win32/darksma.x



poolshark
2007-05-23, 06:08
Seems like lots of folks have the darksma.x malware !!! Blade... HELP !!!
Here's my HT log



Logfile of HijackThis v1.99.1
Scan saved at 11:02:19 PM, on 5/22/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2evxx.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINNT\System32\DRIVERS\dcfssvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINNT\system32\HPZinw12.exe

F2 - REG:system.ini: Shell=
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar6.dll
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINNT\system32\csvpfhxg.dll",realset
O4 - HKLM\..\Run: [mav_startupmon] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"
O4 - Startup: Greetings Workshop Reminders.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\Netscape\Communicator\Program\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135782094636
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab58570.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O16 - DPF: {ff348b6e-fd21-11d4-a3f0-00c04fa32518} -
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINNT\System32\DRIVERS\dcfssvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

poolshark
2007-05-26, 00:32
Hi-
I have tried for a few days to shake this malware but can't seem to do it. Can someone please help ???
Thx

poolshark
2007-05-26, 02:51
Hi-
I have tried for a few days to shake this malware but can't seem to do it. Can someone please help ???
Thx

Logfile of HijackThis v1.99.1
Scan saved at 7:51:58 PM, on 5/25/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2evxx.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINNT\System32\DRIVERS\dcfssvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\LicReg.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINNT\system32\HPZipm12.exe

F2 - REG:system.ini: Shell=
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar6.dll
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINNT\system32\ydwfcnnu.dll",realset
O4 - Startup: Greetings Workshop Reminders.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\Netscape\Communicator\Program\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135782094636
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab58570.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O16 - DPF: {ff348b6e-fd21-11d4-a3f0-00c04fa32518} -
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINNT\System32\DRIVERS\dcfssvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

Shaba
2007-05-26, 12:19
Hi poolshark

Rename HijackThis.exe to scanner.exe and post back a fresh HijackThis log, please :)

poolshark
2007-05-26, 16:12
Hi, I don't know what happened to my computer but my antivirus found the darksma virus...

I posted 2 days ago but the thread disappeared ... please tell me if I'm not following procedure!! :sick:
Thank you
Jerry

tashi
2007-05-26, 18:04
Hi poolshark

Please click 'Post Reply' and not 'New Thread'

Thanks. ;)

poolshark
2007-05-26, 23:05
Sorry to get off to a rocky start ... :oops:
I renamed HJT to "Scanner.exe" ... Here's the output:


Logfile of HijackThis v1.99.1
Scan saved at 4:07:19 PM, on 5/26/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2evxx.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINNT\System32\DRIVERS\dcfssvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINNT\system32\HPZinw12.exe
C:\Program Files\Hijackthis\scanner.exe

F2 - REG:system.ini: Shell=
O2 - BHO: (no name) - {1E85472C-2398-464D-A7BC-A6FE32A9BA82} - C:\WINNT\system32\ddcyv.dll
O2 - BHO: (no name) - {3A790138-7D03-4371-BC52-FC3BB2538456} - \
O2 - BHO: (no name) - {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5} - C:\WINNT\system32\tuvtrol.dll
O2 - BHO: 0 - {40D87560-F618-4B9E-2F86-A6EB5B9D8F30} - (no file)
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINNT\system32\uqmryanc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {93FFB93E-5113-4154-9F9B-88C6DD5DBB3D} - \
O2 - BHO: (no name) - {9675BE7E-8CD0-44D7-B7B8-6CC597FFF32A} - \
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar6.dll
O2 - BHO: (no name) - {CA01EFD7-E78E-4C43-90D8-357582902AE1} - C:\WINNT\system32\ydjfmydl.dll
O2 - BHO: (no name) - {DA11D82C-A0D8-448D-A95A-8205ED1DE453} - \
O2 - BHO: (no name) - {DDDFCD51-EF17-4CCF-976D-069318474C21} - \
O2 - BHO: (no name) - {FBFD9255-337A-4FAF-B5B3-D39C49D87E0E} - \
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar6.dll
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINNT\system32\ydwfcnnu.dll",realset
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKCU\..\Run: [A00F4E7E7A5.exe] C:\DOCUME~1\TRANTG~1.GPT\LOCALS~1\Temp\_A00F4E7E7A5.exe
O4 - HKCU\..\Run: [A00F4E81A6B.exe] C:\DOCUME~1\TRANTG~1.GPT\LOCALS~1\Temp\_A00F4E81A6B.exe
O4 - Startup: Greetings Workshop Reminders.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\Netscape\Communicator\Program\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135782094636
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab58570.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O16 - DPF: {ff348b6e-fd21-11d4-a3f0-00c04fa32518} -
O20 - Winlogon Notify: ddcyv - C:\WINNT\system32\ddcyv.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: tuvtrol - C:\WINNT\SYSTEM32\tuvtrol.dll
O20 - Winlogon Notify: __c00C9AF9 - C:\WINNT\system32\__c00C9AF9.dat
O20 - Winlogon Notify: __c00F1BA4 - C:\WINNT\system32\__c00F1BA4.dat
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINNT\System32\DRIVERS\dcfssvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
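
The log above is the first one in the thread that shows the full Vundo footprint: unnamed O2 BHOs and O20 Winlogon Notify packages pointing at randomly named DLLs in system32, Notify entries whose "DLL" is a .dat file, and HKCU Run keys launching from the user's Temp folder. As an added example (not part of the thread, and not code from HijackThis, VundoFix or ComboFix), here is a small Python triage script that reads HijackThis 1.99.1 lines and flags exactly those patterns. The sample lines are copied from the logs posted in this thread; the "random name" test and the KNOWN_GOOD list are my own heuristics, so a hit is a lead to check against the rest of the log, not proof of infection.

```python
"""Triage a HijackThis 1.99.1 log for the Vundo-style persistence pattern:
unnamed BHOs (O2), Winlogon Notify packages (O20) and Run keys (O4) that
point at randomly named DLLs in system32, at .dat files, or at executables
under a Temp directory.  Added example; the random-name rule is a heuristic.
"""
import re

# Legitimate components that would otherwise trip the lowercase-name rule
# (assumption: this short list is enough for a Windows 2000 / XP box).
KNOWN_GOOD = {"navlogon", "sdhelper", "cscdll", "sclgntfy", "senslogn",
              "wlballoon", "crypt32chain", "cryptnet", "wgalogon"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def looks_random(stem: str) -> bool:
    """Names seen in this thread: ddcyv, tuvtrol, uqmryanc, ydjfmydl, csvpfhxg,
    ydwfcnnu (5-8 lowercase letters) and __c00C9AF9 / __c00F1BA4 (__c + hex)."""
    if stem.lower() in KNOWN_GOOD:
        return False
    if re.fullmatch(r"__c[0-9A-Fa-f]{6,}", stem):
        return True
    return re.fullmatch(r"[a-z]{5,8}", stem) is not None


def _file_parts(path: str):
    """Split a (possibly quoted) Windows path into (directory\\, stem, .ext)."""
    path = path.strip().strip('"')
    directory, _, name = path.rpartition("\\")
    stem, dot, ext = name.rpartition(".")
    if dot:
        return directory + "\\", stem, "." + ext.lower()
    return directory + "\\", name, ""


def _suspicious_dll(path: str) -> bool:
    """True for a randomly named file living directly in system32."""
    directory, stem, _ = _file_parts(path)
    return directory.lower().endswith("\\system32\\") and looks_random(stem)


def _rundll_target(cmd: str) -> str:
    """rundll32.exe "C:\\...\\x.dll",entry  ->  "C:\\...\\x.dll"."""
    rest = cmd.split(None, 1)[1] if " " in cmd else ""
    return rest.split(",", 1)[0]


def _hit(severity, line, reason):
    return {"severity": severity, "line": line, "reason": reason}


def triage(log_text: str) -> list:
    """Return the suspicious lines, in log order, with a severity and reason."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            path = m.group("path").strip()
            if path in ("\\", "(no file)"):
                hits.append(_hit("low", line, "orphaned BHO CLSID with no file"))
            elif m.group("name") == "(no name)" and _suspicious_dll(path):
                hits.append(_hit("high", line, "unnamed BHO loading a randomly named system32 DLL"))
        elif m := O20_RE.match(line):
            path = m.group("path").strip()
            _, _, ext = _file_parts(path)
            if ext != ".dll" or _suspicious_dll(path):
                hits.append(_hit("high", line, "Winlogon Notify package (loaded by winlogon.exe at logon) "
                                               "that is a .dat file or a randomly named DLL"))
        elif m := O4_RE.match(line):
            cmd = m.group("cmd")
            if TEMP_RE.search(cmd):
                hits.append(_hit("high", line, "autorun launching an executable from a Temp directory"))
            elif cmd.lower().startswith("rundll32") and _suspicious_dll(_rundll_target(cmd)):
                hits.append(_hit("high", line, "rundll32 autorun of a randomly named system32 DLL"))
    return hits


# Constructed sample: a subset of the lines posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=
O2 - BHO: (no name) - {1E85472C-2398-464D-A7BC-A6FE32A9BA82} - C:\WINNT\system32\ddcyv.dll
O2 - BHO: (no name) - {3A790138-7D03-4371-BC52-FC3BB2538456} - \
O2 - BHO: 0 - {40D87560-F618-4B9E-2F86-A6EB5B9D8F30} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar6.dll
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINNT\system32\ydwfcnnu.dll",realset
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [A00F4E7E7A5.exe] C:\DOCUME~1\TRANTG~1.GPT\LOCALS~1\Temp\_A00F4E7E7A5.exe
O20 - Winlogon Notify: ddcyv - C:\WINNT\system32\ddcyv.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: __c00C9AF9 - C:\WINNT\system32\__c00C9AF9.dat
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
"""

if __name__ == "__main__":
    for h in triage(SAMPLE_LOG):
        print(f"[{h['severity']:4}] {h['reason']}\n        {h['line']}")
```

Run it against a saved log (paste the file contents in place of SAMPLE_LOG) and it returns the O2/O20/O4 lines worth feeding to the fix tool, while leaving NavLogon.dll, SDHelper.dll and the HP autorun alone. The "(no name) BHO with path \" and "(no file)" entries are dead CLSIDs left behind after a partial clean; they rate low because there is nothing on disk to remove, only the registry entry.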

Shaba
2007-05-27, 11:53
Hi

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

poolshark
2007-05-28, 19:43
This is a very STUBBORN malware !!!
I ran VundoFix ... it couldn't delete a few .dll ...

It said to reboot to try to remove upon startup ...
Still issues ...

I went into Safe Mode and used KillBox to delete
tuvtrol.dll
ddcyv.dll
vycdd.ini

KillBox couldn't delete but said it could delete upon reboot .. so I tried to have KillBox delete all 3 upon reboot ...
Malware still there !!!

Shaba... HELP !!!!



From Vundofix.txt:
-----------------------------------------------
Beginning removal...

Attempting to delete C:\WINNT\system32\ddcyv.dll
C:\WINNT\system32\ddcyv.dll Could not be deleted.

Attempting to delete C:\WINNT\system32\tuvtrol.dll
C:\WINNT\system32\tuvtrol.dll Could not be deleted.

Attempting to delete C:\WINNT\system32\vycdd.ini
C:\WINNT\system32\vycdd.ini Has been deleted!

Performing Repairs to the registry.
Done!


From HJT file:

Logfile of HijackThis v1.99.1
Scan saved at 12:29:18 PM, on 5/28/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2evxx.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINNT\System32\DRIVERS\dcfssvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Desktop\VundoFix.exe
C:\Program Files\Hijackthis\scanner.exe

F2 - REG:system.ini: Shell=
O2 - BHO: (no name) - {3A790138-7D03-4371-BC52-FC3BB2538456} - \
O2 - BHO: (no name) - {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5} - C:\WINNT\system32\tuvtrol.dll
O2 - BHO: 0 - {40D87560-F618-4B9E-2F86-A6EB5B9D8F30} - (no file)
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINNT\system32\uqmryanc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {93FFB93E-5113-4154-9F9B-88C6DD5DBB3D} - \
O2 - BHO: (no name) - {9675BE7E-8CD0-44D7-B7B8-6CC597FFF32A} - \
O2 - BHO: (no name) - {9F0A3E6E-C8FD-4210-A700-1602295F9E0B} - C:\WINNT\system32\ddcyv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar6.dll
O2 - BHO: (no name) - {CA01EFD7-E78E-4C43-90D8-357582902AE1} - C:\WINNT\system32\ydjfmydl.dll
O2 - BHO: (no name) - {DA11D82C-A0D8-448D-A95A-8205ED1DE453} - \
O2 - BHO: (no name) - {DDDFCD51-EF17-4CCF-976D-069318474C21} - \
O2 - BHO: (no name) - {FBFD9255-337A-4FAF-B5B3-D39C49D87E0E} - \
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar6.dll
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKCU\..\Run: [A00F4E7E7A5.exe] C:\DOCUME~1\TRANTG~1.GPT\LOCALS~1\Temp\_A00F4E7E7A5.exe
O4 - HKCU\..\Run: [A00F4E81A6B.exe] C:\DOCUME~1\TRANTG~1.GPT\LOCALS~1\Temp\_A00F4E81A6B.exe
O4 - Startup: Greetings Workshop Reminders.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\Netscape\Communicator\Program\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135782094636
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab58570.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O16 - DPF: {ff348b6e-fd21-11d4-a3f0-00c04fa32518} -
O20 - Winlogon Notify: ddcyv - C:\WINNT\system32\ddcyv.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: tuvtrol - C:\WINNT\SYSTEM32\tuvtrol.dll
O20 - Winlogon Notify: __c00C9AF9 - C:\WINNT\system32\__c00C9AF9.dat
O20 - Winlogon Notify: __c00F1BA4 - C:\WINNT\system32\__c00F1BA4.dat
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINNT\System32\DRIVERS\dcfssvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

Shaba
2007-05-28, 19:48
Hi

KillBox won't help here. Vundo is more clever than KillBox. However, we can use it to delete some other baddies, so please don't delete it.

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
and save it to your desktop.

2. Go to start -> run.
Type this in the box and click OK

"%userprofile%\desktop\ComboFix.exe" /v tuvtrol uqmryanc ddcyv ydjfmydl

3. When finished, it shall produce a log for you. Post that log in your next reply

4. Reboot

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Post:

- a fresh HijackThis log
- combofix report

poolshark
2007-05-28, 21:14
Logfile of HijackThis v1.99.1
Scan saved at 2:17:57 PM, on 5/28/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2evxx.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINNT\System32\DRIVERS\dcfssvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\scanner.exe

O2 - BHO: (no name) - {3A790138-7D03-4371-BC52-FC3BB2538456} - \
O2 - BHO: 0 - {40D87560-F618-4B9E-2F86-A6EB5B9D8F30} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {93FFB93E-5113-4154-9F9B-88C6DD5DBB3D} - \
O2 - BHO: (no name) - {9675BE7E-8CD0-44D7-B7B8-6CC597FFF32A} - \
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar6.dll
O2 - BHO: (no name) - {DA11D82C-A0D8-448D-A95A-8205ED1DE453} - \
O2 - BHO: (no name) - {DDDFCD51-EF17-4CCF-976D-069318474C21} - \
O2 - BHO: (no name) - {FBFD9255-337A-4FAF-B5B3-D39C49D87E0E} - \
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar6.dll
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - Startup: Greetings Workshop Reminders.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\Netscape\Communicator\Program\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135782094636
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab58570.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O16 - DPF: {ff348b6e-fd21-11d4-a3f0-00c04fa32518} -
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: __c00C9AF9 - C:\WINNT\system32\__c00C9AF9.dat
O20 - Winlogon Notify: __c00F1BA4 - C:\WINNT\system32\__c00F1BA4.dat
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINNT\System32\DRIVERS\dcfssvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
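As an added example that is not part of the original thread, the Python script below triages the O2 (BHO) and O20 (Winlogon Notify) lines of a HijackThis log of the kind posted above. The sample log lines are constructed from entries in this thread, and the flagging rules (non-DLL Winlogon Notify targets, `__c<hex>` names, vowel-less lowercase names, BHOs with no file or a bare `\` path) are my own heuristics, not HijackThis's or ComboFix's logic.

```python
"""Triage helper for HijackThis O2 (BHO) and O20 (Winlogon Notify) lines.

Added example for this thread; the heuristics are assumptions, not rules
from HijackThis or ComboFix, and will produce false positives on odd but
legitimate software.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, shaped after the log lines posted in this thread.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {3A790138-7D03-4371-BC52-FC3BB2538456} - \\
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: 0 - {40D87560-F618-4B9E-2F86-A6EB5B9D8F30} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\\program files\\google\\googletoolbar6.dll
O20 - Winlogon Notify: ddcyv - C:\\WINNT\\system32\\ddcyv.dll
O20 - Winlogon Notify: NavLogon - C:\\WINNT\\System32\\NavLogon.dll
O20 - Winlogon Notify: __c00C9AF9 - C:\\WINNT\\system32\\__c00C9AF9.dat
"""

# "O2 - BHO: <name> - {CLSID} - <target>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$"
)
# "O20 - Winlogon Notify: <name> - <target>"
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")
# Names like __c00C9AF9 as seen in this thread: "__c" plus a run of hex digits.
VUNDO_STYLE_NAME_RE = re.compile(r"^__c[0-9A-Fa-f]{6,8}$")


@dataclass
class Finding:
    section: str
    name: str
    target: str
    reasons: list = field(default_factory=list)


def _check_winlogon_notify(name: str, target: str) -> list:
    """Heuristics for an O20 entry; returns the reasons it looks suspicious."""
    reasons = []
    # Winlogon Notify packages are DLLs; a .dat (or anything else) loaded
    # here is a classic disguise.
    if not target.lower().endswith(".dll"):
        reasons.append("Winlogon Notify target is not a DLL")
    if VUNDO_STYLE_NAME_RE.match(name):
        reasons.append("name matches the __c<hex> pattern seen in this thread")
    # Assumption: randomly generated lowercase names often contain no vowels.
    letters = re.sub(r"[^a-z]", "", name.lower())
    if name.islower() and letters and not re.search(r"[aeiou]", letters):
        reasons.append("vowel-less lowercase name (heuristic)")
    return reasons


def _check_bho(name: str, target: str) -> list:
    """Heuristics for an O2 entry; returns the reasons it looks suspicious."""
    reasons = []
    if target == "(no file)":
        reasons.append("orphaned BHO registration (no file on disk)")
    elif target == "\\" or not target:
        reasons.append("BHO registered without a resolvable file path")
    if reasons and name in ("(no name)", "0"):
        reasons.append("entry has no meaningful name")
    return reasons


def triage(log_text: str) -> list:
    """Return a Finding for every O2/O20 line that trips at least one rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O20_RE.match(line)
        if m:
            name, target = m.group("name"), m.group("target").strip()
            reasons = _check_winlogon_notify(name, target)
            if reasons:
                findings.append(Finding("O20", name, target, reasons))
            continue
        m = O2_RE.match(line)
        if m:
            name, target = m.group("name").strip(), m.group("target").strip()
            reasons = _check_bho(name, target)
            if reasons:
                findings.append(Finding("O2", name, target, reasons))
    return findings


def flagged_names(log_text: str) -> list:
    """Convenience wrapper: just the names of the flagged entries, in log order."""
    return [f.name for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} {f.name!r} -> {f.target}")
        for r in f.reasons:
            print(f"    - {r}")
```

Feed it a full HijackThis log and it ignores every other section; the flagged entries are candidates for a helper to look at, not a verdict.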

poolshark
2007-05-29, 01:47
I had to strip off some of the date/size/properties on the Find3M report .. file too big to post ...

trant - 05/28/2007 18:25:01 Service Pack 4
ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Desktop\"
Command switches used :: "/v tuvtrol uqmryanc ddcyv ydjfmydl"


((((((((((((((((((((((((((((((( Files Created from 05/2-01-07 to 05/28/2007 ))))))))))))))))))))))))))))))))))


No new files created in this timespan


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


poolshark
2007-05-29, 01:49
C:\DOCUME~1\TRANTG~1.GPT\APPLIC~1\Envivio
C:\WINNT\system32\livesnth.dll
C:\WINNT\system32\clrviddc.dll
C:\DOCUME~1\TRANTG~1.GPT\APPLIC~1\Real
C:\WINNT\system32\sporder.dll
C:\Program Files\Common Files\csshare
C:\WINNT\system32\d3d8caps.dat
C:\WINNT\system32\ir50_qc.dll
C:\WINNT\system32\ir50_qcx.dll
C:\WINNT\system32\msvcr70.dll
C:\WINNT\system32\dmstyle.dll
C:\WINNT\system32\dmusic.dll
C:\WINNT\system32\dpvsetup.exe
C:\WINNT\system32\dmscript.dll
C:\WINNT\system32\qedwipes.dll
C:\WINNT\system32\drivers\mskssrv.sys
C:\WINNT\system32\d3d8thk.dll
C:\WINNT\system32\dsdmoprp.dll
C:\WINNT\system32\amstream.dll
C:\WINNT\system32\dx7vb.dll
C:\WINNT\system32\d3dramp.dll
C:\WINNT\system32\dmcompos.dll
C:\WINNT\system32\qedit.dll
C:\WINNT\system32\drivers\mstee.sys
C:\WINNT\system32\drivers\mspclock.sys
C:\WINNT\system32\d3dxof.dll
C:\WINNT\system32\drivers\stream.sys
C:\WINNT\system32\d3dim.dll
C:\WINNT\system32\ksuser.dll
C:\WINNT\system32\drivers\swenum.sys
C:\WINNT\system32\dpnet.dll
C:\WINNT\system32\d3dpmesh.dll
C:\WINNT\system32\d3drm.dll
C:\WINNT\system32\mciqtz32.dll
C:\WINNT\system32\dsound.dll
C:\WINNT\system32\dmloader.dll
C:\WINNT\system32\dpnlobby.dll
C:\WINNT\system32\dpnaddr.dll
C:\WINNT\system32\dplaysvr.exe
C:\WINNT\system32\dmband.dll
C:\WINNT\system32\qdv.dll
C:\WINNT\system32\ddraw.dll
C:\WINNT\system32\dpmodemx.dll
C:\WINNT\system32\dpvoice.dll
C:\WINNT\system32\mswebdvd.dll
C:\WINNT\system32\dpvacm.dll
C:\WINNT\system32\dsdmo.dll
C:\WINNT\system32\encapi.dll
C:\WINNT\system32\dswave.dll
C:\WINNT\system32\qcap.dll
C:\WINNT\system32\dmime.dll
C:\WINNT\system32\dpnsvr.exe
C:\WINNT\system32\drivers\ks.sys
C:\WINNT\system32\msdmo.dll
C:\WINNT\system32\dpvvox.dll
C:\WINNT\system32\dmsynth.dll
C:\WINNT\system32\dsound3d.dll
C:\WINNT\system32\d3d8.dll
C:\WINNT\system32\dxdllreg.exe
C:\WINNT\system32\wmsdmod.dll
C:\WINNT\system32\mp43dmod.dll
C:\WINNT\system32\wmadmod.dll
C:\WINNT\system32\wmvdmod.dll
C:\WINNT\system32\wmspdmod.dll
C:\WINNT\system32\drmclien.dll
C:\WINNT\system32\drmv2clt.dll
C:\WINNT\system32\msscp.dll
C:\WINNT\system32\msnetobj.dll
C:\WINNT\system32\blackbox.dll
C:\WINNT\system32\drmstor.dll
C:\WINNT\system32\wmpns.dll
C:\WINNT\system32\wmvdmoe2.dll
C:\WINNT\system32\wmpshell.dll
C:\WINNT\system32\wmspdmoe.dll
C:\WINNT\system32\wmadmoe.dll
C:\WINNT\system32\qasf.dll
C:\WINNT\system32\mpg4dmod.dll
C:\WINNT\system32\wmpdxm.dll
C:\WINNT\system32\wmploc.dll
C:\WINNT\system32\wmpasf.dll
C:\WINNT\system32\wmsdmoe2.dll
C:\WINNT\system32\wmnetmgr.dll
C:\WINNT\system32\wmasf.dll
C:\WINNT\system32\asferror.dll
C:\WINNT\system32\laprxy.dll
C:\WINNT\system32\mp4sdmod.dll
C:\WINNT\system32\wmidx.dll
C:\WINNT\system32\wmerror.dll
C:\WINNT\system32\wmpui.dll
C:\WINNT\system32\wmpcore.dll
C:\WINNT\system32\wmpcd.dll
C:\WINNT\system32\logagent.exe
C:\WINNT\system32\vobsub.dll
C:\WINNT\system32\drivers\SECDRV.SYS
C:\WINNT\system32\mspmsnsv.dll
C:\WINNT\system32\wmdmlog.dll
C:\WINNT\system32\mswmdm.dll
C:\WINNT\system32\wmdmps.dll
C:\WINNT\system32\mspmsp.dll
C:\WINNT\system32\CEWMDM.dll
C:\WINNT\system32\MMAVILNG.exe
C:\WINNT\EReg515.dat
C:\WINNT\system32\MMSwitch.dll
C:\WINNT\CDAC14BA.DLL
C:\WINNT\system32\inetclnt.dll
C:\WINNT\system32\IR41_QCX.dll
C:\WINNT\system32\OggDS.dll
C:\WINNT\system32\VorbisEnc.dll
C:\WINNT\system32\vorbis.dll
C:\WINNT\system32\ogg.dll
C:\WINNT\system32\fwsvpn.dll
C:\WINNT\system32\drivers\grmn1200.sys
C:\WINNT\system32\actxprxy.dll
C:\WINNT\system32\msencode.dll
C:\WINNT\system32\csseqchk.dll
C:\WINNT\system32\browsewm.dll
C:\WINNT\system32\browselc.dll
C:\WINNT\system32\msratelc.dll
C:\WINNT\system32\mlang.dll
C:\WINNT\system32\iesetup.dll
C:\WINNT\system32\mshtmler.dll
C:\WINNT\system32\digest.dll
C:\WINNT\system32\shdoclc.dll
C:\WINNT\system32\setupwbv.dll
C:\WINNT\system32\msxml3r.dll
C:\WINNT\system32\imgutil.dll
C:\WINNT\system32\msxml3a.dll
C:\WINNT\system32\mshta.exe
C:\WINNT\system32\shfolder.dll
C:\WINNT\system32\sendmail.dll
C:\WINNT\system32\corpol.dll
C:\WINNT\system32\msidntld.dll
C:\WINNT\system32\inetcplc.dll
C:\WINNT\system32\acctres.dll
C:\WINNT\NuNinst.exe
C:\WINNT\system32\drivers\bsudf.sys
C:\WINNT\system32\drivers\el575ND5.sys
C:\WINNT\system32\gtcodec.dll
C:\WINNT\system32\odbcint.dll
C:\WINNT\system32\schmupd.exe
C:\WINNT\system32\command.com
C:\WINNT\system32\key01.sys
C:\WINNT\system32\KEYBOARD.SYS
C:\WINNT\system32\MPG4C32.DLL
C:\WINNT\system32\msiregmv.exe
C:\WINNT\system32\mspatcha.dll
C:\WINNT\system32\msxmlr.dll
C:\WINNT\system32\wdluc48b.dll
C:\WINNT\system32\waluc48b.dll
C:\WINNT\system32\wcluc48b.exe
C:\WINNT\system32\drivers\wlluc48b.sys
C:\WINNT\system32\XENROLL.DLL
C:\WINNT\system32\infcpy.dll
C:\WINNT\system32\drivers\asctrm.sys
C:\WINNT\UNMRW.exe
C:\WINNT\system32\drivers\incdrm.sys
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\TLCUninstall.exe

poolshark
2007-05-29, 01:50

poolshark
2007-05-29, 01:51


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{3A790138-7D03-4371-BC52-FC3BB2538456}=\ [05/28/07 06:24p]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [03/16/03 12:02a]
{93FFB93E-5113-4154-9F9B-88C6DD5DBB3D}=\ [05/28/07 06:24p]
{9675BE7E-8CD0-44D7-B7B8-6CC597FFF32A}=\ [05/28/07 06:24p]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=d:\program files\google\googletoolbar6.dll [01/19/07 11:55p]
{DA11D82C-A0D8-448D-A95A-8205ED1DE453}=\ [05/28/07 06:24p]
{DDDFCD51-EF17-4CCF-976D-069318474C21}=\ [05/28/07 06:24p]
{FBFD9255-337A-4FAF-B5B3-D39C49D87E0E}=\ [05/28/07 06:24p]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CaAvTray="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe" [05/16/07 09:54p]
Synchronization Manager="mobsync.exe" [06/19/03 02:05p C:\WINNT\system32\mobsync.exe]
HP Software Update="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05/11/05 11:12p]
CAVRID="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [05/16/07 09:54p]
Zone Labs Client="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe" [01/26/05 03:43a]
QuickTime Task="C:\Program Files\QuickTime\qttask.exe" [06/15/03 06:38p]
QOELOADER="C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe" [04/18/06 08:30p]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
^SetupICWDesktop=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
C:\Program Files\Common Files\progyc.html

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00C9AF9]
C:\WINNT\system32\__c00C9AF9.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00F1BA4]
C:\WINNT\system32\__c00F1BA4.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
Tweak UI=RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
Synchronization Manager=mobsync.exe /logon
KAZAA="D:\Program Files\KaZaA Lite\kpp.exe" "d:\Program Files\KaZaA Lite\kazaalite.kpp" /SYSTRAY
CAVRID="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
setup=rundll32.exe "C:\WINNT\system32\csvpfhxg.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
InCD=C:\Program Files\Ahead\InCD\InCD.exe
NeroCheck=C:\WINNT\System32\NeroCheck.exe
TPP Auto Loader=C:\WINNT\tppaldr.exe
dla=C:\WINNT\system32\dla\tfswctrl.exe
AtiPTA=Atiptaxx.exe
TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
tgcmd=D:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
WmdmPmSN


Contents of the 'Scheduled Tasks' folder
2005-12-29 12:08:12 C:\WINNT\tasks\1-Click Maintenance.job
2007-05-28 21:03:17 C:\WINNT\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-28 18:28:02
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


********************************************************************

Completion time: 05/28/2007 18:30:31
C:\ComboFix-quarantined-files.txt ... 05/28/07 06:30p
C:\ComboFix2.txt ... 05/28/07 02:02p
C:\ComboFix3.txt ... 05/28/07 01:48p

--- E O F ---

poolshark
2007-05-29, 02:08
Logfile of HijackThis v1.99.1
Scan saved at 7:09:39 PM, on 1/6/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2evxx.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINNT\System32\DRIVERS\dcfssvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Hijackthis\scanner.exe
C:\WINNT\system32\HPZinw12.exe

O2 - BHO: (no name) - {3A790138-7D03-4371-BC52-FC3BB2538456} - \
O2 - BHO: 0 - {40D87560-F618-4B9E-2F86-A6EB5B9D8F30} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {93FFB93E-5113-4154-9F9B-88C6DD5DBB3D} - \
O2 - BHO: (no name) - {9675BE7E-8CD0-44D7-B7B8-6CC597FFF32A} - \
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar6.dll
O2 - BHO: (no name) - {DA11D82C-A0D8-448D-A95A-8205ED1DE453} - \
O2 - BHO: (no name) - {DDDFCD51-EF17-4CCF-976D-069318474C21} - \
O2 - BHO: (no name) - {FBFD9255-337A-4FAF-B5B3-D39C49D87E0E} - \
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar6.dll
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - Startup: Greetings Workshop Reminders.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\Netscape\Communicator\Program\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135782094636
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab58570.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O16 - DPF: {ff348b6e-fd21-11d4-a3f0-00c04fa32518} -
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: __c00C9AF9 - C:\WINNT\system32\__c00C9AF9.dat
O20 - Winlogon Notify: __c00F1BA4 - C:\WINNT\system32\__c00F1BA4.dat
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINNT\System32\DRIVERS\dcfssvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

poolshark
2007-05-29, 02:13
aaarrrggghhh ... Darn malware ... problem still there !!
:sad:

Shaba, I REALLY appreciate all your time and effort on my problem ... thanks for being so patient !!!
Jerry

Shaba
2007-05-29, 09:10
Hi

Looking better, most of vundo is gone :)

Open HijackThis, click do a system scan only and checkmark these:

O2 - BHO: (no name) - {3A790138-7D03-4371-BC52-FC3BB2538456} - \
O2 - BHO: 0 - {40D87560-F618-4B9E-2F86-A6EB5B9D8F30} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {93FFB93E-5113-4154-9F9B-88C6DD5DBB3D} - \
O2 - BHO: (no name) - {9675BE7E-8CD0-44D7-B7B8-6CC597FFF32A} - \
O2 - BHO: (no name) - {DA11D82C-A0D8-448D-A95A-8205ED1DE453} - \
O2 - BHO: (no name) - {DDDFCD51-EF17-4CCF-976D-069318474C21} - \
O2 - BHO: (no name) - {FBFD9255-337A-4FAF-B5B3-D39C49D87E0E} - \

Close all windows including browser and press fix checked.

Please download the Killbox (http://download.bleepingcomputer.com/spyware/KillBox.zip).
Unzip it to the desktop.

Please run Killbox.

Select "Delete on Reboot" and "All files"

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINNT\system32\__c00C9AF9.dat
C:\WINNT\system32\__c00F1BA4.dat

Go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here (http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe) to download and run missingfilesetup.exe. Then try TheKillbox again.

If your computer does not restart automatically, please restart it manually

Post a fresh HijackThis log.

poolshark
2007-05-29, 12:16
Shaba... All popups seem to be gone!! :bigthumb:
PC is running MUCH faster (back to normal) ...
I did re-run VundoFix .. nothing detected (but you knew that !! ;) )
I think all is fixed ???
Thanks!!!
Jerry


Logfile of HijackThis v1.99.1
Scan saved at 5:17:11 AM, on 1/7/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2evxx.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINNT\System32\DRIVERS\dcfssvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\scanner.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar6.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar6.dll
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - Startup: Greetings Workshop Reminders.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\Netscape\Communicator\Program\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135782094636
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab58570.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O16 - DPF: {ff348b6e-fd21-11d4-a3f0-00c04fa32518} -
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: __c00C9AF9 - C:\WINNT\system32\__c00C9AF9.dat
O20 - Winlogon Notify: __c00F1BA4 - C:\WINNT\system32\__c00F1BA4.dat
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINNT\System32\DRIVERS\dcfssvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

poolshark
2007-05-29, 12:22
Just curious, what are these entries from the above HJT log:

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.comp...bio5_1_6_0.cab
O16 - DPF: {ff348b6e-fd21-11d4-a3f0-00c04fa32518} -

O20 - Winlogon Notify: __c00C9AF9 - C:\WINNT\system32\__c00C9AF9.dat
O20 - Winlogon Notify: __c00F1BA4 - C:\WINNT\system32\__c00F1BA4.dat

Shaba
2007-05-29, 12:44
Hi

Your system clock is wrong, please correct it.

Leftover:

O16 - DPF: {ff348b6e-fd21-11d4-a3f0-00c04fa32518} -

Related to yahoo toolbar:

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.comp...bio5_1_6_0.cab

Bad entries:

O20 - Winlogon Notify: __c00C9AF9 - C:\WINNT\system32\__c00C9AF9.dat
O20 - Winlogon Notify: __c00F1BA4 - C:\WINNT\system32\__c00F1BA4.dat


Did you run killbox as instructed?

I mean that these files are still there:

C:\WINNT\system32\__c00C9AF9.dat
C:\WINNT\system32\__c00F1BA4.dat

If not, please do so now.
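
An added example, not posted by Shaba or anyone else in this thread, that automates the triage done in the reply above: it reads HijackThis O2, O16 and O20 lines and flags the three patterns being fixed here, BHOs whose path is "\" or "(no file)", Downloaded Program File (O16) entries with no source URL, and Winlogon Notify entries whose DLL has a Vundo-style __c00xxxxx name or a .dat extension. The sample input is copied from the logs posted above; the regular expressions, the verdict names and the Finding type are this example's own.

```python
"""Triage HijackThis O2/O16/O20 entries for the leftovers fixed in this thread.

Added example; regexes, verdict names and the Finding type are this example's own.
"""
import re
import sys
from typing import List, NamedTuple, Optional

# Constructed sample input: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {3A790138-7D03-4371-BC52-FC3BB2538456} - \\
O2 - BHO: 0 - {40D87560-F618-4B9E-2F86-A6EB5B9D8F30} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\\program files\\google\\googletoolbar6.dll
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O16 - DPF: {ff348b6e-fd21-11d4-a3f0-00c04fa32518} -
O20 - Winlogon Notify: NavLogon - C:\\WINNT\\System32\\NavLogon.dll
O20 - Winlogon Notify: __c00C9AF9 - C:\\WINNT\\system32\\__c00C9AF9.dat
O20 - Winlogon Notify: __c00F1BA4 - C:\\WINNT\\system32\\__c00F1BA4.dat
"""

CLSID = r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<path>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>" + CLSID + r")(?: \((?P<name>[^)]*)\))? - ?(?P<url>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")

# The two Vundo notify names in this thread are __c00C9AF9 and __c00F1BA4:
# two underscores, 'c', then seven hex digits.
VUNDO_NAME_RE = re.compile(r"^__c[0-9A-Fa-f]{7}$")


class Finding(NamedTuple):
    line: str
    verdict: str   # "bad" (fix now), "leftover" (fix, harmless), "review" (check publisher)
    reason: str


def triage_line(line: str) -> Optional[Finding]:
    """Classify one HijackThis line; None means nothing to report for this entry type."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        path = m.group("path").strip()
        if path in ("\\", "(no file)", ""):
            return Finding(line, "leftover", "BHO CLSID registered but no DLL behind it")
        return None
    m = O16_RE.match(line)
    if m:
        if not m.group("url").strip():
            return Finding(line, "leftover", "Downloaded Program File entry with no source URL")
        return None
    m = O20_RE.match(line)
    if m:
        name, path = m.group("name"), m.group("path").strip()
        if VUNDO_NAME_RE.match(name) or path.lower().endswith(".dat"):
            return Finding(line, "bad", "Winlogon Notify DLL with Vundo-style name or .dat extension")
        # Any notify DLL is loaded into winlogon.exe as SYSTEM, so it always deserves a look.
        return Finding(line, "review", "Winlogon Notify DLL loads into winlogon.exe as SYSTEM; verify the publisher")
    return None


def triage_log(text: str) -> List[Finding]:
    return [f for f in (triage_line(l) for l in text.splitlines()) if f is not None]


def winlogon_notify_files(findings: List[Finding]) -> List[str]:
    """Paths of the bad O20 entries, i.e. the files that need the delete-on-reboot step."""
    return [f.line.rsplit(" - ", 1)[1] for f in findings
            if f.verdict == "bad" and f.line.startswith("O20")]


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in triage_log(text):
        print(f"{f.verdict:8} {f.reason}\n         {f.line}")
```

Run it against a saved log with python triage.py hijackthis.log. A "review" verdict is not a conviction: NavLogon.dll is normally Symantec's notify DLL and is only flagged so that its publisher gets checked, while the two __c00 entries are exactly what Killbox is being asked to delete.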

poolshark
2007-05-30, 00:32
hmmm... killbox couldn't get rid of
O20 - Winlogon Notify: __c00C9AF9 - C:\WINNT\system32\__c00C9AF9.dat

Logfile of HijackThis v1.99.1
Scan saved at 5:35:06 PM, on 5/29/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2evxx.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINNT\System32\DRIVERS\dcfssvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Hijackthis\scanner.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\HPZipm12.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar6.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar6.dll
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - Startup: Greetings Workshop Reminders.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\Netscape\Communicator\Program\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135782094636
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab58570.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: __c00C9AF9 - C:\WINNT\system32\__c00C9AF9.dat
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINNT\System32\DRIVERS\dcfssvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

poolshark
2007-05-30, 05:53
KillBox couldn't get rid of:
O20 - Winlogon Notify: __c00C9AF9 - C:\WINNT\system32\__c00C9AF9.dat

When I run KillBox and click on "Delete on Reboot" and "Delete File" ... up pops "File will be removed at reboot, do you want to reboot now" I then say "yes"... then up pops "verifying Registry entries..." then up pops another box with:

PendingFileRenameOperations Registry Data has been Removed by External Process!

After I reboot, HJT still lists
O20 - Winlogon Notify: __c00C9AF9 - C:\WINNT\system32\__c00C9AF9.dat
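
An added example, not from Killbox, The Avenger or anyone in this thread, showing the mechanism behind the failure Jerry describes. "Delete on Reboot" is the standard MoveFileEx request with MOVEFILE_DELAY_UNTIL_REBOOT, which records source/destination string pairs in the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations; smss.exe works through that list early in boot, before winlogon.exe loads its Notify DLLs. The value is ordinary registry data, so a DLL already running inside winlogon.exe as SYSTEM can clear it before the reboot, which is what Killbox's "removed by External Process" message is reporting. The code below encodes and decodes that value so the format is visible; the function names are this example's own.

```python
r"""Encode and decode the PendingFileRenameOperations REG_MULTI_SZ value.

Added example. Format (as written by MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT):
pairs of NUL-terminated UTF-16LE strings, source then destination, with an
extra NUL closing the list. Paths use the NT form \??\C:\..., an empty
destination means "delete", and a destination starting with '!' means
"replace the existing file" (MOVEFILE_REPLACE_EXISTING).
"""
from typing import List, Tuple

Op = Tuple[str, str]   # (source, destination); destination "" means delete


def to_nt_path(path: str) -> str:
    r"""C:\foo -> \??\C:\foo, keeping a leading '!' (replace-existing flag) in front."""
    if path == "":
        return ""
    flag = ""
    if path.startswith("!"):
        flag, path = "!", path[1:]
    if not path.startswith("\\??\\"):
        path = "\\??\\" + path
    return flag + path


def encode_pending_ops(ops: List[Op]) -> bytes:
    """Serialize as REG_MULTI_SZ: each string NUL-terminated, list closed by one more NUL."""
    strings = []
    for src, dst in ops:
        strings.append(to_nt_path(src))
        strings.append(to_nt_path(dst))
    if not strings:
        return "\0\0".encode("utf-16-le")   # empty multi-string
    body = "".join(s + "\0" for s in strings) + "\0"
    return body.encode("utf-16-le")


def decode_pending_ops(blob: bytes) -> List[Op]:
    """Inverse of encode_pending_ops; raises on a malformed value."""
    text = blob.decode("utf-16-le")
    if text in ("\0", "\0\0"):
        return []
    if not text.endswith("\0\0"):
        raise ValueError("not a terminated REG_MULTI_SZ")
    parts = text[:-1].split("\0")   # drop the list terminator, split on string terminators
    parts.pop()                     # the empty piece after the last string's terminator
    if len(parts) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/destination pairs")
    return [(parts[i], parts[i + 1]) for i in range(0, len(parts), 2)]


def describe_ops(ops: List[Op]) -> List[str]:
    """Human-readable view of what smss.exe would do with each pair at boot."""
    out = []
    for src, dst in ops:
        if dst == "":
            out.append("delete " + src)
        elif dst.startswith("!"):
            out.append("replace " + dst[1:] + " with " + src)
        else:
            out.append("move " + src + " to " + dst)
    return out


if __name__ == "__main__":
    # The file Killbox was asked to remove in this thread.
    blob = encode_pending_ops([("C:\\WINNT\\system32\\__c00C9AF9.dat", "")])
    print(blob.hex())
    for line in describe_ops(decode_pending_ops(blob)):
        print(line)
```

The practical consequence is the one this thread runs into: a delete-on-reboot request is only as strong as the protection on that registry value, and the component being deleted here is already running as SYSTEM inside winlogon.exe. A cleaner that instead runs as its own service during boot, before winlogon.exe has loaded the Notify DLL, does not have to race that watchdog at all.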

Shaba
2007-05-30, 09:20
Hi

Yes, it looks like 50 % success.

Please download Process Explorer by Sysinternals from HERE (http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx)

Then boot up in SAFE MODE (http://www.bleepingcomputer.com/forums/index.php?showtutorial=61)

The rest of this fix must be done in safe mode.

Unzip Process Explorer and double click on procexp.exe

In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen click on each instance of __c00C9AF9.dat once and then click the kill button.

After you have killed all of the __c00C9AF9.dat under winlogon click OK.

Click on the Threads tab at the top.

Once you have done that click OK again.

Next run HijackThis and place a check beside each of the following.

O20 - Winlogon Notify: __c00C9AF9 - C:\WINNT\system32\__c00C9AF9.dat

Now click fix checked and close HijackThis.

Double click on Killbox.exe and check the Delete on Reboot button.

When done Copy/Paste this into the "Full path of file to delete" box:

C:\WINNT\system32\__c00C9AF9.dat

Click the red and white "Delete File" button.
Click "Yes" at the first prompt .
Click "Yes" at the second.

Reboot.

After your computer has rebooted please run Hijackthis again and post a new HijackThis log.

poolshark
2007-05-30, 12:57
so I'm on another PC making this post ...

In "Safe Mode" I got thru
1) procexp.exe (stopped 2 processes of c00C9AF9.dat)
2) HJT .. killed c00C9AF9.dat
3) While still in Safe Mode, I pulled up Killbox .. browsed for the c00C9AF9.dat file ... selected it for "file to delete" .... hit 'delete' ... window popped up to "Confirm Delete" ... Selected "Yes"... up popped a window "File Access... file could not be deleted"

Here is what procexp says is running on my malware pc:
winlogon.exe
ntdll
RPCRT4.dll
ntdll
winlogon.exe
WINMM.dll
winlogon.exe
cscdll
WINMM.dll
RPCRT4.dll

Shaba
2007-05-30, 17:38
Hi

Ok, time for more powerful tools:

1. Please download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop. Click on Avenger.zip to open the file. Extract avenger.exe to your desktop.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to delete:
C:\WINNT\system32\__c00C9AF9.dat


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply

poolshark
2007-05-31, 06:04
Fixed?

---------------------------------------------------------------

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\tskhapcb

*******************

Script file located at: \??\C:\WINNT\system32\qvihqyim.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINNT\system32\__c00C9AF9.dat deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Logfile of HijackThis v1.99.1
Scan saved at 11:03:34 PM, on 5/30/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2evxx.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINNT\System32\DRIVERS\dcfssvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\vanguard.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\scanner.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\autodown.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar6.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar6.dll
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - Startup: Greetings Workshop Reminders.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\Netscape\Communicator\Program\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135782094636
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab58570.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINNT\System32\DRIVERS\dcfssvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

Shaba
2007-05-31, 09:23
Hi

Yes, looks like so :)

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases

Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

Post:

- a fresh HijackThis log
- kaspersky report

poolshark
2007-06-01, 03:55
KASPERSKY ONLINE SCANNER REPORT
Thursday, May 31, 2007 8:56:22 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 31/05/2007
Kaspersky Anti-Virus database records: 334594


Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 45731
Number of viruses found: 21
Number of infected objects: 45
Number of suspicious objects: 31
Duration of the scan process: 01:57:20

Infected Object Name / Virus Name / Last Action
C:\!KillBox\__c00C9AF9.dat Suspicious: Packed.Win32.Morphine.a skipped
C:\!KillBox\__c00C9AF9.dat( 1) Suspicious: Packed.Win32.Morphine.a skipped
C:\!KillBox\__c00C9AF9.dat( 2) Suspicious: Packed.Win32.Morphine.a skipped
C:\!KillBox\__c00C9AF9.dat( 3) Suspicious: Packed.Win32.Morphine.a skipped
C:\!KillBox\__c00C9AF9.dat( 4) Suspicious: Packed.Win32.Morphine.a skipped
C:\avenger\backup.zip/avenger/__c00C9AF9.dat Suspicious: Packed.Win32.Morphine.a skipped
C:\avenger\backup.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Default User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Desktop\update.exe/EXE-file Suspicious: Packed.Win32.Morphine.a skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Desktop\update.exe Embedded EXE: suspicious - 1 skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Desktop\update.exe.dat Suspicious: Packed.Win32.Morphine.a skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3204510e.ini.inuse Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.cdx Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.dbf Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\Identities\{7403742A-09EB-49E3-AF81-0206CFDB60A1}\Microsoft\Outlook Express\cleanup.log Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\Identities\{7403742A-09EB-49E3-AF81-0206CFDB60A1}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\Identities\{7403742A-09EB-49E3-AF81-0206CFDB60A1}\Microsoft\Outlook Express\Inbox.dbx Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\Identities\{7403742A-09EB-49E3-AF81-0206CFDB60A1}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\Identities\{7403742A-09EB-49E3-AF81-0206CFDB60A1}\Microsoft\Outlook Express\Pop3uidl.dbx Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\Identities\{B16B7DC4-0412-45A2-9627-F28DF0E69755}\Microsoft\Outlook Express\EZ Anti-Spam.dbx/[From Volksbanken Raiffeisenbanken AG][Date Sat, 02 Sep 2006 06:37:34 -0400 (EDT)]/UNNAMED/html Infected: Trojan-Spy.HTML.Bankfraud.od skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\Identities\{B16B7DC4-0412-45A2-9627-F28DF0E69755}\Microsoft\Outlook Express\EZ Anti-Spam.dbx/[From Volksbanken Raiffeisenbanken AG][Date Sat, 02 Sep 2006 06:37:34 -0400 (EDT)]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.od skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\Identities\{B16B7DC4-0412-45A2-9627-F28DF0E69755}\Microsoft\Outlook Express\EZ Anti-Spam.dbx Mail MS Outlook 5: infected - 2 skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\QurbOE\MsgInfo.dat Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\History\History.IE5\MSHist012007053020070531\index.dat Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Temp\~DFB6A9.tmp Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Temp\~DFCBFF.tmp Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\NTUSER.DAT.LOG Object is locked skipped
C:\Program Files\Common Files\Companion Wizard\WapCHK.dll Infected: not-a-virus:FraudTool.Win32.WinAntiVirus.2006 skipped
C:\QooBox\Quarantine\C\WINNT\b122.exe.vir/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\QooBox\Quarantine\C\WINNT\b122.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\QooBox\Quarantine\C\WINNT\b122.exe.vir NSIS: infected - 2 skipped
C:\QooBox\Quarantine\C\WINNT\retadpu1000106.exe.vir Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\QooBox\Quarantine\C\WINNT\retadpu2000219.exe.vir Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\QooBox\Quarantine\C\WINNT\system32\ddcyv.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\QooBox\Quarantine\C\WINNT\system32\dikstldr.dll.vir Infected: Packed.Win32.Klone.j skipped
C:\QooBox\Quarantine\C\WINNT\system32\dwckcacl.dll.vir Infected: Trojan.Win32.BHO.o skipped
C:\QooBox\Quarantine\C\WINNT\system32\iiihe.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\QooBox\Quarantine\C\WINNT\system32\leiancrv.dll.vir Infected: Trojan.Win32.BHO.o skipped
C:\QooBox\Quarantine\C\WINNT\system32\smpi1\lb66.exe.vir/unknown2.bin Infected: not-a-virus:AdWare.Win32.Ucmore.e skipped
C:\QooBox\Quarantine\C\WINNT\system32\smpi1\lb66.exe.vir/UCMTSAIE.DLL Infected: not-a-virus:AdWare.Win32.Ucmore.a skipped
C:\QooBox\Quarantine\C\WINNT\system32\smpi1\lb66.exe.vir/IUCMORE.DLL Infected: not-a-virus:AdWare.Win32.Ucmore skipped
C:\QooBox\Quarantine\C\WINNT\system32\smpi1\lb66.exe.vir ZIP: infected - 3 skipped
C:\QooBox\Quarantine\C\WINNT\system32\smpi1\lb66.exe.vir WiseSFX Dropper: infected - 3 skipped
C:\QooBox\Quarantine\C\WINNT\system32\smpi1\lib06.exe.vir Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\QooBox\Quarantine\C\WINNT\system32\smpi1\lib67.exe.vir Infected: Trojan.Win32.BHO.ab skipped
C:\QooBox\Quarantine\C\WINNT\system32\tuvtrol.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINNT\system32\uqmryanc.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kb skipped
C:\QooBox\Quarantine\C\WINNT\system32\ydjfmydl.dll.vir Infected: Packed.Win32.Klone.j skipped
C:\QooBox\Quarantine\C\WINNT\VTTC.exe.vir/data0004 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\QooBox\Quarantine\C\WINNT\VTTC.exe.vir NSIS: infected - 1 skipped
C:\RECYCLER\S-1-5-21-1652376794-1690639982-1337592118-1002\Dc1 Suspicious: Packed.Win32.Morphine.a skipped
C:\RECYCLER\S-1-5-21-1652376794-1690639982-1337592118-1002\Dc11.dat Suspicious: Packed.Win32.Morphine.a skipped
C:\RECYCLER\S-1-5-21-1652376794-1690639982-1337592118-1002\Dc12 Suspicious: Packed.Win32.Morphine.a skipped
C:\RECYCLER\S-1-5-21-1652376794-1690639982-1337592118-1002\Dc13 Suspicious: Packed.Win32.Morphine.a skipped
C:\RECYCLER\S-1-5-21-1652376794-1690639982-1337592118-1002\Dc14 Suspicious: Packed.Win32.Morphine.a skipped
C:\RECYCLER\S-1-5-21-1652376794-1690639982-1337592118-1002\Dc15.dat Suspicious: Packed.Win32.Morphine.a skipped
C:\RECYCLER\S-1-5-21-1652376794-1690639982-1337592118-1002\Dc16 Suspicious: Packed.Win32.Morphine.a skipped
C:\RECYCLER\S-1-5-21-1652376794-1690639982-1337592118-1002\Dc2 Suspicious: Packed.Win32.Morphine.a skipped
C:\RECYCLER\S-1-5-21-1652376794-1690639982-1337592118-1002\Dc3 Suspicious: Packed.Win32.Morphine.a skipped
C:\RECYCLER\S-1-5-21-1652376794-1690639982-1337592118-1002\Dc4.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\RECYCLER\S-1-5-21-1652376794-1690639982-1337592118-1002\Dc5 Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\RECYCLER\S-1-5-21-1652376794-1690639982-1337592118-1002\Dc6 Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\RECYCLER\S-1-5-21-1652376794-1690639982-1337592118-1002\Dc7 Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\RECYCLER\S-1-5-21-1652376794-1690639982-1337592118-1002\Dc8.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\RECYCLER\S-1-5-21-1652376794-1690639982-1337592118-1002\Dc9 Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\TTC.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\VundoFix Backups\csvpfhxg.dll.bad Object is locked skipped
C:\VundoFix Backups\ddcyv.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\VundoFix Backups\leiancrv.dll.bad Infected: Trojan.Win32.BHO.o skipped
C:\VundoFix Backups\musuloyk.dll.bad Infected: Trojan.Win32.BHO.g skipped
C:\VundoFix Backups\nnnli.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\VundoFix Backups\pjcmhmeo.dll.bad Object is locked skipped
C:\VundoFix Backups\qomjk.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\VundoFix Backups\rqroo.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\VundoFix Backups\tuvtrol.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\vwqnffih.dll.bad Infected: Trojan.Win32.BHO.g skipped
C:\VundoFix Backups\ydwfcnnu.dll.bad Object is locked skipped
C:\WINNT\Cache32\Business Card Designer Plus 7.9.exe Suspicious: Type_Win32 skipped
C:\WINNT\Cache32\C&C Generals_crack.exe Suspicious: Type_Win32 skipped
C:\WINNT\Cache32\GetRight 5.0a.exe Suspicious: Type_Win32 skipped
C:\WINNT\Cache32\Hot Babes XXX Screen Saver.exe Suspicious: Type_Win32 skipped
C:\WINNT\Cache32\IrfanView 4.5.exe Suspicious: Type_Win32 skipped
C:\WINNT\Cache32\Network Cable e ADSL Speed 2.0.5.exe Suspicious: Type_Win32 skipped
C:\WINNT\Cache32\TweakAll 3.8.exe Suspicious: Type_Win32 skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Downloaded Program Files\SbCIe026.dll Infected: not-a-virus:AdWare.Win32.SideStep.c skipped
C:\WINNT\Downloaded Program Files\UWA7P_0001_N91M0809NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINNT\Drivers\TPP\tppun.exe Suspicious: Type_Win32 skipped
C:\WINNT\Internet Logs\BLACKDELL.ldb Object is locked skipped
C:\WINNT\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINNT\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINNT\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINNT\Internet Logs\tvDebug.log Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\SBO\SB1065.exe Infected: Trojan-Downloader.Win32.VB.fn skipped
C:\WINNT\Temp\ZLT01175.TMP Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
C:\WINNT\yc.exe/EXE-file Suspicious: Packed.Win32.Morphine.a skipped
C:\WINNT\yc.exe Embedded EXE: suspicious - 1 skipped
C:\WINNT\yc.exe.dat Suspicious: Packed.Win32.Morphine.a skipped
D:\Program Files\KaZaA Lite\TopSearch.dll Infected: not-a-virus:AdWare.Win32.Altnet.o skipped
D:\Program Files\ShareMonkey\unins000.exe Suspicious: Type_Win32 skipped

Scan process completed.

poolshark
2007-06-01, 03:56
Logfile of HijackThis v1.99.1
Scan saved at 8:58:09 PM, on 5/31/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2evxx.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINNT\System32\DRIVERS\dcfssvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar6.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar6.dll
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - Startup: Greetings Workshop Reminders.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\Netscape\Communicator\Program\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135782094636
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab58570.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINNT\System32\DRIVERS\dcfssvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

Shaba
2007-06-01, 10:01
Hi

Delete these:

C:\TTC.dll
C:\WINNT\Cache32\Business Card Designer Plus 7.9.exe
C:\WINNT\Cache32\C&C Generals_crack.exe
C:\WINNT\Cache32\GetRight 5.0a.exe
C:\WINNT\Cache32\Hot Babes XXX Screen Saver.exe
C:\WINNT\Cache32\IrfanView 4.5.exe
C:\WINNT\Cache32\Network Cable e ADSL Speed 2.0.5.exe
C:\WINNT\Cache32\TweakAll 3.8.exe (delete entire Cache32 folder if you don't recognize anything inside it)
C:\WINNT\Downloaded Program Files\SbCIe026.dll
C:\WINNT\Downloaded Program Files\UWA7P_0001_N91M0809NetInstaller.exe
C:\WINNT\Drivers\TPP\tppun.exe
C:\WINNT\system32\SBO\SB1065.exe
C:\WINNT\yc.exe
C:\WINNT\yc.exe.dat
D:\Program Files\KaZaA Lite\TopSearch.dll
D:\Program Files\ShareMonkey\unins000.exe

Empty these folders:

C:\!KillBox\
C:\avenger\
C:\QooBox\Quarantine\
C:\VundoFix Backups\

Empty Recycle Bin

Re-scan with kaspersky

Post:

- a fresh HijackThis log
- kaspersky report
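
The Kaspersky report above and the follow-up instructions show the triage step a helper performs by hand: hits under C:\!KillBox\, C:\avenger\, C:\QooBox\Quarantine\, C:\VundoFix Backups\ and C:\RECYCLER\ are leftovers of earlier cleanup tools (empty the folder), "Object is locked" entries on registry hives, index.dat and logs are normal, a hit inside an Outlook Express .dbx store is an infected message rather than an infected program, and what remains is the list of live files to delete. The following is an added example, written for this thread and not a tool any participant used: it parses the report's line format (plain verdicts, container summaries such as "ZIP: infected - 3", and locked objects) and sorts the hits into those buckets. The quarantine roots are taken from this thread and are an assumption for any other machine; the embedded sample is a subset of the report lines posted above.

```python
import re

# Folders that earlier cleanup tools on this machine used for quarantine/backups.
# A hit under one of them is a leftover, not a live infection. Taken from the
# thread; for any other machine this list is an assumption to adjust.
QUARANTINE_ROOTS = (
    "C:\\!KillBox\\",
    "C:\\avenger\\",
    "C:\\QooBox\\Quarantine\\",
    "C:\\VundoFix Backups\\",
    "C:\\RECYCLER\\",
)

LOCKED_RE = re.compile(r"^(?P<path>.+) Object is locked skipped$")
VERDICT_RE = re.compile(
    r"^(?P<path>.+) (?P<verdict>Infected|Suspicious): (?P<name>\S+) skipped$")
# Container summaries ("ZIP: infected - 3", "Mail MS Outlook 5: infected - 2").
# Both the path and the container kind may contain spaces, so the path is
# anchored on its file extension and the kind may not contain ':' '\' or '/'.
CONTAINER_RE = re.compile(
    r"^(?P<path>.+?\.\w{1,5}) (?P<kind>[^:\\/]+): "
    r"(?P<verdict>infected|suspicious) - \d+ skipped$")


def parse_line(line):
    """Return {'path', 'verdict', 'name'} for a detection line, else None."""
    line = line.strip()
    m = LOCKED_RE.match(line)
    if m:
        return {"path": m["path"], "verdict": "locked", "name": None}
    m = VERDICT_RE.match(line)
    if m:
        return {"path": m["path"], "verdict": m["verdict"].lower(), "name": m["name"]}
    m = CONTAINER_RE.match(line)
    if m:
        return {"path": m["path"], "verdict": m["verdict"],
                "name": m["kind"] + " container"}
    return None   # header, statistics or footer line


def host_file(path):
    """'C:\\WINNT\\yc.exe/EXE-file' -> 'C:\\WINNT\\yc.exe' (inner objects use '/')."""
    return path.split("/")[0]


def quarantine_root(path):
    low = path.lower()
    for root in QUARANTINE_ROOTS:
        if low.startswith(root.lower()):
            return root
    return None


def triage(report_text):
    """Sort report hits into: folders to empty, files to delete, mail stores
    holding infected messages, and locked objects that were merely skipped."""
    empty, delete, mail, locked = set(), {}, {}, []
    for line in report_text.splitlines():
        hit = parse_line(line)
        if hit is None:
            continue
        host = host_file(hit["path"])
        if hit["verdict"] == "locked":
            locked.append(host)
            continue
        if quarantine_root(host) is not None:
            empty.add(quarantine_root(host))
        elif host.lower().endswith(".dbx"):
            mail.setdefault(host, set()).add(hit["name"])
        else:
            delete.setdefault(host, set()).add(hit["name"])
    return {
        "empty_folders": sorted(empty),
        "delete_files": {k: sorted(v) for k, v in delete.items()},
        "mail_stores": {k: sorted(v) for k, v in mail.items()},
        "locked": locked,
    }


# Sample input: a subset of the report lines posted in this thread.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\!KillBox\__c00C9AF9.dat Suspicious: Packed.Win32.Morphine.a skipped
C:\avenger\backup.zip/avenger/__c00C9AF9.dat Suspicious: Packed.Win32.Morphine.a skipped
C:\avenger\backup.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\Identities\{B16B7DC4-0412-45A2-9627-F28DF0E69755}\Microsoft\Outlook Express\EZ Anti-Spam.dbx Mail MS Outlook 5: infected - 2 skipped
C:\QooBox\Quarantine\C\WINNT\system32\ddcyv.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\TTC.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\SBO\SB1065.exe Infected: Trojan-Downloader.Win32.VB.fn skipped
C:\WINNT\yc.exe/EXE-file Suspicious: Packed.Win32.Morphine.a skipped
C:\WINNT\yc.exe Embedded EXE: suspicious - 1 skipped
C:\WINNT\yc.exe.dat Suspicious: Packed.Win32.Morphine.a skipped
D:\Program Files\KaZaA Lite\TopSearch.dll Infected: not-a-virus:AdWare.Win32.Altnet.o skipped
Scan process completed.
"""

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_REPORT).items():
        print(bucket)
        for item in (items if isinstance(items, list) else items.items()):
            print("   ", item)
```

The output is a worklist, not a verdict: "Suspicious: Type_Win32" is a heuristic, so files such as the Cache32 installers still need a human decision, and a .dbx store should be cleaned by deleting the message inside the mail client rather than the whole file.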

Shaba
2007-06-08, 12:26
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.