\WINDOWS\system32\drivers\down\165781.exe C:\WINDOWS\system32\drivers\down\166203.exe C:\WINDOWS\system32\drivers\down\167906.exe C:\WINDOWS\system32\drivers\down\169250.exe C:\WINDOWS\system32\drivers\down\174890.exe C:\WINDOWS\system32\drivers\down\181187.exe C:\WINDOWS\system32\drivers\down\184484.exe C:\WINDOWS\system32\drivers\down\18469296.exe C:\WINDOWS\system32\drivers\down\18475437.exe C:\WINDOWS\system32\drivers\down\18489000.exe C:\WINDOWS\system32\drivers\down\18526921.exe C:\WINDOWS\system32\drivers\down\18527281.exe C:\WINDOWS\system32\drivers\down\18539281.exe C:\WINDOWS\system32\drivers\down\18542171.exe C:\WINDOWS\system32\drivers\down\18551843.exe C:\WINDOWS\system32\drivers\down\18553890.exe C:\WINDOWS\system32\drivers\down\18556281.exe C:\WINDOWS\system32\drivers\down\18564796.exe C:\WINDOWS\system32\drivers\down\18567781.exe C:\WINDOWS\system32\drivers\down\18568187.exe C:\WINDOWS\system32\drivers\down\18568625.exe C:\WINDOWS\system32\drivers\down\18569140.exe C:\WINDOWS\system32\drivers\down\18575000.exe C:\WINDOWS\system32\drivers\down\18576906.exe C:\WINDOWS\system32\drivers\down\18610953.exe C:\WINDOWS\system32\drivers\down\18613734.exe C:\WINDOWS\system32\drivers\down\189390.exe C:\WINDOWS\system32\drivers\down\194234.exe C:\WINDOWS\system32\drivers\down\194656.exe C:\WINDOWS\system32\drivers\down\196390.exe C:\WINDOWS\system32\drivers\down\201750.exe C:\WINDOWS\system32\drivers\down\202906.exe C:\WINDOWS\system32\drivers\down\205421.exe C:\WINDOWS\system32\drivers\down\206437.exe C:\WINDOWS\system32\drivers\down\207515.exe C:\WINDOWS\system32\drivers\down\208031.exe C:\WINDOWS\system32\drivers\down\208859.exe C:\WINDOWS\system32\drivers\down\209625.exe C:\WINDOWS\system32\drivers\down\210015.exe C:\WINDOWS\system32\drivers\down\218234.exe C:\WINDOWS\system32\drivers\down\219140.exe C:\WINDOWS\system32\drivers\down\220546.exe C:\WINDOWS\system32\drivers\down\225109.exe C:\WINDOWS\system32\drivers\down\226937.exe C:\WINDOWS\system32\drivers\down\227625.exe C:\WINDOWS\system32\drivers\down\229656.exe C:\WINDOWS\system32\drivers\down\230375.exe C:\WINDOWS\system32\drivers\down\231171.exe C:\WINDOWS\system32\drivers\down\232453.exe C:\WINDOWS\system32\drivers\down\235562.exe C:\WINDOWS\system32\drivers\down\243171.exe C:\WINDOWS\system32\drivers\down\252343.exe C:\WINDOWS\system32\drivers\down\253046.exe C:\WINDOWS\system32\drivers\down\253140.exe C:\WINDOWS\system32\drivers\down\253937.exe C:\WINDOWS\system32\drivers\down\254703.exe C:\WINDOWS\system32\drivers\down\257203.exe C:\WINDOWS\system32\drivers\down\258281.exe C:\WINDOWS\system32\drivers\down\258687.exe C:\WINDOWS\system32\drivers\down\261203.exe C:\WINDOWS\system32\drivers\down\262843.exe C:\WINDOWS\system32\drivers\down\264234.exe C:\WINDOWS\system32\drivers\down\264437.exe C:\WINDOWS\system32\drivers\down\265296.exe C:\WINDOWS\system32\drivers\down\265375.exe C:\WINDOWS\system32\drivers\down\266609.exe C:\WINDOWS\system32\drivers\down\266781.exe C:\WINDOWS\system32\drivers\down\268156.exe C:\WINDOWS\system32\drivers\down\268656.exe C:\WINDOWS\system32\drivers\down\269421.exe C:\WINDOWS\system32\drivers\down\272531.exe C:\WINDOWS\system32\drivers\down\273421.exe C:\WINDOWS\system32\drivers\down\273828.exe C:\WINDOWS\system32\drivers\down\280312.exe C:\WINDOWS\system32\drivers\down\280671.exe C:\WINDOWS\system32\drivers\down\281312.exe C:\WINDOWS\system32\drivers\down\284328.exe C:\WINDOWS\system32\drivers\down\285171.exe C:\WINDOWS\system32\drivers\down\285437.exe C:\WINDOWS\system32\drivers\down\285765.exe C:\WINDOWS\system32\drivers\down\287343.exe C:\WINDOWS\system32\drivers\down\289328.exe C:\WINDOWS\system32\drivers\down\289406.exe C:\WINDOWS\system32\drivers\down\290000.exe C:\WINDOWS\system32\drivers\down\290890.exe C:\WINDOWS\system32\drivers\down\293078.exe C:\WINDOWS\system32\drivers\down\293312.exe C:\WINDOWS\system32\drivers\down\295453.exe C:\WINDOWS\system32\drivers\down\301234.exe C:\WINDOWS\system32\drivers\down\302218.exe C:\WINDOWS\system32\drivers\down\303406.exe C:\WINDOWS\system32\drivers\down\304656.exe C:\WINDOWS\system32\drivers\down\305796.exe C:\WINDOWS\system32\drivers\down\308125.exe C:\WINDOWS\system32\drivers\down\309656.exe C:\WINDOWS\system32\drivers\down\309921.exe C:\WINDOWS\system32\drivers\down\310578.exe C:\WINDOWS\system32\drivers\down\312125.exe C:\WINDOWS\system32\drivers\down\315234.exe C:\WINDOWS\system32\drivers\down\315437.exe C:\WINDOWS\system32\drivers\down\317000.exe C:\WINDOWS\system32\drivers\down\318343.exe C:\WINDOWS\system32\drivers\down\318562.exe C:\WINDOWS\system32\drivers\down\318968.exe C:\WINDOWS\system32\drivers\down\320484.exe C:\WINDOWS\system32\drivers\down\322078.exe C:\WINDOWS\system32\drivers\down\324125.exe C:\WINDOWS\system32\drivers\down\324312.exe C:\WINDOWS\system32\drivers\down\324562.exe C:\WINDOWS\system32\drivers\down\324921.exe C:\WINDOWS\system32\drivers\down\326140.exe C:\WINDOWS\system32\drivers\down\327562.exe C:\WINDOWS\system32\drivers\down\328062.exe C:\WINDOWS\system32\drivers\down\328531.exe C:\WINDOWS\system32\drivers\down\328921.exe C:\WINDOWS\system32\drivers\down\329984.exe C:\WINDOWS\system32\drivers\down\330562.exe C:\WINDOWS\system32\drivers\down\330875.exe C:\WINDOWS\system32\drivers\down\333203.exe C:\WINDOWS\system32\drivers\down\333640.exe C:\WINDOWS\system32\drivers\down\334125.exe C:\WINDOWS\system32\drivers\down\337046.exe C:\WINDOWS\system32\drivers\down\337593.exe C:\WINDOWS\system32\drivers\down\337921.exe C:\WINDOWS\system32\drivers\down\339453.exe C:\WINDOWS\system32\drivers\down\342625.exe C:\WINDOWS\system32\drivers\down\346171.exe C:\WINDOWS\system32\drivers\down\346515.exe C:\WINDOWS\system32\drivers\down\352984.exe C:\WINDOWS\system32\drivers\down\353031.exe C:\WINDOWS\system32\drivers\down\353875.exe C:\WINDOWS\system32\drivers\down\355906.exe C:\WINDOWS\system32\drivers\down\356953.exe C:\WINDOWS\system32\drivers\down\359500.exe C:\WINDOWS\system32\drivers\down\360140.exe C:\WINDOWS\system32\drivers\down\360375.exe C:\WINDOWS\system32\drivers\down\360656.exe C:\WINDOWS\system32\drivers\down\361203.exe C:\WINDOWS\system32\drivers\down\361734.exe C:\WINDOWS\system32\drivers\down\363500.exe C:\WINDOWS\system32\drivers\down\364218.exe C:\WINDOWS\system32\drivers\down\364390.exe C:\WINDOWS\system32\drivers\down\365250.exe C:\WINDOWS\system32\drivers\down\365500.exe C:\WINDOWS\system32\drivers\down\366015.exe C:\WINDOWS\system32\drivers\down\366453.exe C:\WINDOWS\system32\drivers\down\366890.exe C:\WINDOWS\system32\drivers\down\366953.exe C:\WINDOWS\system32\drivers\down\367015.exe C:\WINDOWS\system32\drivers\down\367093.exe C:\WINDOWS\system32\drivers\down\367515.exe C:\WINDOWS\system32\drivers\down\369218.exe C:\WINDOWS\system32\drivers\down\369687.exe C:\WINDOWS\system32\drivers\down\369734.exe C:\WINDOWS\system32\drivers\down\369843.exe C:\WINDOWS\system32\drivers\down\370234.exe C:\WINDOWS\system32\drivers\down\371546.exe C:\WINDOWS\system32\drivers\down\373500.exe C:\WINDOWS\system32\drivers\down\374781.exe C:\WINDOWS\system32\drivers\down\376390.exe C:\WINDOWS\system32\drivers\down\376968.exe C:\WINDOWS\system32\drivers\down\377062.exe C:\WINDOWS\system32\drivers\down\3774656.exe C:\WINDOWS\system32\drivers\down\378593.exe C:\WINDOWS\system32\drivers\down\3786750.exe C:\WINDOWS\system32\drivers\down\379312.exe C:\WINDOWS\system32\drivers\down\380000.exe C:\WINDOWS\system32\drivers\down\380765.exe C:\WINDOWS\system32\drivers\down\382046.exe C:\WINDOWS\system32\drivers\down\3846046.exe C:\WINDOWS\system32\drivers\down\3847578.exe C:\WINDOWS\system32\drivers\down\385875.exe C:\WINDOWS\system32\drivers\down\386421.exe C:\WINDOWS\system32\drivers\down\3878171.exe C:\WINDOWS\system32\drivers\down\3880890.exe C:\WINDOWS\system32\drivers\down\3897187.exe C:\WINDOWS\system32\drivers\down\3904109.exe C:\WINDOWS\system32\drivers\down\391156.exe C:\WINDOWS\system32\drivers\down\3912468.exe C:\WINDOWS\system32\drivers\down\392515.exe C:\WINDOWS\system32\drivers\down\3928687.exe C:\WINDOWS\system32\drivers\down\3934062.exe C:\WINDOWS\system32\drivers\down\3937546.exe C:\WINDOWS\system32\drivers\down\394406.exe C:\WINDOWS\system32\drivers\down\3944671.exe C:\WINDOWS\system32\drivers\down\395062.exe C:\WINDOWS\system32\drivers\down\3951156.exe C:\WINDOWS\system32\drivers\down\3959437.exe C:\WINDOWS\system32\drivers\down\3967203.exe C:\WINDOWS\system32\drivers\down\397515.exe C:\WINDOWS\system32\drivers\down\4004625.exe C:\WINDOWS\system32\drivers\down\401343.exe C:\WINDOWS\system32\drivers\down\4028734.exe C:\WINDOWS\system32\drivers\down\405203.exe C:\WINDOWS\system32\drivers\down\406062.exe C:\WINDOWS\system32\drivers\down\406453.exe C:\WINDOWS\system32\drivers\down\407171.exe C:\WINDOWS\system32\drivers\down\408765.exe C:\WINDOWS\system32\drivers\down\409203.exe C:\WINDOWS\system32\drivers\down\409796.exe C:\WINDOWS\system32\drivers\down\410703.exe C:\WINDOWS\system32\drivers\down\414265.exe C:\WINDOWS\system32\drivers\down\415187.exe C:\WINDOWS\system32\drivers\down\415265.exe C:\WINDOWS\system32\drivers\down\415359.exe C:\WINDOWS\system32\drivers\down\416156.exe C:\WINDOWS\system32\drivers\down\416843.exe C:\WINDOWS\system32\drivers\down\418515.exe C:\WINDOWS\system32\drivers\down\418625.exe C:\WINDOWS\system32\drivers\down\421875.exe C:\WINDOWS\system32\drivers\down\423875.exe C:\WINDOWS\system32\drivers\down\427171.exe C:\WINDOWS\system32\drivers\down\429718.exe C:\WINDOWS\system32\drivers\down\431062.exe C:\WINDOWS\system32\drivers\down\435734.exe C:\WINDOWS\system32\drivers\down\436390.exe C:\WINDOWS\system32\drivers\down\43810250.exe C:\WINDOWS\system32\drivers\down\43820250.exe C:\WINDOWS\system32\drivers\down\43828562.exe C:\WINDOWS\system32\drivers\down\43874312.exe C:\WINDOWS\system32\drivers\down\43875953.exe C:\WINDOWS\system32\drivers\down\43891953.exe C:\WINDOWS\system32\drivers\down\43897171.exe C:\WINDOWS\system32\drivers\down\43899390.exe C:\WINDOWS\system32\drivers\down\43902140.exe C:\WINDOWS\system32\drivers\down\43906921.exe C:\WINDOWS\system32\drivers\down\43922000.exe C:\WINDOWS\system32\drivers\down\43925156.exe C:\WINDOWS\system32\drivers\down\43929187.exe C:\WINDOWS\system32\drivers\down\43929687.exe C:\WINDOWS\system32\drivers\down\43933546.exe C:\WINDOWS\system32\drivers\down\43936640.exe C:\WINDOWS\system32\drivers\down\43942921.exe C:\WINDOWS\system32\drivers\down\43972640.exe C:\WINDOWS\system32\drivers\down\43975468.exe C:\WINDOWS\system32\drivers\down\440484.exe C:\WINDOWS\system32\drivers\down\441375.exe C:\WINDOWS\system32\drivers\down\442796.exe C:\WINDOWS\system32\drivers\down\442875.exe C:\WINDOWS\system32\drivers\down\443312.exe C:\WINDOWS\system32\drivers\down\443421.exe C:\WINDOWS\system32\drivers\down\444343.exe C:\WINDOWS\system32\drivers\down\444984.exe C:\WINDOWS\system32\drivers\down\448078.exe C:\WINDOWS\system32\drivers\down\451968.exe C:\WINDOWS\system32\drivers\down\452468.exe C:\WINDOWS\system32\drivers\down\456859.exe C:\WINDOWS\system32\drivers\down\460281.exe C:\WINDOWS\system32\drivers\down\461453.exe C:\WINDOWS\system32\drivers\down\465421.exe C:\WINDOWS\system32\drivers\down\469093.exe C:\WINDOWS\system32\drivers\down\475500.exe C:\WINDOWS\system32\drivers\down\476984.exe C:\WINDOWS\system32\drivers\down\478906.exe C:\WINDOWS\system32\drivers\down\479734.exe C:\WINDOWS\system32\drivers\down\482828.exe C:\WINDOWS\system32\drivers\down\483171.exe C:\WINDOWS\system32\drivers\down\494671.exe C:\WINDOWS\system32\drivers\down\498125.exe C:\WINDOWS\system32\drivers\down\505531.exe C:\WINDOWS\system32\drivers\down\506281.exe C:\WINDOWS\system32\drivers\down\506921.exe C:\WINDOWS\system32\drivers\down\507859.exe C:\WINDOWS\system32\drivers\down\508687.exe C:\WINDOWS\system32\drivers\down\509390.exe C:\WINDOWS\system32\drivers\down\510375.exe C:\WINDOWS\system32\drivers\down\607656.exe C:\WINDOWS\system32\drivers\down\608406.exe C:\WINDOWS\system32\drivers\down\614109.exe C:\WINDOWS\system32\drivers\down\620281.exe C:\WINDOWS\system32\drivers\down\622484.exe C:\WINDOWS\system32\drivers\down\634515.exe C:\WINDOWS\system32\drivers\down\653281.exe C:\WINDOWS\system32\drivers\down\670375.exe C:\WINDOWS\system32\drivers\down\673968.exe C:\WINDOWS\system32\drivers\down\685062.exe C:\WINDOWS\system32\drivers\down\687140.exe C:\WINDOWS\system32\drivers\down\694171.exe C:\WINDOWS\system32\drivers\down\69500.exe C:\WINDOWS\system32\drivers\down\696593.exe C:\WINDOWS\system32\drivers\down\701671.exe C:\WINDOWS\system32\drivers\down\703859.exe C:\WINDOWS\system32\drivers\down\706703.exe C:\WINDOWS\system32\drivers\down\707406.exe C:\WINDOWS\system32\drivers\down\708906.exe C:\WINDOWS\system32\drivers\down\710750.exe C:\WINDOWS\system32\drivers\down\711171.exe C:\WINDOWS\system32\drivers\down\712343.exe C:\WINDOWS\system32\drivers\down\715031.exe C:\WINDOWS\system32\drivers\down\717609.exe C:\WINDOWS\system32\drivers\down\71984.exe C:\WINDOWS\system32\drivers\down\719890.exe C:\WINDOWS\system32\drivers\down\721484.exe C:\WINDOWS\system32\drivers\down\722609.exe C:\WINDOWS\system32\drivers\down\725593.exe C:\WINDOWS\system32\drivers\down\725671.exe C:\WINDOWS\system32\drivers\down\726921.exe C:\WINDOWS\system32\drivers\down\730609.exe C:\WINDOWS\system32\drivers\down\733906.exe C:\WINDOWS\system32\drivers\down\737921.exe C:\WINDOWS\system32\drivers\down\741109.exe C:\WINDOWS\system32\drivers\down\742484.exe C:\WINDOWS\system32\drivers\down\74750.exe C:\WINDOWS\system32\drivers\down\748281.exe C:\WINDOWS\system32\drivers\down\750093.exe C:\WINDOWS\system32\drivers\down\750640.exe C:\WINDOWS\system32\drivers\down\752875.exe C:\WINDOWS\system32\drivers\down\757000.exe C:\WINDOWS\system32\drivers\down\758656.exe C:\WINDOWS\system32\drivers\down\759109.exe C:\WINDOWS\system32\drivers\down\77453.exe C:\WINDOWS\system32\drivers\down\78328.exe C:\WINDOWS\system32\drivers\down\80625.exe C:\WINDOWS\system32\drivers\down\809671.exe C:\WINDOWS\system32\drivers\down\812015.exe C:\WINDOWS\system32\drivers\down\81578.exe C:\WINDOWS\system32\drivers\down\823968.exe C:\WINDOWS\system32\drivers\down\83109.exe C:\WINDOWS\system32\drivers\down\84125.exe C:\WINDOWS\system32\drivers\down\846937.exe C:\WINDOWS\system32\drivers\down\84984.exe C:\WINDOWS\system32\drivers\down\85140.exe C:\WINDOWS\system32\drivers\down\851531.exe C:\WINDOWS\system32\drivers\down\855921.exe C:\WINDOWS\system32\drivers\down\85765.exe C:\WINDOWS\system32\drivers\down\87390.exe C:\WINDOWS\system32\drivers\down\879640.exe C:\WINDOWS\system32\drivers\down\88312.exe C:\WINDOWS\system32\drivers\down\885765.exe C:\WINDOWS\system32\drivers\down\892156.exe C:\WINDOWS\system32\drivers\down\89625.exe C:\WINDOWS\system32\drivers\down\899343.exe C:\WINDOWS\system32\drivers\down\901125.exe C:\WINDOWS\system32\drivers\down\901218.exe C:\WINDOWS\system32\drivers\down\909078.exe C:\WINDOWS\system32\drivers\down\90937.exe C:\WINDOWS\system32\drivers\down\92078.exe C:\WINDOWS\system32\drivers\down\92562.exe C:\WINDOWS\system32\drivers\down\928812.exe C:\WINDOWS\system32\drivers\down\939421.exe C:\WINDOWS\system32\drivers\down\94156.exe C:\WINDOWS\system32\drivers\down\943375.exe C:\WINDOWS\system32\drivers\down\943812.exe C:\WINDOWS\system32\drivers\down\945421.exe C:\WINDOWS\system32\drivers\down\946875.exe C:\WINDOWS\system32\drivers\down\94906.exe C:\WINDOWS\system32\drivers\down\95171.exe C:\WINDOWS\system32\drivers\down\95281.exe C:\WINDOWS\system32\drivers\down\958656.exe C:\WINDOWS\system32\drivers\down\960234.exe C:\WINDOWS\system32\drivers\down\960984.exe C:\WINDOWS\system32\drivers\down\964468.exe C:\WINDOWS\system32\drivers\down\968421.exe C:\WINDOWS\system32\drivers\down\968671.exe C:\WINDOWS\system32\drivers\down\97156.exe C:\WINDOWS\system32\drivers\down\974375.exe C:\WINDOWS\system32\drivers\down\976406.exe C:\WINDOWS\system32\drivers\down\977000.exe C:\WINDOWS\system32\drivers\down\982968.exe C:\WINDOWS\system32\drivers\down\993687.exe C:\WINDOWS\system32\drivers\down\998140.exe C:\WINDOWS\system32\drivers\down\998796.exe C:\WINDOWS\system32\drivers\hldrrr.exe C:\WINDOWS\system32\drivers\npf.sys C:\WINDOWS\system32\drivers\srosa.sys C:\WINDOWS\system32\mdelk.exe C:\WINDOWS\system32\MSINET.oca C:\WINDOWS\system32\packet.dll C:\WINDOWS\system32\pthreadVC.dll C:\WINDOWS\system32\wanpacket.dll C:\WINDOWS\system32\wintems.exe C:\WINDOWS\system32\wpcap.dll C:\WINDOWS\WINDOWS C:\WINDOWS\WINDOWS\pulableaga.sys D:\Autorun.inf . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_NPF -------\Legacy_SROSA -------\Service_NPF -------\Service_srosa ((((((((((((((((((((((((( Files Created from 2008-05-01 to 2008-06-01 ))))))))))))))))))))))))))))))) . 2008-06-01 12:38 . 2008-06-01 16:38 <DIR> d-------- C:\Mamicata ti 2008-06-01 12:36 . 2008-06-01 12:33 2,205,157 --a------ C:\Copy of IceSword122en.zip 2008-06-01 12:33 . 2008-06-01 12:33 2,205,157 --a------ C:\IceSword122en.zip 2008-06-01 12:20 . 2008-06-01 12:20 0 --------- C:\hldrrr.exe 2008-06-01 12:15 . 2008-06-01 12:15 0 --a------ C:\WINDOWS\system32\drivers\hldrr.exe 2008-05-31 19:39 . 2008-05-31 19:40 <DIR> d-------- C:\Program Files\Hamachi 2008-05-30 11:00 . 2008-05-31 19:39 10,345 --a------ C:\WINDOWS\system32\drivers\hamachi.sys . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-06-01 13:58 --------- d-----w C:\Program Files\Digital Media Reader 2008-06-01 13:53 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype 2008-05-26 15:37 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent 2008-05-23 12:57 --------- d-----w C:\Program Files\OpenOffice.org 2.0 2008-05-23 12:53 --------- d-----w C:\Program Files\Opera 2006-09-07 09:41 54,312 ----a-w C:\Program Files\tor-bundle-uninstall.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ] "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-02-07 09:40 118784] "CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 16:47 57344] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 22:00 15360] C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ Privoxy.lnk - C:\Program Files\Privoxy\privoxy.exe [2004-01-31 14:18:30 212480] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.ffds"= C:\Program Files\ffdshow\ffdshow.ax [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ] --a------ 2005-06-03 02:03 1957888 C:\Program Files\Ahead\Nero BackItUp\NBJ.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] "NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1 "<NO NAME>"= [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" "Symantec NetDriver Monitor"=C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer "igfxtray"=C:\WINDOWS\system32\igfxtray.exe "NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe "igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "C:\\Program Files\\BitComet\\BitComet.exe"= "C:\\Program Files\\Tor\\tor.exe"= "C:\\WINDOWS\\system32\\sessmgr.exe"= "C:\\Program Files\\Peer2Mail\\P2M.exe"= "C:\\Program Files\\ICQ6\\ICQ.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\Skype\\Phone\\Skype.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "25934:TCP"= 25934:TCP:BitComet port "25934:UDP"= 25934:UDP:BitComet port "25:TCP"= 25:TCP2M port "80:TCP"= 80:TCP2M port R2 sensorsview;sensorsview;C:\WINDOWS\system32\drivers\sensorsview.sys [2006-02-09 14:54] S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2003-10-22 16:27] S3 ALSysIO;ALSysIO;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ALSysIO.sys [] S3 ddsxeiservice;ddsxeiservice2;C:\Program Files\sXe Injected\ddsxei.sys [] S3 esiasdrv;esiasdrv;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\esiasdrv.sys [] S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS [2004-03-24 05:12] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D] \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c4af8b18-d871-11da-a80f-00032522de2c}] \Shell\AutoRun\command - F:\AUTORUN.EXE . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-01 17:02:51 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\sessmgr.exe C:\WINDOWS\system32\locator.exe C:\WINDOWS\system32\wdfmgr.exe . ************************************************************************** . Completion time: 2008-06-01 17:07:58 - machine was rebooted ComboFix-quarantined-files.txt 2008-06-01 14:07:53 Pre-Run: 4,412,100,608 bytes free Post-Run: 4,485,865,472 bytes free 877 --- E O F --- 2008-01-17 22:23:30 ======================================== This is the HJT log ========================================= Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 17:24:03, on 01.6.2008 г. Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16574) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Privoxy\privoxy.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\WINDOWS\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Mamicata ti\Туй че те утепа\туйчетеутепа.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scroogle.org/cgi-bin/scraper.htm R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8118;https=127.0.0.1:8118;socks=127.0.0.1:8118 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;127.0.0.1 O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe O15 - Trusted Zone: http://download.windowsupdate.com O17 - HKLM\System\CCS\Services\Tcpip\..\{CE095E15-67E2-4FCA-BD5B-9956C94D9DFD}: NameServer = 208.67.220.220,208.67.222.222,85.187.164.17,80.72.64.4 O17 - HKLM\System\CCS\Services\Tcpip\..\{EBEC8675-4173-4A8E-9ECD-7AF9FB48EC73}: NameServer = 85.187.164.17,80.72.64.4 O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe -- End of file - 3096 bytes ====================================

Blade81 · Jun 1, 2008

Hi

Move kombiniramfiks.exe file from C:\Mamicata ti\цомбофикс folder to the root of c: drive (c:\) to make sure following run will go smoothly.

Open notepad and copy/paste the text in the quotebox below into it:

Code:

File::
C:\hldrrr.exe
C:\WINDOWS\system32\drivers\hldrr.exe

Save this as
CFScript

Refering to the picture above, drag CFScript into kombiniramfiks.exe
Then post the resultant log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

Please run an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, click Yes.

The program will launch and start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings and select the following:

Scan using the following Anti-Virus database:

Extended (If available, otherwise Standard)

Scan Options:

Scan Archives
Scan Mail Bases

Click OK.
Under
select a target to scan
, select My Computer.
The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete, Kaspersky suggests running it during a time of low activity.

Once the scan is complete:

Click on the Save as Text button.
Save the file to your desktop.
Copy and paste that information into your next post if the AV content will fit into one post only. Post a fresh hjt log (without forgetting above meantioned ComboFix resultant log) too.
If the results of the anti virus scan itself will take more than one post to contain, you may upload it to http://rapidshare.com

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

If having a problme doing the above

Make sure that your Internet security settings are set to default values.

To set default security settings for Internet Explorer:

* Open Internet Explorer.
* Go to the Tools menu, then choose Internet Options.
* Click on the Security tab.
* Make sure that all four item (Internet, Local intranet, Trusted sites, and Restricted sites) are set to their default settings.

skoman · Jun 1, 2008

BTW If you are wondering about this file hldrr.exe which is located in c:\windows\system32\drivers I made it myself, hoping that this action would fool the malware, so I can delete it.After I made this file it completely disappear.I could not see it anymore, I could not find it using the search assistant from WnXP.This was very weird so I tried the same procedure in other location -> c:\
It happened exactly the same.
After ComboFix has finished its work I am able to see the files that I created one with name hldrr.exe in c:\windows\system32\drivers adn the other one in c:\ hldrrr.exe.

So should I do what you told me to with the script and so on ?Or I can just delete the above mentioned files manually shift+del ?

Blade81 · Jun 1, 2008

Please do just according to the instructions

That way we can be more sure that all goes according to the plan.

skoman · Jun 2, 2008

Hi Blade81,
This is what happed during the online scan.
The Kasperski online scan was going very slow, so I left th emachine unattended.After one maybe one and a half hour I came back to check it.I saw black screen with text something like "No bootable partition found.Insert boot media and press any key", like I do not have a OS installed.Pretty weird.I pressed key a couple of times , but the text reappeard again.So I had to restart the machine using power on/off button.
The second online scan went fine.
I have a lot of locked objects.Should I be concern about them?

Blade81 · Jun 2, 2008

Hi

No need to be concerned of locked files. It's normal to have more or less those in the report

May I see the logs, please?

skoman · Jun 2, 2008

This is the ComboFix log :
===========================================
ComboFix 08-05-29.1 - Administrator 2008-06-01 18:51:35.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.381.1033.18.643 [GMT 3:00]
Running from: C:\kombiniramfiks.exe
Command switches used :: C:\CFScript
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\hldrrr.exe
C:\WINDOWS\system32\drivers\hldrr.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\hldrrr.exe
C:\WINDOWS\system32\drivers\hldrr.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-01 to 2008-06-01 )))))))))))))))))))))))))))))))
.

2008-06-01 18:20 . 2008-06-01 18:20 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-01 18:20 . 2008-06-01 18:20 <DIR> d-------- C:\WINDOWS\LastGood
2008-06-01 18:20 . 2008-06-01 18:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-01 16:20 . 2008-06-01 16:21 1,948,397 --a------ C:\kombiniramfiks.exe
2008-06-01 12:38 . 2008-06-01 18:47 <DIR> d-------- C:\Mamicata ti
2008-05-31 19:39 . 2008-05-31 19:40 <DIR> d-------- C:\Program Files\Hamachi
2008-05-30 11:00 . 2008-05-31 19:39 10,345 --a------ C:\WINDOWS\system32\drivers\hamachi.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-01 13:58 --------- d-----w C:\Program Files\Digital Media Reader
2008-06-01 13:53 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-05-26 15:37 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-05-23 12:57 --------- d-----w C:\Program Files\OpenOffice.org 2.0
2008-05-23 12:53 --------- d-----w C:\Program Files\Opera
2006-09-07 09:41 54,312 ----a-w C:\Program Files\tor-bundle-uninstall.exe
.

((((((((((((((((((((((((((((( snapshot@2008-06-01_17.07.01.78 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-05-24 09:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 12:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 12:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-02-07 09:40 118784]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 16:47 57344]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 22:00 15360]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Privoxy.lnk - C:\Program Files\Privoxy\privoxy.exe [2004-01-31 14:18:30 212480]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\Program Files\ffdshow\ffdshow.ax

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--a------ 2005-06-03 02:03 1957888 C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
"<NO NAME>"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"Symantec NetDriver Monitor"=C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
"igfxtray"=C:\WINDOWS\system32\igfxtray.exe
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Tor\\tor.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Peer2Mail\\P2M.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"25934:TCP"= 25934:TCP:BitComet port
"25934:UDP"= 25934:UDP:BitComet port
"25:TCP"= 25:TCP

2M port
"80:TCP"= 80:TCP

2M port

R2 sensorsview;sensorsview;C:\WINDOWS\system32\drivers\sensorsview.sys [2006-02-09 14:54]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2003-10-22 16:27]
S3 ALSysIO;ALSysIO;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ALSysIO.sys []
S3 ddsxeiservice;ddsxeiservice2;C:\Program Files\sXe Injected\ddsxei.sys []
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS [2004-03-24 05:12]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c4af8b18-d871-11da-a80f-00032522de2c}]
\Shell\AutoRun\command - F:\AUTORUN.EXE

*Newly Created Service* - ISDRV122
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-01 18:54:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\esiasdrv]
"ImagePath"="\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\esiasdrv.sys"
.
Completion time: 2008-06-01 18:56:08
ComboFix-quarantined-files.txt 2008-06-01 15:56:02
ComboFix2.txt 2008-06-01 14:07:59

Pre-Run: 4,521,807,872 bytes free
Post-Run: 4,502,638,592 bytes free

120 --- E O F --- 2008-01-17 22:23:30
===========================================

skoman · Jun 2, 2008

This is a link to my KAV online scan.It is too big file to be attached , and too long to be posted.

Blade81 · Jun 2, 2008

Hi

Of some reason file wasn't there. Just some message that I couldn't figure out. Could you upload the report to http://rapidshare.com and post back download link to it? May I see a fresh hjt log too, please?

skoman · Jun 2, 2008

I did not know that I can not edit my posts.Otherwise I'd not make so many.Sorry :red:
This is the hijackthis log.
Since the hijackthis did not manage to reveal the worm' s processes when it was active in my system, should we trust and rely on this application in the future?

===========================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:14, on 02.6.2008 г.
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Privoxy\privoxy.exe
C:\Program Files\Hamachi\hamachi.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Mamicata ti\Туй че те утепа\туйчетеутепа.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scroogle.org/cgi-bin/scraper.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8118;https=127.0.0.1:8118;socks=127.0.0.1:8118
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;127.0.0.1
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CE095E15-67E2-4FCA-BD5B-9956C94D9DFD}: NameServer = 208.67.220.220,208.67.222.222,85.187.164.17,80.72.64.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{EBEC8675-4173-4A8E-9ECD-7AF9FB48EC73}: NameServer = 85.187.164.17,80.72.64.4
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

--
End of file - 3218 bytes
===========================================

skoman · Jun 2, 2008

This is the rapidshare link for my KAV online scan log.

Blade81 · Jun 2, 2008

This is getting difficult..

Hi

Looks like Rapidshare doesn't let free users download as often as before. Could you archive the report into zip file and just attach it to your reply?

skoman · Jun 2, 2008

Off course silly me.

Blade81 · Jun 2, 2008

Hi

It's ok. I should had suggested that in first place

Delete c:\!KillBox folder.

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis

Now lets uninstall ComboFix:

Click START then RUN
Now type (or copy-paste bolded part) "C:\kombiniramfiks.exe" /u in the runbox and click OK

Re-run Kaspersky online scanner and post the report & a fresh hjt log.

skoman · Jun 3, 2008

Hi Blade81 ,
I followed your instructions.
This is the KAV scan report:
===========================================
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, June 03, 2008 4:27:39 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 2/06/2008
Kaspersky Anti-Virus database records: 821972
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 62147
Number of viruses found: 2
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 02:21:45

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\My Documents\За Пренасяне\Програми\SmitfraudFix\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Administrator\My Documents\За Пренасяне\Програми\SmitfraudFix\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\found.000\file0000.chk Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP1\change.log Object is locked skipped
C:\Torpark\Torpark_2.0.0.3a.exe/Torpark 2.0.0.3a/App/Tconfig.exe/data0004 Infected: not-a-virus:RiskTool.Win32.FWDisabler.a skipped
C:\Torpark\Torpark_2.0.0.3a.exe/Torpark 2.0.0.3a/App/Tconfig.exe Infected: not-a-virus:RiskTool.Win32.FWDisabler.a skipped
C:\Torpark\Torpark_2.0.0.3a.exe 7-Zip: infected - 2 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{313A8198-CB84-4F4E-841A-2843420C67C6}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
===========================================
This is the HJT log:

===========================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:12:55, on 03.6.2008 г.
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Privoxy\privoxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Mamicata ti\Туй че те утепа\this will kill u.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scroogle.org/cgi-bin/scraper.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8118;https=127.0.0.1:8118;socks=127.0.0.1:8118
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;127.0.0.1
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CE095E15-67E2-4FCA-BD5B-9956C94D9DFD}: NameServer = 208.67.220.220,208.67.222.222,85.187.164.17,80.72.64.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{EBEC8675-4173-4A8E-9ECD-7AF9FB48EC73}: NameServer = 85.187.164.17,80.72.64.4
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

--
End of file - 3299 bytes
===========================================
Would you please tell me what the red boded text in ComboFix log means?
"This machine does not have a recovery console installed ?"
And since the HJT was unable to reveal the worm's processes, should I trust to this application in the future?
Another thing I noticed is that HJT does not report all the processes that are running.I have more processes in task manager than in the HJT log.Why is that?Is that normal?I'll be very happy if you could answer to those questions of mine.
Thank you very much for your dedicated help with virus removal.I really appreciated.

Blade81 · Jun 3, 2008

Would you please tell me what the red boded text in ComboFix log means?
"This machine does not have a recovery console installed ?"

Hi

That was explained in Bleeping Computer's ComboFix tutorial here

And since the HJT was unable to reveal the worm's processes, should I trust to this application in the future?

HJT is not general removing tool. It's used only in special occasions. Also, this worm contains rootkit stealth and that's why it wasn't showing up.

Another thing I noticed is that HJT does not report all the processes that are running.I have more processes in task manager than in the HJT log.Why is that?Is that normal?I'll be very happy if you could answer to those questions of mine.

Yes, that's normal. Hjt doesn't show all Windows' own processes.

Anyway, logs look ok now. Kaspersky findings are not bad anymore.

Well congrats, it appears your system is all clean Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.

First we remove used tools.

Please download OTMoveIt2 and save it to desktop.

Double-click OTMoveIt2.exe.
Click the CleanUp! button.
Select Yes when the
Begin cleanup Process?
prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, please allow it to do so.

UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

Comodo BOCLEAN <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Download Adaware
Adaware is a free program. It scans for known spyware on your computer. These scans should be run at least once every two weeks. For more information, see this tutorial
The program is available for download here
Download Spybot
Spybot is a scanner like adaware. It scans for spyware and other malicious programs. It is important to have both Adaware and Spybot on your computer because each program provides unique detection and pretection measures. Spybot has preventitive tools that stop programs from even installing on your computer.
To see how to set this up as well as more spybot features, see here
Spybot can be downloaded at this location
Download SpywareBlaster
Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes
kill bits
in the registry, so that certain activex controls can't install.
If you don't know what activex controls are, see here
You can download SpywareBlaster here here
SpywareBlaster tutorial
Download iespyad
It puts many bad webpages on your restricted zones list. This means that you can still view the
bad
webpages, but the webpages cannot do certain things (such as use javascripts and cookies).
If you need help understanding how it works, there is a tutorial here
Download it here
hosts file:
- Every version of windows has a hosts file as part of them.
- In a very basic sense, they are used to locate webpages.
- We can customize a hosts file so that it blocks certain webpages.
- However, it can slow down certain computers.
- This is why using a hosts file is optional!!
Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
1. [*]Click the start button (at the lower left hand corner of your screen) [*]Click run [*]In the dialog box, type services.msc [*]hit enter, then locate dns client [*]Highlight it, then double-click it. [*]On the dropdown box, change the setting from automatic to manual. [*]Click ok
Get Anti Virus Software and keep it updated - Most AVs will update automatically, but if not I would recommend making updating the AV the first job every time the PC is connected to the internet. An AV that is using defs that are seven days old is not going to be much protection. If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out. See here to choose one
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
See here to choose one

Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Run the spybot and adaware regularly. (Once or twice a week minimum.)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade

skoman · Jun 3, 2008

Hi Blade,
Thanks again for the answers and the help.Before I continue with the instructions, I'd like to fix first my main problem .It appears that after I got infected my WIFI NIC does not work because the Wireless Zero Configuration services cannot be started.One of its dependences fail to start - NDIS I/O user mode.I searched for ndusio.sys but search assistant did not find it.How should I proceed ?

Blade81 · Jun 3, 2008

Hi

Since that seems to be networking connection problem I recommend to ask at http://forums.pcpitstop.com. They have also technical help there while we are concentrated mainly on malware issues here

Infected with flec006.exe.

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

New member

Security Expert: Emeritus

New member

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus