View Full Version : Help! Recurring Fake.Wget and Bifrose.LA + Spybot detects Smitfraud-C in install exes
I'm getting recurring infections of Fake.Wget and Bifrose.LA and on a possibly related note, Spybot is detecting Smitfraud-C in pretty much every game patch i try to run; it is terminating the processes before the patches can be installed and so far, spybot is not detecting Smitfraud-C when i scan the computer. Please help!
PS:
-i ran the trend micro test four times and each time, after a little more than an hour, the browser window just closed itself without warning.
-i ran the etrust online antivirus detector and it found nothing. unfortunately, i found no option to save a log.
-the bit defender link provided in the "before you post" topic is dead. is it supposed to link to this?: http://www.bitdefender.com/scan8/ie.html
-i have provided below a HijackThis log, a Spybot log and a Nod32 log.
-i'm using XP with SP2
Logfile of HijackThis v1.99.1
Scan saved at 12:36:00 AM, on 1/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5746\GoogleToolbarNotifier.exe
C:\Program Files\Kerio\WinRoute Firewall\WrCtrl.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Kerio\WinRoute Firewall\winroute.exe
C:\Program Files\Kerio\WinRoute Firewall\avServer.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dictionary.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CoTGT_BHO Class - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [startkey] C:\WINDOWS\system32\server.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5746\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [startkey] C:\WINDOWS\system32\server.exe
O4 - HKCU\..\Run: [WrCtrl] "C:\Program Files\Kerio\WinRoute Firewall\WrCtrl.exe"
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{411E73ED-9C60-42F1-992B-34D03F659D35}: NameServer = 216.165.239.2,216.165.239.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{411E73ED-9C60-42F1-992B-34D03F659D35}: NameServer = 216.165.239.2,216.165.239.4
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: RadClock - Unknown owner - C:\Program Files\RadLinker\RadClock.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Kerio WinRoute Firewall (WinRoute) - Kerio Technologies - C:\Program Files\Kerio\WinRoute Firewall\winroute.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
spybot log part 1
--- Search result list ---
Bifrose.LA: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}
Fake.Wget: Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-329068152-220523388-839522115-1003\Software\Wget
Fake.Wget: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Wget
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-11-28 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-01-05 Includes\Cookies.sbi (*)
2006-12-08 Includes\Dialer.sbi (*)
2007-01-05 Includes\DialerC.sbi (*)
2006-11-24 Includes\Hijackers.sbi (*)
2007-01-05 Includes\HijackersC.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2007-01-05 Includes\KeyloggersC.sbi (*)
2006-12-22 Includes\Malware.sbi (*)
2007-01-05 Includes\MalwareC.sbi (*)
2006-10-20 Includes\PUPS.sbi (*)
2007-01-05 Includes\PUPSC.sbi (*)
2007-01-05 Includes\Revision.sbi (*)
2006-12-08 Includes\Security.sbi (*)
2007-01-05 Includes\SecurityC.sbi (*)
2006-10-13 Includes\Spybots.sbi (*)
2007-01-05 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-12-08 Includes\Trojans.sbi (*)
2007-01-05 Includes\TrojansC.sbi (*)
--- System information ---
Windows XP (Build: 2600) Service Pack 2
/ Microsoft .NET Framework 2.0: This Security Update is for Microsoft .NET Framework 2.0. \n
If you later install a more recent service pack, this Security Update will be uninstalled automatically. \n
For more information, visit http://support.microsoft.com/kb/917283
/ Microsoft .NET Framework 2.0: This Security Update is for Microsoft .NET Framework 2.0. \n
If you later install a more recent service pack, this Security Update will be uninstalled automatically. \n
For more information, visit http://support.microsoft.com/kb/922770
/ Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs
/ Windows / SP1: Microsoft National Language Support Downlevel APIs
/ Windows Media Player 6.4: Security Update for Windows Media Player 6.4 (KB925398)
/ Windows XP / SP10: Microsoft Compression Client Pack 1.0 for Windows XP
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887472
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Security Update for Windows XP (KB893756)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Update for Windows XP (KB894391)
/ Windows XP / SP3: Security Update for Windows XP (KB896358)
/ Windows XP / SP3: Security Update for Windows XP (KB896423)
/ Windows XP / SP3: Security Update for Windows XP (KB896424)
/ Windows XP / SP3: Security Update for Windows XP (KB896428)
/ Windows XP / SP3: Update for Windows XP (KB898461)
/ Windows XP / SP3: Security Update for Windows XP (KB899587)
/ Windows XP / SP3: Security Update for Windows XP (KB899591)
/ Windows XP / SP3: Update for Windows XP (KB900485)
/ Windows XP / SP3: Security Update for Windows XP (KB900725)
/ Windows XP / SP3: Security Update for Windows XP (KB901017)
/ Windows XP / SP3: Security Update for Windows XP (KB901190)
/ Windows XP / SP3: Security Update for Windows XP (KB901214)
/ Windows XP / SP3: Security Update for Windows XP (KB902400)
/ Windows XP / SP3: Security Update for Windows XP (KB904706)
/ Windows XP / SP3: Security Update for Windows XP (KB905414)
/ Windows XP / SP3: Security Update for Windows XP (KB905749)
/ Windows XP / SP3: Security Update for Windows XP (KB908519)
/ Windows XP / SP3: Update for Windows XP (KB908531)
/ Windows XP / SP3: Update for Windows XP (KB910437)
/ Windows XP / SP3: Update for Windows XP (KB911280)
/ Windows XP / SP3: Security Update for Windows XP (KB911562)
/ Windows XP / SP3: Security Update for Windows XP (KB911567)
/ Windows XP / SP3: Security Update for Windows XP (KB911927)
/ Windows XP / SP3: Security Update for Windows XP (KB912919)
/ Windows XP / SP3: Security Update for Windows XP (KB913580)
/ Windows XP / SP3: Security Update for Windows XP (KB914388)
/ Windows XP / SP3: Security Update for Windows XP (KB914389)
/ Windows XP / SP3: Hotfix for Windows XP (KB915865)
/ Windows XP / SP3: Update for Windows XP (KB916595)
/ Windows XP / SP3: Security Update for Windows XP (KB917422)
/ Windows XP / SP3: Security Update for Windows XP (KB917953)
/ Windows XP / SP3: Security Update for Windows XP (KB918439)
/ Windows XP / SP3: Security Update for Windows XP (KB919007)
/ Windows XP / SP3: Security Update for Windows XP (KB920213)
/ Windows XP / SP3: Security Update for Windows XP (KB920214)
/ Windows XP / SP3: Security Update for Windows XP (KB920670)
/ Windows XP / SP3: Security Update for Windows XP (KB920683)
/ Windows XP / SP3: Security Update for Windows XP (KB920685)
/ Windows XP / SP3: Update for Windows XP (KB920872)
/ Windows XP / SP3: Security Update for Windows XP (KB921398)
/ Windows XP / SP3: Update for Windows XP (KB922582)
/ Windows XP / SP3: Security Update for Windows XP (KB922616)
/ Windows XP / SP3: Security Update for Windows XP (KB922819)
/ Windows XP / SP3: Security Update for Windows XP (KB923191)
/ Windows XP / SP3: Security Update for Windows XP (KB923414)
/ Windows XP / SP3: Security Update for Windows XP (KB923694)
/ Windows XP / SP3: Security Update for Windows XP (KB923980)
/ Windows XP / SP3: Security Update for Windows XP (KB924191)
/ Windows XP / SP3: Security Update for Windows XP (KB924270)
/ Windows XP / SP3: Hotfix for Windows XP (KB926239)
/ Windows XP / SP3: Security Update for Windows XP (KB926255)
--- Startup entries list ---
Located: HK_LM:Run, ATICCC
command: "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
file: C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe
size: 90112
MD5: 0dc2e1b6951bd2170bc47f0eebf629b3
Located: HK_LM:Run, DAEMON Tools
command: "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
file: C:\Program Files\DAEMON Tools\daemon.exe
size: 157592
MD5: 4323a5ee3ebc7f5681cd41b69360d2d4
Located: HK_LM:Run, DiskeeperSystray
command: "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
file: C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
size: 163840
MD5: cc2286749c3063e989519db234284fbe
Located: HK_LM:Run, KernelFaultCheck
command: C:\WINDOWS\system32\dumprep 0 -k
file: C:\WINDOWS\system32\dumprep.exe
size: 10752
MD5: 13922eb54890c77005268882629a31fe
Located: HK_LM:Run, NeroFilterCheck
command: "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
file: C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
size: 155648
MD5: c93ab037a8c792d5f8a1a9fc88a7c7c5
Located: HK_LM:Run, nod32kui
command: "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
file: C:\Program Files\Eset\nod32kui.exe
size: 950664
MD5: 1db8ebbea939fb03542574ad70f29dd6
Located: HK_LM:Run, NVMixerTray
command: "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
file: C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
size: 131072
MD5: 46ee79e42e5e056e91ea4eb07e7b807a
Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 282624
MD5: caf03357de72f8f19fa099581a685c1a
Located: HK_LM:Run, startkey
command: C:\WINDOWS\system32\server.exe
file: C:\WINDOWS\system32\server.exe
size: 1362113
MD5: 8d00ac79d04db184f9c93bc8e6c6e8e3
Located: HK_LM:Run, SunJavaUpdateSched (DISABLED)
command: "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
file: C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
size: 49263
MD5: 409c45da1cfbc3fc19eec7cbfe9b2786
Located: HK_CU:Run, BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}
command: "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
file: C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
size: 139264
MD5: 3dbe5b70fca1f15be651a5eb02594b84
Located: HK_CU:Run, ctfmon.exe
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996a38c0b0cf151c2140ae29fc8
Located: HK_CU:Run, SpybotSD TeaTimer
command: "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 1415824
MD5: 70496eee0ddbe485f658693826f44d38
Located: HK_CU:Run, startkey
command: C:\WINDOWS\system32\server.exe
file: C:\WINDOWS\system32\server.exe
size: 1362113
MD5: 8d00ac79d04db184f9c93bc8e6c6e8e3
Located: HK_CU:Run, STYLEXP
command: C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
file:
Located: HK_CU:Run, swg
command: "C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5746\GoogleToolbarNotifier.exe"
file: C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5746\GoogleToolbarNotifier.exe
size: 165304
MD5: d81021fff83b946d110aff16f0a26062
Located: HK_CU:Run, WrCtrl
command: "C:\Program Files\Kerio\WinRoute Firewall\WrCtrl.exe"
file: C:\Program Files\Kerio\WinRoute Firewall\WrCtrl.exe
size: 188416
MD5: e26df5909bbc2ed15de7a5e65689bfdc
Located: HK_CU:Run, Window Washer (DISABLED)
command: "C:\Program Files\Webroot\Washer\wwDisp.exe"
file: C:\Program Files\Webroot\Washer\wwDisp.exe
size: 894464
MD5: 831134deaa2a470bdde9308f8bae4733
Located: Startup (common), Adobe Reader Speed Launch.lnk
command: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
file: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
size: 29696
MD5: 43362b96870ce8649f4f2ec893da93f0
Located: Startup (user), SpywareGuard.lnk
command: C:\Program Files\SpywareGuard\sgmain.exe
file: C:\Program Files\SpywareGuard\sgmain.exe
size: 360448
MD5: 61c028aba5e49573a6332f4a7c744e87
Located: System.ini, AtiExtEvent
command: Ati2evxx.dll
file: Ati2evxx.dll
Located: System.ini, crypt32chain
command: crypt32.dll
file: crypt32.dll
Located: System.ini, cryptnet
command: cryptnet.dll
file: cryptnet.dll
Located: System.ini, cscdll
command: cscdll.dll
file: cscdll.dll
Located: System.ini, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
Located: System.ini, Schedule
command: wlnotify.dll
file: wlnotify.dll
Located: System.ini, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
Located: System.ini, SensLogn
command: WlNotify.dll
file: WlNotify.dll
Located: System.ini, termsrv
command: wlnotify.dll
file: wlnotify.dll
Located: System.ini, wlballoon
command: wlnotify.dll
file: wlnotify.dll
Located: System.ini, WRNotifier
command: WRLogonNTF.dll
file: WRLogonNTF.dll
spybot log part 2
--- Browser helper object list ---
{02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
BHO name:
CLSID name: Yahoo! Toolbar Helper
description: Yahoo Companion!
classification: Legitimate
known filename: Ycomp*_*_*_*.dll
info link: http://companion.yahoo.com/
info source: TonyKlein
Path: C:\Program Files\Yahoo!\Companion\Installs\cpn\
Long name: yt.dll
Short name:
Date (created): 11/30/2006 6:42:00 PM
Date (last access): 1/9/2007 11:44:40 PM
Date (last write): 6/7/2006 10:09:22 AM
Filesize: 399352
Attributes: archive
MD5: 8BBB9FEEC360F11867B28059B5360843
CRC32: 12033757
Version: 2005.11.4.1
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
BHO name:
CLSID name: Adobe PDF Reader Link Helper
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Program Files\Adobe\Acrobat 7.0\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 1/12/2006 8:38:22 PM
Date (last access): 1/9/2007 11:44:40 PM
Date (last write): 1/12/2006 8:38:22 PM
Filesize: 63128
Attributes: archive
MD5: F17B2B264072B921FC66A0BE16626BAB
CRC32: 5184CFEA
Version: 7.0.7.142
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7} (IeCatch5 Class)
BHO name:
CLSID name: IeCatch5 Class
Path: C:\PROGRA~1\FlashGet\
Long name: Jccatch.dll
Short name:
Date (created): 11/28/2006 8:56:02 PM
Date (last access): 1/9/2007 11:44:40 PM
Date (last write): 5/16/2006 3:19:42 PM
Filesize: 81920
Attributes: archive
MD5: 8AB453E6168A5FEDFDDF44BC13F42E70
CRC32: 47363548
Version: 1.1.5.0
{4A368E80-174F-4872-96B5-0B27DDD11DB2} (SpywareGuard Download Protection)
BHO name: SpywareGuard Download Protection
CLSID name: SpywareGuardDLBLOCK.CBrowserHelper
description: SpywareGuard download protection
classification: Legitimate
known filename: dlprotect.dll
info link: http://www.wilderssecurity.net/spywareguard.html
info source: TonyKlein
Path: C:\Program Files\SpywareGuard\
Long name: dlprotect.dll
Short name: DLPROT~1.DLL
Date (created): 8/2/2003 11:24:02 PM
Date (last access): 1/9/2007 11:44:40 PM
Date (last write): 8/2/2003 11:24:02 PM
Filesize: 192512
Attributes: readonly archive
MD5: 964621E8B2415FEAA99026ED4F29D198
CRC32: DC8CF59D
Version: 2.2.0.0
{53707962-6F74-2D53-2644-206D7942484F} ()
BHO name:
CLSID name:
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 11/28/2006 8:35:02 PM
Date (last access): 1/9/2007 11:44:40 PM
Date (last write): 5/31/2005 1:04:00 AM
Filesize: 853672
Attributes: archive
MD5: 250D787A5712D7768DDC133B3E477759
CRC32: D4589A41
Version: 1.4.0.0
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
BHO name:
CLSID name: SSVHelper Class
Path: C:\Program Files\Java\jre1.5.0_09\bin\
Long name: ssv.dll
Short name:
Date (created): 10/12/2006 3:10:58 AM
Date (last access): 1/9/2007 11:44:42 PM
Date (last write): 10/12/2006 3:25:44 AM
Filesize: 434279
Attributes: archive
MD5: D62E335F137D9E0F9F4DBE09564959B1
CRC32: 72699310
Version: 5.0.90.3
{AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
BHO name:
CLSID name: Google Toolbar Helper
description: Google toolbar
classification: Open for discussion
known filename: googletoolbar.dll<br>googletoolbar*.dll<br>(* = number)<br>googletoolbar_en_*.**-big.dll<br>Googletoolbar_en_*.*.**-deleon.dll
info link: http://toolbar.google.com/
info source: TonyKlein
Path: c:\program files\google\
Long name: GoogleToolbar1.dll
Short name: GOOGLE~1.DLL
Date (created): 11/28/2006 8:56:22 PM
Date (last access): 1/9/2007 11:44:42 PM
Date (last write): 11/28/2006 8:56:22 PM
Filesize: 2018368
Attributes: readonly archive
MD5: C022FABC464CEA9DF382C000351223E2
CRC32: B1A33DE4
Version: 4.0.1019.5266
{C333CF63-767F-4831-94AC-E683D962C63C} (CoTGT_BHO Class)
BHO name:
CLSID name: CoTGT_BHO Class
Path: C:\Program Files\TGTSoft\StyleXP\
Long name: TGT_BHO.dll
Short name:
Date (created): 5/9/2006 3:13:48 PM
Date (last access): 1/9/2007 11:44:42 PM
Date (last write): 5/9/2006 3:13:48 PM
Filesize: 65536
Attributes: archive
MD5: 107CC933CCB8FC9AD8F2160657B9D6D6
CRC32: FA073C35
{F156768E-81EF-470C-9057-481BA8380DBA} (gFlash Class)
BHO name:
CLSID name: gFlash Class
Path: C:\PROGRA~1\FlashGet\
Long name: getflash.dll
Short name:
Date (created): 11/28/2006 8:56:02 PM
Date (last access): 1/9/2007 11:44:44 PM
Date (last write): 9/12/2006 10:50:56 AM
Filesize: 126976
Attributes: archive
MD5: C281625E4775F8AD88448C50AFEB4561
CRC32: EC424799
Version: 1.0.0.1
--- ActiveX list ---
{166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control)
DPF name:
CLSID name: Shockwave ActiveX Control
Installer: C:\WINDOWS\Downloaded Program Files\erma.inf
Codebase: http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
description: Macromedia ShockWave Flash Player 7
classification: Legitimate
known filename: SWDIR.DLL
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\macromed\Director\
Long name: SwDir.dll
Short name:
Date (created): 12/9/2006 2:43:18 AM
Date (last access): 1/10/2007 12:22:50 AM
Date (last write): 9/3/2006 11:10:30 PM
Filesize: 54960
Attributes: archive
MD5: EB271B21EA6104B7C6946EF32D558C91
CRC32: CEC4E0C2
Version: 10.1.4.20
{7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class)
DPF name:
CLSID name: WScanCtl Class
Installer: C:\WINDOWS\Downloaded Program Files\webscan.inf
Codebase: http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
description:
classification: Legitimate
known filename: webscan.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: webscan.dll
Short name:
Date (created): 11/20/2006 12:02:34 PM
Date (last access): 1/9/2007 11:46:36 PM
Date (last write): 11/20/2006 12:02:34 PM
Filesize: 180282
Attributes: archive
MD5: 76EA3ABECE61FBA3C07F61E42BB0CA48
CRC32: AECD0E4D
Version: 1.1.0.1049
{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_09
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre1.5.0_09\bin\
Long name: NPJPI150_09.dll
Short name: NPJPI1~1.DLL
Date (created): 10/12/2006 3:10:58 AM
Date (last access): 1/10/2007 12:22:50 AM
Date (last write): 10/12/2006 3:25:44 AM
Filesize: 69746
Attributes: archive
MD5: A3CDEB59B6B8C2EA81B9ED2D3EF4C95E
CRC32: 2A32A9A2
Version: 5.0.90.3
{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_09
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
description:
classification: Legitimate
known filename: NPJPI150_09.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre1.5.0_09\bin\
Long name: NPJPI150_09.dll
Short name: NPJPI1~1.DLL
Date (created): 10/12/2006 3:10:58 AM
Date (last access): 1/10/2007 12:22:50 AM
Date (last write): 10/12/2006 3:25:44 AM
Filesize: 69746
Attributes: archive
MD5: A3CDEB59B6B8C2EA81B9ED2D3EF4C95E
CRC32: 2A32A9A2
Version: 5.0.90.3
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_09
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_06.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre1.5.0_09\bin\
Long name: NPJPI150_09.dll
Short name: NPJPI1~1.DLL
Date (created): 10/12/2006 3:10:58 AM
Date (last access): 1/10/2007 12:22:50 AM
Date (last write): 10/12/2006 3:25:44 AM
Filesize: 69746
Attributes: archive
MD5: A3CDEB59B6B8C2EA81B9ED2D3EF4C95E
CRC32: 2A32A9A2
Version: 5.0.90.3
{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf
Codebase: http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Macromed\Flash\
Long name: Flash9b.ocx
Short name:
Date (created): 11/9/2006 2:46:28 PM
Date (last access): 1/10/2007 12:14:36 AM
Date (last write): 11/9/2006 2:46:28 PM
Filesize: 2262648
Attributes: readonly archive
MD5: F3B3EE66CA76C94510555ABE9D00A353
CRC32: A51F3CB4
Version: 9.0.28.0
--- Process list ---
PID: 0 ( 0) [System]
PID: 580 ( 4) \SystemRoot\System32\smss.exe
PID: 668 ( 580) \??\C:\WINDOWS\system32\csrss.exe
PID: 756 ( 580) \??\C:\WINDOWS\system32\winlogon.exe
PID: 808 ( 756) C:\WINDOWS\system32\services.exe
size: 108032
MD5: C6CE6EEC82F187615D1002BB3BB50ED4
PID: 820 ( 756) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: 84885F9B82F4D55C6146EBF6065D75D2
PID: 996 ( 808) C:\WINDOWS\system32\Ati2evxx.exe
size: 430080
MD5: F57801F641E6DF9F4FD4B29D6DEB422C
PID: 1036 ( 808) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1104 ( 808) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1252 ( 808) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1348 ( 756) C:\WINDOWS\system32\Ati2evxx.exe
size: 430080
MD5: F57801F641E6DF9F4FD4B29D6DEB422C
PID: 1424 ( 808) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1500 ( 808) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1672 ( 808) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: DA81EC57ACD4CDC3D4C51CF3D409AF9F
PID: 1884 (1828) C:\WINDOWS\Explorer.EXE
size: 1032192
MD5: A0732187050030AE399B241436565E64
PID: 252 ( 232) C:\Program Files\Internet Explorer\IEXPLORE.EXE
size: 622080
MD5: 5334D4461AA92A7B008755FE6D13C5F2
PID: 680 (1884) C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
size: 131072
MD5: 46EE79E42E5E056E91EA4EB07E7B807A
PID: 712 (1884) C:\Program Files\Eset\nod32kui.exe
size: 950664
MD5: 1DB8EBBEA939FB03542574AD70F29DD6
PID: 988 (1884) C:\Program Files\DAEMON Tools\daemon.exe
size: 157592
MD5: 4323A5EE3EBC7F5681CD41B69360D2D4
PID: 1164 (1884) C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
size: 139264
MD5: 3DBE5B70FCA1F15BE651A5EB02594B84
PID: 1180 (1076) C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
size: 45056
MD5: 64C4C17BF6A40FF1CD21205E6FD415B8
PID: 1208 (1884) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 1415824
MD5: 70496EEE0DDBE485F658693826F44D38
PID: 1228 (1884) C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996A38C0B0CF151C2140AE29FC8
PID: 1364 (1036) C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
size: 884736
MD5: 1E55333843B8398B2EB60EA8C39569FA
PID: 1324 (1884) C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5746\GoogleToolbarNotifier.exe
size: 165304
MD5: D81021FFF83B946D110AFF16F0A26062
PID: 1720 (1884) C:\Program Files\Kerio\WinRoute Firewall\WrCtrl.exe
size: 188416
MD5: E26DF5909BBC2ED15DE7A5E65689BFDC
PID: 272 (1884) C:\Program Files\SpywareGuard\sgmain.exe
size: 360448
MD5: 61C028ABA5E49573A6332F4A7C744E87
PID: 648 ( 272) C:\Program Files\SpywareGuard\sgbhp.exe
size: 233472
MD5: A80D0704537C0EF97DB2BEF24B99AF1A
PID: 692 ( 808) C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
size: 892928
MD5: 26E09498268C88BD6A7C791EBC71DBE5
PID: 932 ( 808) C:\Program Files\Eset\nod32krn.exe
size: 549256
MD5: C0C81A2BE22F496B26B3E1EF3F559B83
PID: 2416 ( 808) C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
size: 3297792
MD5: 5D587C0FDE956DF030F79166DA595F2C
PID: 2868 ( 808) C:\WINDOWS\system32\wwSecure.exe
size: 487936
MD5: E189A58938E5E1EA269D73AAD84C9311
PID: 1980 ( 808) C:\Program Files\Kerio\WinRoute Firewall\winroute.exe
size: 3796992
MD5: FDE4CD78238F55CB028CA8D9F81BE116
PID: 3632 (1980) C:\Program Files\Kerio\WinRoute Firewall\avServer.exe
size: 98304
MD5: E3B31D987612F341EDA28F1D940965BC
PID: 3544 ( 712) C:\Program Files\Eset\nod32.exe
size: 496000
MD5: FFFFADC7124F9FCA9AF86B8710F038E8
PID: 500 (1884) C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
size: 214528
MD5: F0543ACEEB5CD8821469958C9F3DD9A4
PID: 2560 (1884) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4393096
MD5: 09CA174A605B480318731E691DC98539
PID: 3288 (1884) C:\Program Files\Internet Explorer\iexplore.exe
size: 622080
MD5: 5334D4461AA92A7B008755FE6D13C5F2
PID: 4 ( 0) System
spybot log part 3
--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 1/10/2007 12:25:36 AM
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.dictionary.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
--- Winsock Layered Service Provider list ---
Protocol 0: NOD32 protected [MSAFD Tcpip [TCP/IP]]
GUID: {B48ACC25-CAB4-4DE9-837F-8C120A873F90}
Filename: C:\WINDOWS\system32\imon.dll
Protocol 1: NOD32 protected [MSAFD Tcpip [UDP/IP]]
GUID: {8E1EEC56-55EE-43D7-A8F6-53AB316ADF36}
Filename: C:\WINDOWS\system32\imon.dll
Protocol 2: NOD32 protected [MSAFD Tcpip [RAW/IP]]
GUID: {250C32B6-032A-48BD-A13A-38A15A1CB53E}
Filename: C:\WINDOWS\system32\imon.dll
Protocol 3: NOD32 protected [RSVP UDP Service Provider]
GUID: {EA0A9921-BA4C-4518-AE40-78E75B059F6C}
Filename: C:\WINDOWS\system32\imon.dll
Protocol 4: NOD32 protected [RSVP TCP Service Provider]
GUID: {35F57BA0-370A-4982-9299-7D08343254F4}
Filename: C:\WINDOWS\system32\imon.dll
Protocol 5: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 6: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 7: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 8: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 9: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 10: NOD32
GUID: {28A4D8DA-E908-4C6F-A926-A66CC7AD3224}
Filename: C:\WINDOWS\system32\imon.dll
Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{411E73ED-9C60-42F1-992B-34D03F659D35}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{411E73ED-9C60-42F1-992B-34D03F659D35}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A0C0EB0D-E98C-40D1-B79F-C4470749A84C}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A0C0EB0D-E98C-40D1-B79F-C4470749A84C}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A265649F-21B5-43ED-8BC1-8309317AB8BD}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A265649F-21B5-43ED-8BC1-8309317AB8BD}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip_{1F707684-D174-4A91-8AC4-35583D1CE198}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip_{1F707684-D174-4A91-8AC4-35583D1CE198}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP
Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS
Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace
Nod32 scan log part 1
Scan performed at: 1/10/2007 8:42:27 AM
Scanning Log
NOD32 version 1959 (20070105) NT
Operating memory - is OK
Date: 10.1.2007 Time: 08:42:52
Anti-Stealth technology is enabled.
Scanned disks, folders and files: C:; E:
C:\hiberfil.sys - error opening (File locked) [4]
C:\pagefile.sys - error opening (File locked) [4]
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BifroseLA.zip »ZIP »sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BifroseLA.zip »ZIP »sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BifroseLA1.zip »ZIP »sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BifroseLA1.zip »ZIP »sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BifroseLA2.zip »ZIP »sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BifroseLA2.zip »ZIP »sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FakeWget.zip »ZIP »sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FakeWget.zip »ZIP »sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FakeWget1.zip »ZIP »sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FakeWget1.zip »ZIP »sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FakeWget2.zip »ZIP »sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FakeWget2.zip »ZIP »sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FakeWget3.zip »ZIP »sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FakeWget3.zip »ZIP »sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FakeWget4.zip »ZIP »sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FakeWget4.zip »ZIP »sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallDisableNotify.zip »ZIP »sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallDisableNotify.zip »ZIP »sbRecovery.ini - error - password-protected file
C:\Documents and Settings\LocalService\NTUSER.DAT - error opening (File locked) [4]
C:\Documents and Settings\LocalService\ntuser.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat - error opening (File locked) [4]
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\NTUSER.DAT - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\ntuser.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\whencan westartnow\NTUSER.DAT - error opening (File locked) [4]
C:\Documents and Settings\whencan westartnow\ntuser.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\whencan westartnow\Local Settings\Application Data\Ahead\Nero Home\bl.db-journal - error opening (File locked) [4]
C:\Documents and Settings\whencan westartnow\Local Settings\Application Data\Ahead\Nero Home\is2.db-journal - error opening (File locked) [4]
C:\Documents and Settings\whencan westartnow\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
C:\Documents and Settings\whencan westartnow\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »Ad-Aware SE Default.skn - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »arrow1.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »arrow2.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »bck1.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt11.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt12.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt13.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt21.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt22.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt23.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt31.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt32.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt33.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt41.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt42.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt43.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt51.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt52.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt53.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt61.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt62.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »checkbox1.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »checkbox2.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »checkbox3.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »checkbox4.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »defbtn1.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »defbtn2.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »defbtn3.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »glyph1.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »glyph2.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »glyph3.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »glyph4.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »glyph5.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »glyph6.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »glyph7.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »main.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »preview.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »sprite1.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »Ad-Aware SE Default.skn - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »arrow1.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »arrow2.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bck1.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt11.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt12.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt13.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt21.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt22.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt23.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt31.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt32.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt33.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt41.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt42.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt43.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt51.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt52.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt53.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt61.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt62.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »checkbox1.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »checkbox2.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »checkbox3.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »checkbox4.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »defbtn1.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »defbtn2.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »defbtn3.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »glyph1.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »glyph2.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »glyph3.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »glyph4.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »glyph5.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »glyph6.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »glyph7.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »main.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »preview.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »sprite1.bmp - error - password-protected file
C:\Program Files\Nero\Nero 7\Nero BackItUp\BackItUp_ImageTool\root.img »GZ - archive damaged
C:\Program Files\Webroot\Spy Sweeper\Masters.base - error opening (Access denied) [4]
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak - error opening (Access denied) [4]
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const - error opening (Access denied) [4]
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst - error opening (Access denied) [4]
C:\System Volume Information\MountPointManagerRemoteDatabase - error opening (Access denied) [4]
C:\WINDOWS\system32\config\default - error opening (File locked) [4]
C:\WINDOWS\system32\config\default.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\SAM - error opening (File locked) [4]
C:\WINDOWS\system32\config\SAM.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\SECURITY - error opening (File locked) [4]
C:\WINDOWS\system32\config\SECURITY.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\software - error opening (File locked) [4]
C:\WINDOWS\system32\config\software.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\system - error opening (File locked) [4]
C:\WINDOWS\system32\config\system.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\drivers\sptd.sys - error opening (File locked) [4]
E:\RECYCLED\De4.zip »ZIP »package.dll »RAR »kill.exe - Win32/Parite.B virus
E:\RECYCLED\De4.zip »ZIP »package.dll »RAR »winlogon.exe - a variant of Win32/Iroffer trojan
Number of scanned files: 491745
Number of threats found: 2
Number of active threats: 1
Time of completion: 14:02:16 Total scanning time: 19164 sec (05:19:24)
Notes:
[4] File cannot be opened. It may be in use by another application or operating system.
err, whoops, neglect the "part 1" from the nod32 log. that's all there is :oops:
just noticed the 'attachments' function and decided to attach the spybot log, the nod32 log and a fresh hijackthis log i created after renaming the program hjt.exe
an update: it seems that the latest spybot update wiped away the fake.wget and bifrose.la infections but spybot is still detecting and terminating smitfraud-c in every game patch i try to run. antivirus programs are still picking up nothing; i even tried running nod32 in safe mode and it found nothing... can anyone help?
here is a fresh hijackthis log:
decided to try running smitfraudfix and followed the instructions here: http://forums.spybot.info/showthread.php?t=4015
still no success. the safemode spybot scan only picked up 6 tracking cookies and i'm not sure if smitfraudfix found anything; i've included below a smitfraudfix report, the log from the safemode spybot scan and a fresh hijackthis log after giving the program a new, less predictible name.
the symptoms of my infection are as so: whenever i try to install a game patch or mod from an install exe, teatimer/spybot detects smitfraud-c in the exe and terminates the process; essentially, i can't install patches or mods which is seriously hindering my gaming life. my antivirus/spyware programs pick up nothing... it seems like nothing is picking up anything! someone please help.
hi
9 posts in this thread, all by you.. i usually look for threads with 0 answers...
my first suggestion is to format the drive and reinstall windows
then i recommend these actions:
1) use a known secure computer to change all of your online passwords
2) contact your bank and credit card company for possible unauthorised transactions
more info can be found here:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
some further reading:
Security Management - May 2004
Help: I Got Hacked. Now What Do I Do?
http://www.microsoft.com/technet/community...gmt/sm0504.mspx (http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx)
Security Management - July 2004
Help: I Got Hacked. Now What Do I Do? Part II
http://www.microsoft.com/technet/community...gmt/sm0704.mspx (http://www.microsoft.com/technet/community/columns/secmgmt/sm0704.mspx)
and finally some more considerations:
When should I re-format? How should I reinstall?
http://www.dslreports.com/faq/10063
if you choose to format and reinstall see this link for instructions:
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html
please let me know what you decide to do
many thanks for your help thus far! i'm sorry for not writing back sooner; i decided to take your advice but wanted to try out a few new applications for the new install. ultimately, a few of the new anti malware programs i picked up found and disabled a few more pieces of malware that were on my system which precipitated the infection somehow jumping onto a program that i have used for years without incidence, webroot's 'windows washer.' -it cannot be coincidence that this is the program i open most often, right next to wordpad. i installed comodo firewall and boclean and somehow that slowed my system to a literal crawl (windows explorer and other apps took over a minute to open -i literally developed a nosebleed dealing with the pc at that point) soon after that, spybot began stopping operations that i did not initiate which is something that never happened before and ultimately i now find myself unable to log into windows.
here are my questions for you. I'd like some advice as to how to proceed from this point out. it's obvious that i'm dealing with a VERY nasty infection here. the problem is, i've got about 190 gb of data i'd like to recover on that ntfs hdd. i'm not sure if it's safe but i'm planning on using a 'slax' linux live cd to access and copy those files (unless you have a better method to recommend).
as i type, i am using a backup installation of windows 98 on another hdd and am currently connected to the internet by the same ip as my infected computer; it is interesting to note that i've been using windows 98 for years without incidence but after switching to xp for little more than a month, problems started appearing like this; i guess the old os is just not as attractive a target for attack (i switched over mainly for game compatibility). my question here is, should i ask my isp to change my ip #? i'd do it on principle except that the connection i have right now is pretty good -i know all the settings and how to optimize it- and i don't really want to hold a phone to my ear for half an hour for service.
i'd like a recommendation for a safe, easy to configure firewall that has a very small memory footprint; based on my research, i thought that was comodo but... well, honestly, i don't know what bogged down my pc but something went awry and it was after i installed a firewall and an antitrojan application which is the other thing i'd like a recommendation for. I'd like something that is small, effective and doesn't take a lot of resources. some of the programs i had tried were effective but used huge amounts of memory and cputime. Many thanks for your help so far; i really appreciate you doing this and i hope i'm not overstepping my bounds by making these requests.
hi
my personal favorites re security programs:
antivirus: NOD32 and DrWeb
firewall: Kerio, the old one http://www.247fixes.com/downloads/kerio-pf-2.1.5-en-win.exe
its the most resource friendly for an old laptop like mine
anti-malware: BOClean
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.